In my mind preventative might be something like deploying patches to IT systems whenever a new CVE# is published where this an available patch to prevent that exploit occurring.
I know this could be considered mitigation but for me mitigation is more about an active attack exploiting that vulnerability where other actions can take place to not just prevent
but also potentially respond to the attacker in ways as part of an overall mitigation of the attacker not just âpreventâ in the 1st place.
Remediation occurs when an exploit was successful and systems need to be cleaned up and potentially further changes occur as part of the remediation recommendations that would prevent
further exploits.
I agree all of these descriptions overlap somewhat. But in general I think they all represent slightly different events in time over the lifecycle of the SecOps team.
Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions
I'd like some help in better understanding the Preventative action type.
What is unique to a Preventative action that is different from Remediative or Mitigative? I recognize that there is some overlap, however it would be great to have 1 example to demonstrate the uniqueness of Preventative that would qualify it as needing its
own action type.
In order to try and get my head around this, I did a quick matrix of the current examples and mapped them to each action type. What I'm not seeing is a use case where Preventative
would not have already been categorized as either mitigative or preventative.
Does anyone have a good and unique example for Preventative?
|
Known Threat
|
Blocking Rules
|
Affect Policies
|
Blackhole
|
Sinkhole
|
Blacklist
|
Patch
|
Investigative
|
Maybe
|
N
|
N
|
N
|
N
|
N
|
N
|
Mitigative
|
Y
|
Y
|
Y
|
Y
|
Y
|
Y
|
Y
|
Remediative
|
Y
|
Y
|
Y
|
|
|
|
Y
|
Preventative
|
Y
|
Y
|
Y
|
Y
|
Y
|
Y
|
Y
|