Why Detection is Harder Than Prevention In Cybersecurity

In my previous blog, I talked about “how a SOC detects attacks” and SIEM, but this one is slightly non-technical, but more interesting and contextual at the same time!

When people start learning cybersecurity, prevention feels like the only main goal.

Block the ATTACKS anywayyyy* !
Stop the BAD HACKERS !
Secure SYSTEMS !
PROBLEM SOLVED 👌.

But once you study real incidents and how environments actually behave, something becomes obvious:

Preventing attacks is difficult, agreed !
BUT, DETECTING them is even HARDER 💯 !

At first, this sounds strange. If something enters a system, shouldn’t it be EASIER to notice than to STOP it? In practice, IT’S THE OPPOSITE.

THIS BLOG IS ABOUT WHY.

PREVENTION Has Clear Rules. DETECTION Deals with UNCERTAINTY.

Prevention is based on defined controls.

EXAMPLES:

  • A firewall blocks unauthorized ports.
  • Authentication requires credentials.
  • Access policies restrict permissions.
  • Anti-virus blocks *known* malware.

These are RULE-BASED protections.
Each request is simply ALLOWED or BLOCKED!

Detection is different. It asks:

Is this activity NORMAL or SUSPICIOUS ???

And NORMAL isn’t FIXED.

Systems produce a HUGE amount of NORMAL ACTIVITY

Modern environments generate a massive volume of events:

  • Logins
  • File access
  • Network connections and behavior
  • Process execution
  • Automated tasks

Most of this activity is legitimate, and attackers rarely create completely new kinds of behavior.

They HIDE inside EXISTING, NORMAL-looking behavior.

Detection must find rare malicious patterns inside a huge amount of ordinary activity.

It’s like trying to notice ONE UNUSUAL CONVERSATION INSIDE A HUGE, CROWDED STADIUM.

Attackers Use legitimate Access

Many defensive controls are designed to block unauthorized access. But what if:

THE ACCESS IS TECHNICALLY VALID ???

Examples are very common:

  • stolen credentials
  • misused admin privileges
  • compromised user accounts
  • legitimate tools used for harmful actions

From the system’s perspective, the activity looks normal:

Valid login. Authorized command. Allowed network traffic. etc.

So no automated prevention kicks in: the firewall, the EDR and the SIEM all see an authorized user doing permitted things.

Detection must interpret INTENT, not just confirm that the permission was valid.

And configuring this is much harder than you think.

“NORMAL” behavior isn’t “STABLE”.

Detection depends heavily on understanding baseline behavior, but ENVIRONMENTS AND CONDITIONS ARE DYNAMIC:

  • new users and new devices log in
  • software updates change activity patterns
  • work habits shift
  • automation increases

Basically, something unusual today may be perfectly normal tomorrow.

And this creates a moving, unstable target for DEFENDERS.
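To make the last two sections concrete (valid credentials that still deserve a second look, and a baseline that has to keep moving), here is an added example in Python; it is not code from the original post. It runs a per-user login baseline over a constructed log in which every login succeeded, so a prevention control had no reason to block any of them. The log layout (timestamp,user,source_host,result), the user and host names, the training cutoff and the "promote a new host after two days" rule are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed layout: timestamp,user,source_host,result).
# Every line is a *successful* login: the credentials were valid each time,
# so a prevention control had no reason to block any of them.
SAMPLE_LOG = """\
2024-03-04T07:30:00,bob,WS-BOB,success
2024-03-04T08:58:00,alice,WS-ALICE,success
2024-03-05T07:35:00,bob,WS-BOB,success
2024-03-05T09:02:00,alice,WS-ALICE,success
2024-03-06T07:32:00,bob,WS-BOB,success
2024-03-06T08:55:00,alice,WS-ALICE,success
2024-03-07T07:28:00,bob,WS-BOB,success
2024-03-07T07:40:00,bob,LAPTOP-BOB,success
2024-03-07T09:10:00,alice,WS-ALICE,success
2024-03-08T02:14:00,alice,SRV-FILE01,success
2024-03-08T07:33:00,bob,LAPTOP-BOB,success
2024-03-11T07:31:00,bob,LAPTOP-BOB,success
"""

TRAINING_CUTOFF = datetime(2024, 3, 7)  # baseline is learned from events before this (assumed)
PROMOTE_AFTER_DAYS = 2                   # a new host counts as "normal" once seen on this many days (assumed)


def parse(log_text):
    """Return successful logins as sorted (timestamp, user, host) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, host, result = line.split(",")
        if result == "success":
            events.append((datetime.fromisoformat(ts), user, host))
    return sorted(events)


def build_baseline(events):
    """Per-user profile of the hosts and hours-of-day seen during training."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in events:
        if ts < TRAINING_CUTOFF:
            baseline[user]["hosts"].add(host)
            baseline[user]["hours"].add(ts.hour)
    return baseline


def off_hours(hour, usual_hours):
    """True if `hour` is more than one hour away from every usual login hour."""
    return all(abs(hour - h) > 1 for h in usual_hours)


def detect(events, baseline):
    """Flag valid logins that do not fit the user's profile; let recurring
    new hosts become part of the profile so the baseline keeps moving."""
    alerts = []
    pending = defaultdict(set)  # (user, host) -> dates on which an unknown host was seen
    for ts, user, host in events:
        if ts < TRAINING_CUTOFF:
            continue
        profile = baseline[user]
        reasons = []
        if not profile["hosts"]:
            # Cold start: nothing to compare against, which is itself worth surfacing.
            reasons.append("no baseline for user")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"new host {host}")
                pending[(user, host)].add(ts.date())
                if len(pending[(user, host)]) >= PROMOTE_AFTER_DAYS:
                    profile["hosts"].add(host)  # recurring -> absorbed into "normal"
            if off_hours(ts.hour, profile["hours"]):
                reasons.append(f"off-hours login at {ts:%H:%M}")
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    baseline = build_baseline(events)
    return detect(events, baseline), baseline


if __name__ == "__main__":
    for ts, user, reasons in run()[0]:
        print(ts, user, "; ".join(reasons))
```

Running it produces three alerts: bob's first two logins from LAPTOP-BOB, and alice's 02:14 login from SRV-FILE01 (new host plus off-hours). The 11 March LAPTOP-BOB login is silent because the host has by then been absorbed into bob's profile: the same event went from "suspicious" to "normal" within a week, which is exactly the moving target described above. The caveat a practitioner will spot immediately: absorbing a host automatically after two sightings means a persistent attacker would be absorbed too, so in practice the promotion is gated on an analyst's confirmation rather than on a counter.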

“FALSE POSITIVES” and “MISSED ATTACKS”

Detection systems must balance two risks:

TOO SENSITIVE: many false alerts
TOO STRICT: real threats missed

So DETECTION requires JUDGEMENT, not just ENFORCEMENT. That’s why we need humans!

Visibility is Never Perfect

Detection depends on available data, but visibility always has gaps:

  • not all systems log equally
  • some activity is encrypted
  • monitoring coverage varies between systems
  • configuration mistakes happen (that’s normal)
  • storage limits mean logs get truncated or rotated away

Prevention can operate at specific control points.
Detection must piece together incomplete information.

Security decisions are, most of the time, made with partial evidence!

The Time Factor

Prevention happens immediately, at the moment of the request.
Detection happens after the activity has already begun.

Attackers may:

  • move slowly to slip past sensitive detection rules
  • blend into routine, normal operations
  • spread activity across many systems and accounts
  • avoid triggering thresholds

If each step looks low-risk, it may not attract attention until the pattern accumulates.

no attention > no detection > no action > no response > COOKED FR!

Basically, DETECTION IS A RACE AGAINST ATTENTION!
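As an added example (not from the original post) for both the false-positive trade-off and the time factor, here is a Python comparison of a classic burst rule against a long-window rule, run over a constructed set of failed logins. The addresses, user names, timings and thresholds are made up for illustration; 203.0.113.9 is a documentation-range address standing in for an external attacker, and a legitimate user who mistypes her password is included so the cost of tightening the threshold is visible.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_failures():
    """Constructed authentication failures as (timestamp, user, source_ip).
    203.0.113.9 is a documentation-range address standing in for an attacker."""
    events = []
    t0 = datetime(2024, 3, 8, 9, 0)
    # Legitimate user carol mistypes her password three times within a minute.
    for i in range(3):
        events.append((t0 + timedelta(seconds=20 * i), "carol", "10.0.0.5"))
    # Low-and-slow password spray: two failures every ten minutes for two hours,
    # rotating through several accounts so no single account sees a burst.
    targets = ["dave", "erin", "frank", "grace"]
    for i in range(12):
        for j in range(2):
            events.append((t0 + timedelta(minutes=10 * i, seconds=30 * j),
                           targets[(2 * i + j) % len(targets)], "203.0.113.9"))
    return sorted(events)


def burst_rule(events, threshold, window):
    """Classic rule: alert when one source reaches `threshold` failures
    inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # source_ip -> timestamps inside the window
    alerted = set()
    for ts, _user, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerted.add(ip)
    return alerted


def slow_rule(events, window, min_failures, min_users):
    """Long-window rule: alert when one source accumulates many failures
    against several distinct accounts, however thinly they are spread in time."""
    recent = defaultdict(deque)  # source_ip -> (timestamp, user) inside the window
    alerted = set()
    for ts, user, ip in events:
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= min_failures and len({u for _, u in q}) >= min_users:
            alerted.add(ip)
    return alerted


def compare(events=None):
    """Run the same events through three configurations and return who fired."""
    if events is None:
        events = sample_failures()
    five_minutes = timedelta(minutes=5)
    return {
        "burst_5_in_5min": burst_rule(events, 5, five_minutes),   # too strict: misses everything
        "burst_3_in_5min": burst_rule(events, 3, five_minutes),   # too sensitive: fires on carol
        "slow_10_in_2h": slow_rule(events, timedelta(hours=2), 10, 3),
    }


if __name__ == "__main__":
    for rule, sources in compare().items():
        print(f"{rule:16} -> {sorted(sources) or 'no alert'}")
```

The attacker never puts more than two failures into any five-minute window, so the burst rule at five-in-five sees nothing. Lowering it to three-in-five does not help: the attacker still stays under it, and the only thing that fires is carol's fat-fingered password. The long-window rule catches the spray because it counts accumulated failures and distinct targeted accounts over two hours, which is the "patterns accumulate" idea from the section above; the price is that the alert arrives an hour and a half after the attacker started.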

Prevention and Detection Are Not Opposites

It may sound like:

prevention is better, detection is secondary.

That’s not accurate.

Both are equally necessary.
Prevention reduces the attack surface.
Detection identifies what bypassed the controls.

No environment prevents everything.

PERFECTION IS DELUSION !

Final thoughts

Prevention asks: “should this be allowed?”

Detection asks: “what does this activity actually mean?”

Detection is challenging because it deals with:

  • normal behavior variation
  • legitimate access misuse
  • incomplete visibility
  • uncertain signals
  • human decision-making

And,

Technology can generate alerts, but humans must interpret them.

Analysts assess:

  • context
  • impact
  • intent
  • pattern significance

This process involves reasoning, not just rule matching!

Security isn’t only about stopping attacks at the door.
It’s also about noticing when “something in the environment doesn’t make sense”.

And understanding WHAT DOES NOT MAKE SENSE is the hardest problem in cybersecurity.