January 25, 2005

Mantra for Intrusion Prevention

"That which can not be detected should be prevented; That which can't be prevented should be detected."
Posted by SilverStr at January 25, 2005 07:11 AM
Comments

Not sure I buy into this Mantra. Frankly, if you can't detect it, how can you possibly hope to prevent it?

In most practical ways, I think the Mantra should be more like:

"That which can be detected with accuracy should be prevented; that questionable activity which cannot be prevented should be reported on with as much detail, and in as short a period of time, as possible"

Posted by: Jason at January 25, 2005 11:25 AM

Good points. Maybe that should be written differently.

My point was that through least privilege in IPS, you can prevent an attack before you know how to detect it. Anything not registered as normal behaviour will be considered anomalous, and thus blocked/prevented. And if you cannot prevent it, you better have some form of detecting it (alerts, alarms etc) so you can apply human heuristics.

Sorry I didn't make it more clear. I knew what I meant :)

Posted by: SilverStr at January 25, 2005 12:11 PM

Ah, that does clarify things for me somewhat - I have to admit to having a VERY strong network bias when thinking about IPS, and standard controls such as Firewalls (where least privilege more strongly applies) and such are not something I typically include in my thinking - and where anomalous activity is not always a sufficient basis upon which to apply strict controls.

Least privilege at the host level is an entirely different discussion, and more entwined with a variety of IPS type (anomaly-based) controls that would apply.

Posted by: Jason at January 25, 2005 02:00 PM

And I am the opposite. I have a bias to the host, the last line of defense. I find the idea of IPS on the network kinda silly. False positives can render entire networks dead if configured incorrectly, and most real traffic that is being tunneled through (SSH, SSL, IPSec etc) cannot be monitored anyways.

At least on the host, after the decryption occurs, we can make a better assessment of the nature and intent of the code, and determine if an attack vector is present through understanding how the application works.

Of course, I am not saying that technical safeguards shouldn't exist on the network. Far from it. We need the layers of defense. But I think the traditional way of looking for 'blacklist' actions alone is faulty; we need to understand application behaviour and make whitelists of acceptable (and controllable) behaviour of our systems.

Posted by: SilverStr at January 25, 2005 02:06 PM
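The whitelist model SilverStr describes above (registered normal behaviour is allowed, anything else is blocked where a hook can stop it and alerted on where it cannot) as a small worked example. This is added illustration code, not from the post or any product it mentions; the baselines, action names, which hooks count as preventable, and the event stream are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed baseline of "registered normal behaviour" per application.
# A real host IPS would learn these from profiling; these are invented.
BASELINE = {
    "httpd": {
        "file_read":  ("/var/www/", "/etc/httpd/"),
        "file_write": ("/var/log/httpd/",),
        "connect":    ("tcp/127.0.0.1:3306",),
        "exec":       (),                     # httpd never spawns children
    },
}

# Assumption: which hooks can stop an action before it completes (prevent)
# and which only observe it after the fact, e.g. from an audit trail.
PREVENTABLE = {"file_write", "exec", "connect"}
OBSERVE_ONLY = {"file_read"}

@dataclass(frozen=True)
class Verdict:
    decision: str   # "allow", "block" or "alert"
    detail: str

def _matches(allowed, target):
    # Prefix match for directory entries ending in "/", exact match otherwise.
    return any(target == a or (a.endswith("/") and target.startswith(a))
               for a in allowed)

def evaluate(app, action, target):
    """Least privilege: anything not registered is anomalous. Block it where the
    hook can; where it cannot, raise a detailed alert for a human to act on."""
    profile = BASELINE.get(app, {})            # unknown app => empty whitelist
    if _matches(profile.get(action, ()), target):
        return Verdict("allow", f"{app} {action} {target}: registered behaviour")
    if action in PREVENTABLE:
        return Verdict("block", f"{app} {action} {target}: not in baseline, denied")
    return Verdict("alert", f"{app} {action} {target}: not in baseline, "
                            f"{action} hook cannot block, reported")

# Constructed event stream of (app, action, target) tuples.
SAMPLE_EVENTS = [
    ("httpd", "file_read", "/var/www/index.html"),
    ("httpd", "exec",      "/bin/sh"),
    ("httpd", "connect",   "tcp/203.0.113.9:4444"),
    ("httpd", "file_read", "/etc/shadow"),
    ("sshd",  "connect",   "tcp/192.0.2.1:22"),
]

def run(events=SAMPLE_EVENTS):
    return [(e, evaluate(*e).decision) for e in events]

if __name__ == "__main__":
    for event, decision in run():
        print(decision.upper(), *event)
```

Jason's caveat about accuracy shows up in the unknown-app case: with no baseline at all, strict least privilege blocks everything preventable, which is exactly where a misconfigured profile turns into an outage rather than a detection.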