I want to offer an alternative, middle-ground viewpoint today that I feel would often help: we should focus on impact control, rather than only on detecting and mitigating, or only on protecting (we should do those too). In other words, why not assume that your defenses will be hacked, and then figure out ways to ensure that the impact of a compromise is limited? For example, if credentials get stolen (the recent US IRS hack is one such example), the hacker acts as an authorized individual. Therefore, impact should be controlled for the activities of insiders and outsiders alike (irrespective of whether they are known to be malicious or benign).
The fine-grained access control and model-driven security discussed on this blog for years have really always been about exactly that: minimize users' access to information resources based on fine-grained, contextual access policies, so that the impact of both accidental and malicious compromise remains limited. In the example of the IRS hack mentioned above, why did the stolen credential need access to so many records? In the Wikileaks case, why did Manning need access to so much information?
In other words, impact can be controlled by implementing reliable (true!) least privilege access control, so that only the minimum necessary information can be accessed. And I am not talking about least privilege in the "poor man's solution" sense of privileged account management. I am talking about fine-grained, contextual access policies. This will usually require complex access control systems such as Attribute-Based Access Control (ABAC), which comes at the cost of being unwieldy and complex. Model-Driven Security (MDS), as discussed on this blog for years, helps make ABAC manageable, even in dynamically changing IT landscapes (e.g. SOA, M2M, IIoT etc.). (By the way, our OpenPMF product helps implement ABAC with MDS.)
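To make the "impact control through contextual least privilege" idea concrete, here is a small ABAC policy decision point written as an added illustration for this post; it is not OpenPMF code, not MDS-generated, and not from the original article. The attribute names (`department`, `assigned_cases`, `session_cap`), the rule set, the 50-record session cap and the sample agent and record are all constructed for the example. The point it demonstrates is the one argued above: a valid credential is still confined by resource, context and volume attributes, so a stolen credential used from the wrong network, against an unassigned case, or to pull records in bulk is stopped after a bounded amount of damage rather than exposing everything the account could nominally reach.

```python
"""Minimal attribute-based access control (ABAC) policy decision point.

Constructed example: attribute names, rules and limits are illustrative only.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    """One access request: who (subject), what (action), on which resource, under what context."""
    subject: dict
    action: str
    resource: dict
    context: dict


Rule = Callable[[Request], bool]


# Each rule inspects subject, resource and context attributes. All rules for an
# action must pass; anything not explicitly permitted is denied.
def same_department(req: Request) -> bool:
    return req.subject.get("department") == req.resource.get("owning_department")


def assigned_case(req: Request) -> bool:
    # Fine-grained: access only to cases assigned to this particular agent.
    return req.resource.get("case_id") in req.subject.get("assigned_cases", ())


def business_hours(req: Request) -> bool:
    return 8 <= req.context.get("hour", -1) < 18


def internal_network(req: Request) -> bool:
    return req.context.get("network") == "internal"


def under_session_cap(req: Request) -> bool:
    # Volume limit: bounds how many records one session can retrieve, so a
    # compromised credential cannot bulk-export the whole database.
    cap = req.subject.get("session_cap", 50)
    return req.context.get("records_read_this_session", 0) < cap


def is_supervisor(req: Request) -> bool:
    return req.subject.get("role") == "supervisor"


POLICY: dict[str, list[Rule]] = {
    "read": [same_department, assigned_case, business_hours, internal_network, under_session_cap],
    "export": [same_department, assigned_case, business_hours, internal_network, is_supervisor],
}


def decide(req: Request) -> tuple[bool, list[str]]:
    """Return (permit, names_of_failed_rules). Unknown actions are denied by default."""
    rules = POLICY.get(req.action)
    if rules is None:
        return False, ["no_policy_for_action"]
    failed = [rule.__name__ for rule in rules if not rule(req)]
    return (not failed), failed


def bulk_read(subject: dict, records: list, context: dict) -> int:
    """Simulate one session reading records in sequence; return how many were permitted."""
    granted = 0
    for record in records:
        ctx = dict(context, records_read_this_session=granted)
        permitted, _ = decide(Request(subject, "read", record, ctx))
        if not permitted:
            break
        granted += 1
    return granted


# Constructed sample subject, resource and context.
AGENT = {"id": "agent-17", "department": "audit", "role": "agent",
         "assigned_cases": {"C-100", "C-101"}, "session_cap": 50}
RECORD_C100 = {"case_id": "C-100", "owning_department": "audit"}
INTERNAL_DAY = {"hour": 10, "network": "internal", "records_read_this_session": 0}


if __name__ == "__main__":
    print("legit read:", decide(Request(AGENT, "read", RECORD_C100, INTERNAL_DAY)))
    print("same creds, external network:",
          decide(Request(AGENT, "read", RECORD_C100, dict(INTERNAL_DAY, network="external"))))
    print("bulk read of 200 records, permitted:", bulk_read(AGENT, [RECORD_C100] * 200, INTERNAL_DAY))
```

Every denial returns the names of the rules that failed, which is exactly what a monitoring pipeline wants to see: a stream of `internal_network` or `under_session_cap` failures for one account is a compromise signal, so the same policy that limits impact also feeds detection. In a real deployment the rule set would be generated from the security model rather than hand-written as here, which is the manageability problem MDS is meant to solve.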
Please spread the word that we also need to control impact, rather than just (1) putting up defenses, after which, once compromised, much or everything can be stolen; and (2) monitoring for compromises and hopefully mitigating before it is too late. (1)+(2) alone are clearly failing.