Daily network security breaches are the norm. They're expected in our current environment, where malware and malicious systems routinely and effectively use artificial intelligence to enhance breach methods. Meanwhile, security practitioners are only beginning to use similar technologies such as machine learning to counter breaches.
Attackers use intelligent, automated tools to continuously poke and prod every public IP address range, network port and network security defense, looking for openings. Nation-states fund onslaughts against enterprise and government systems. Through all these efforts, advanced persistent threats and advanced malware gain access to company systems with stealth; too often they dwell in networks for months or years without detection. The proof appears regularly in the press, with Yahoo's one billion account catastrophe only one of the latest network rifts reported. This is why a breach detection system is so essential.
Breach detection systems explained
A breach detection system -- sometimes referred to as BDS or active threat detection -- is crucial to identifying threats inside your network. Before you consider investing in a BDS, you need to know what capabilities and features are available.
Breach detection systems are hardware- or software-based products that recognize active threats and adversaries already operating inside a network. A BDS alerts IT security groups to the presence of these threats so that security staff can intervene. There is no better time to make certain that you have the best breach detection tool for your organization.
Breach detection systems add algorithms -- mathematical, problem-solving equations -- and analytics to reach beyond the abilities of existing static signature- and rules-based detection methods, including legacy heuristics approaches.
"These new methods find suspicious behaviors in users, networks, hosts and applications," said Eric Ahlm, security research director at Gartner. "Using algorithms to watch these behaviors greatly increases your chances of finding an attack that was previously unknown -- no signature or rule will find these. The algorithms can detect behavior deviations -- statistically -- or match known behaviors to new behaviors." This is an improvement on older methods such as whitelisting and data policies, which BDS systems still employ, along with risk assessments.
How breach detection tools work
BDS products come in different flavors. User and entity behavioral analytics (UEBA) looks at user behavior -- whether the user is a person, machine or system. You can deploy UEBA as a network-based system, a host-based system or a combination of the two; the latter is typically preferable.
The best network behavior analysis (NBA) products will rally deep packet inspection, machine learning, statistical analysis and threat intelligence to detect malicious and anomalous network behavior. You can consider NBA as a form of BDS.
Endpoint detection and response products perform breach detection. These agent-based tools look at what's happening on the endpoint, including OS and application behaviors.
Features to look for (or avoid)
According to Ahlm, you should look for a breach detection system that finds the most threats, locates breaches faster and analyzes attacks more accurately. You should determine what system does these things best for you based on vendors' references and your trials of select products. Look for products that present the fewest false positives, which add noise to the many alerts IT security must already wade through. A comprehensive system that addresses roaming endpoints that reconnect to the corporate network is most desirable since these endpoints can contract malware while on home networks and wireless hotspots.
The ideal BDS system will offer real-time analysis of the greatest amounts of data and traffic, whether from users, networks, endpoints or applications. Out-of-band systems are better at identifying threats that are already living inside your network, since in-band systems look at data as it is coming into the network, just as firewalls do. You should choose an out-of-band system.
A BDS must outsmart the artificial intelligence that attackers build into their malicious systems. Advanced malware uses evasive maneuvers to avoid detection by BDSes. These maneuvers include recognizing sandbox and analysis environments and choosing to remain dormant while in these sandboxes -- or even escaping them.
Capable BDS vendors will maintain threat intelligence about new evasion methods and regularly update their products with new behavioral information and other measures able to detect evolving malware strains. Look for vendors that continue to make advances in new detection techniques; sandboxing with threat analysis alone will not be enough.
You should select a product that empowers you to follow detection with a thorough, multi-pronged response. Look for a BDS that allows automatic and manual breach response and remediation options -- such as isolating affected machines and network segments, dropping associated network connections, and scanning and analyzing the rest of the network to identify all traces of similar breaches.
A BDS should easily integrate and interoperate with other security tools. Open APIs are one approach to enabling integrations.
Endpoint detection and response (EDR) tools are becoming increasingly essential to a layered approach, even if they mean you must consider more than one breach detection system. When choosing EDR tools, select products that use software agents on the endpoint device; these are more robust than simply pulling log files for analysis.
"The smart EDR products watch every change that happens on the device and report it for analysis," Ahlm said. While some agents can respond to breaches at IT security's discretion by reverting malicious changes and killing bad processes, most breach detection systems use a human element to determine a response to an alert. Where available, choose a system that offers both options, as you may want to automate for some detections and respond manually for others.
You should avoid breach detection systems that uncover only particular types of threats rather than the full spectrum of adversaries and infections. A system should detect targeted phishing attacks as well as general malware, ransomware attacks and zero days. "The purchasing question is, at the end of four or five years, how many threat detection systems do you want to own?" Ahlm asked.
The bottom line
Form a strategy for identifying, examining and selecting breach detection systems based on the results of an analysis of your key risks and an understanding of how a breach detection system must fit into your business continuity and disaster recovery planning. Talk to vendor references, preferably in person. Select a few best BDS providers and systems to investigate further. Determine which system to evaluate in a thorough trial. If a system ultimately proves inadequate over a six-month trial, reassess product options and approach the selection process again.
Learn more about various categories of insider threat detection tools
Behavioral threat analytics aids network systems and data protection
Ways to defend against the threat of a mobile breach