E-Handbook:

Threat detection and response demands proactive stance

stock.adobe.com

Threat detection and response tools evolve and mature

A variety of threat detection and response tools, such as XDR, are evolving into platforms to help enterprises share information and stay ahead of cybersecurity threats.

Threats such as malware and denial-of-service attacks have been around since the earliest days of the internet, and the cybersecurity industry has created generations of threat detection and response tools to identify and remediate them. As cybersecurity threats continue to evolve and advance, the tools to identify and stop them need to evolve as well.

The latest trend is to consolidate security tools onto a framework that incorporates AI to share information and speed threat identification.

Old vs. new cyberthreats

Early software exploits weren't overly sophisticated, nor did they need to be. Regularly scheduled OS and application security patches weren't the norm at that time, so the same exploits were used repeatedly with great success by bad actors and script kiddies looking for ways to wreak havoc.

That changed with the advent of commercial antivirus software. Early antivirus iterations can be thought of as static databases that contained signatures of known malicious threats. The software would scan the end user's OS, applications and data, and could then identify and delete files containing malicious software signatures. At the time, antivirus was adequate in finding and blocking the execution of existing threats on a device-by-device basis.

But antivirus didn't stop bad actors from trying to keep one step ahead of the newly emerging digital threat prevention market. Well-organized hacker groups and nation-states understood that businesses were increasingly relying on digital content -- and they aimed to capitalize on that reliance. As a result, modern threats have evolved to take on these characteristics:

  • constantly changing and evolving malware code, making signature identification more difficult;
  • decentralized threats that are more efficient and harder to track;
  • attacks planned and executed without notice and zero-day threats, which are nearly impossible to detect using legacy signature-matching security tools;
  • targeting businesses and users with a variety of phishing techniques to trick them into executing malicious code; and
  • a combination of multiple threats to attack a single target.

These evolved threats are often referred to as advanced persistent threats. Highly skilled hackers plot, plan and execute an attack over days, weeks or months to identify and exploit technological weaknesses in threat prevention tools and processes.

Evolving threat detection and response tools

As the methods and practices used to attack digital assets become more refined, the security tools to combat the threats must evolve as well. When it comes to cybersecurity risk mitigation, the tools and processes for each segment of a company's IT infrastructure need to be evaluated and addressed.

A defense-in-depth strategy that uses a layered security tool approach originally came into play to shore up server OS, applications, data and the underlying corporate network security. IT security teams would commonly deploy cybersecurity tools that operated independently from other tools and often overlapped in terms of threat identification and alerts.

A layered, multipoint-based cybersecurity framework proved to be relatively successful for a while, until bad actors learned how to exploit gaps caused by a lack of information sharing between tools. At the same time, IT security administrators were constantly struggling to manage and consolidate massive amounts of threat data -- as well as the false positive alerts that became the norm.

As a result, security tools that once operated independently are now being consolidated so threat information can be shared for faster threat identification with fewer false positives. This capability requires modern tools to be built on a framework that incorporates AI and global threat intelligence services.

AI allows behavioral baselines to be established and enables continuous monitoring and immediate alerts when behaviors veer above baseline thresholds. Tapping into global threat intelligence improves the speed at which tools can be updated with known and potential threats.

Here are some of the threat detection and response tools currently being deployed by enterprises and their capabilities:

Endpoint detection and response (EDR)

Like antivirus applications of old, EDR protects various endpoints on and off the network. EDR collects and analyzes data on endpoint device health to identify potential threats. In addition, EDR platforms track where suspicious activity has occurred over time and its potential effect on other end devices. Collected data is stored in a centralized database where it can be further analyzed and used to provide real-time and historic visibility of malicious events, as well as AI-derived threat mitigation steps.

Network detection and response (NDR)

Instead of collecting and monitoring endpoint device threat data, NDR platforms track and create baselines for network traffic to identify suspicious network communication behavior that could threaten the network and devices residing on the network. These platforms can be viewed as AI for IT operations with an AI focus on security as opposed to network performance. For example, NDR can identify command-and-control threats, misconfigured devices at risk of exploitation and other unusual network communications behaviors. The common sources of NDR data include network device logs, NetFlow data, packet captures and real-time network telemetry streams.

Extended detection and response (XDR)

As the most recent entry to the market, XDR is often described as an expansion of EDR with some NDR elements added to provide a holistic view of an enterprise's cyberthreat landscape. EDR provides detection data that's analyzed and acted on when a cybersecurity incident occurs. But, as a SaaS-based security threat detection and incident response tool that combines multiple security tools into a unified platform, XDR delivers deeper and wider visibility, stronger AI and improved automation capabilities. Since XDR enables an organization to identify and stop threats before damage is done, it's considered far more proactive than EDR alternatives. From a visibility perspective, XDR is a major improvement over EDR because it pulls in security information from multiple sources across the corporate network and cloud -- not just endpoints.

Managed detection and response (MDR)

Unlike the three aforementioned threat detection and response tools, MDR isn't a new technology. Rather, MDR changes the way detection and response services are delivered to the customer. Instead of requiring an enterprise to purchase EDR, NDR and XDR services managed by its in-house cybersecurity staff, an MDR service provider protects the company's endpoints and infrastructure. That's especially useful for organizations lacking technical in-house security staff to manage these modern and sophisticated cybersecurity tools.

This was last published in February 2021

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

SearchCloudSecurity
SearchNetworking
SearchCIO
SearchEnterpriseDesktop
SearchCloudComputing
ComputerWeekly.com
Close