Beyond traditional threat detection
There is a widening gap between the sophistication of cyber attacks and the traditional methods used by many organizations to detect and neutralize these threats. The industry is at a critical juncture, requiring a shift from outdated paradigms to innovative approaches that can effectively combat evolving threats. The opportunity lies in recognizing and addressing this gap in thinking.
The industry’s struggle with detection
Currently, organizations are primarily focusing on three main threat detection strategies: deploying firewalls, leveraging Endpoint Detection and Response (EDR) systems, and using deterministic decision-making tools. Firewalls and EDRs are designed to identify and block malicious software by relying on known signatures and attack patterns. Deterministic tools, on the other hand, aim to distinguish malicious from benign activities by analyzing data and making binary decisions about what poses a threat.
However, this traditional approach is increasingly proving inadequate in the face of advanced tactics such as ‘living off the land’ (LotL) attacks. LotL attacks are particularly challenging because they use legitimate tools and processes within a target’s environment to perform malicious activity, bypassing traditional detection mechanisms. There is no malware to flag, no signatures used to detect it, and no clear indicators of compromise to catch with traditional tools. This is where the crux of the problem lies: existing tools are not equipped to tackle such nuanced and covert threats.
Technical Director EMEA of Corelight.
The gap in industrial thinking
The key gap in the industry’s cyber approach is the reliance on deterministic tools that are inherently limited in dealing with advanced persistent threats (APTs) and LotL techniques. Companies often believe that their current arsenal of cybersecurity tools is sufficient, but fail to realize that these tools are not designed to counter the subtle and sophisticated methods used by modern attackers.
A major oversight is the lack of temporal awareness in threat detection. Companies tend to think in terms of detecting threats based on current activities (using TTPs – tools, techniques and procedures), but do not consider the historical context of an attack. This shortsightedness is problematic because advanced attackers can remain in a network for extended periods of time, waiting for the right moment to strike. Without the ability to look back in time and analyze past activity, organizations can misidentify long-term intrusions that have already infiltrated their systems.
Embracing a new approach
To bridge this gap, a new path forward involves three key shifts in thinking:
1. Apply retrospective analysis: Organizations must build in solutions that enable retrospective analysis, allowing them to look back in time and examine past activities for signs of an undetected breach. This approach requires preserving and analyzing historical data, massive amounts of data, which can reveal patterns and anomalies not visible in real-time analysis.
2. Using behavioral analyses: Instead of relying solely on deterministic tools, companies should adopt behavioral analytics that can detect deviations from normal behavior. This includes creating basic profiles of typical activities and identifying outliers that could indicate a security breach. Behavioral analytics, such as an IP camera that exfiltrates files, are particularly effective at detecting LotL attacks, where traditional signature-based detection fails.
3. Learn from elite defenders: The practices of elite defenders such as financial institutions and top-level government agencies provide valuable insights. Rather than relying solely on traditional methods, these organizations use advanced threat hunting techniques and continuous monitoring to stay one step ahead of attackers. Companies should learn from these forward-thinking approaches and integrate them into their own cybersecurity strategies.
Moving forward
In conversations with customers, there’s often an “aha” moment when they realize the limitations of their current tools and understand the importance of historical data in detecting advanced threats. By illustrating real-world examples, such as longer attacker dwell times in high-profile breaches, cybersecurity professionals can highlight the need for a more comprehensive and proactive approach.
Ultimately, closing the cybersecurity gap requires recognizing that traditional tools and methods are no longer sufficient. Embracing retrospective analytics, behavioral analytics, and learning from elite defenders will enable organizations to detect and neutralize even the most sophisticated threats. By closing this gap in thinking, companies can improve their security posture and better protect their critical assets in an increasingly complex threat landscape.
We recommended the best identity management software.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here:
