Why have cyber incidents topped the Allianz Risk Barometer for the last two years in a row?
Growing attack surfaces are partly responsible. Remote work, cloud migration, IoT use and other trends give cyber threats more places to enter and hide within networks. But there is another cause – deficiencies in the standard approach to threat detection and response.
The best-of-breed tools that security operations centres (SOCs) rely on to identify and react to malicious activity are disconnected, disparate and unable to meet the demands of the modern IT environment. The symptoms of this malaise are everywhere: security team burnout, longer threat dwell times and a rising mean time to detect (MTTD). It takes over 212 days to detect the average data breach.
What’s needed is a root-and-branch reimagining of threat detection. To give the advantage back to defenders in 2023 and beyond, effective threat detection tools need to deliver the three key capabilities described below.
Few firms that can facilitate remote working are returning to being 100% on-premises. As a result, organisations in every sector are witnessing a continued exponential increase in network complexity. Cybersecurity tooling needs to keep up.
The modern hybrid and remote enterprise IT environment is filled with complicated interactions between networks, endpoints and cloud instances (private and public) across thousands of remote locations. This means more places for threats to enter networks, more assets and sensitive data to compromise and more complicated threat behaviour.
As attack surfaces sprawl, security controls are applied increasingly unevenly, and 70% of organisations now say they can’t ensure the same level of protection for every endpoint. In response, defenders need security tools that can see and respond to potential threats across their networks and within endpoints, using methodologies like deep packet inspection. Isolated detection and response won’t cut it anymore.
Defenders need threat detection solutions that can spot threats in remote and hybrid environments. Specifically, security teams need a way to mitigate threats that hide within east-west traffic and compromise cloud environments. They also need to see this information in the context of what is happening on endpoints and servers. Remote blind spots shouldn’t be a thing.
Interest in artificial intelligence (AI) has recently risen to an all-time high. But AI that delivers measurable ROI on security has long been a proven capability within threat detection and response platforms like SenseOn.
To aid threat detection, AI and machine learning (ML) can model typical user and device behaviour. This creates a baseline of “normal” network behaviour that can be used to detect insider threats that don’t trigger signature-based rules.
AI can also play a more significant role within the SOC, helping analysts understand novel threats and improving advanced threat detection. This is critically important because over half of IT security and SOC decision-makers are unsure they have the skills to prioritise and respond to alerts.
Organisations that use security automation for purposes like this save an average of over £1 million when remediating security breaches. However, AI algorithms and systems are only as good as the data they receive. Security providers that bolt AI onto an existing offering will fail to deliver real value without overhauling how they collect and process data.
Instead, defenders need threat detection and response solutions built around AI threat detection and response capabilities from the ground up. This means harvesting data from endpoints, networks, user behaviour and other sources in a universal format and then inputting it into an AI system trained on proven threat frameworks like MITRE ATT&CK.
What happens when you have multiple point solutions – endpoint detection and response (EDR), intrusion prevention system (IPS), intrusion detection system (IDS), etc. – all firing log data and raising alerts on a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) system? Two things:
1. Burnout. More than 7 in 10 security analysts experience burnout.
2. Missed alerts and threats. Over a third of analysts ignore alerts due to capacity issues.
This happens because the modern threat detection and alert process leaves security analysts with endless data streams but almost no context—a dangerous mix.
Analysts are looking at their estate through an increasingly small viewfinder without anything natively joining different sources of information. No wonder over 70% of ransomware incidents last year were discovered externally, i.e., the threats were never detected by internal security teams.
Defenders need to see more to do better, and threat detection and response must be a cohesive series of alerts and actions. Solutions must combine multiple data sources into contextual cases, give security teams a clear map of attack chains and help them coordinate the next steps. Unified data from endpoints and other sources is the crucial ingredient here.
SenseOn’s security automation platform improves threat detection through unified data collection and analysis. SenseOn conducts deep packet inspection of network traffic on endpoints with a single agent, linking network interactions with processes and identity, giving SOCs rich context on threat behaviour and removing blind spots.
This unified data is also combined with other analyses, including behaviour analytics, to power a MITRE ATT&CK detection engine that maps threat behaviour to known techniques in real time.
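To make the three ideas above concrete (a behavioural baseline that signature rules miss, endpoint and network telemetry in one schema, and alerts grouped into a contextual case with an ATT&CK tag), here is an added illustration written for this article; it is not SenseOn's code or data format. The event records, the per-user history and the technique mapping are all constructed assumptions.

```python
"""Join process and flow events from one host agent, baseline per user, build cases."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Both feeds come from the same
# endpoint agent, so they share host and pid: that pair is the join key.
PROCESS_EVENTS = [
    {"host": "ws-12", "pid": 4101, "user": "alice", "image": "outlook.exe"},
    {"host": "ws-12", "pid": 5222, "user": "alice", "image": "powershell.exe"},
]
NETWORK_EVENTS = [
    {"host": "ws-12", "pid": 4101, "dst": "mail.example.test", "bytes_out": 12_000},
    {"host": "ws-12", "pid": 5222, "dst": "203.0.113.9", "bytes_out": 85_000_000},
    {"host": "ws-12", "pid": 9999, "dst": "203.0.113.9", "bytes_out": 500},
]
# Constructed history of bytes_out per connection for each user: the "normal" baseline.
BASELINE_HISTORY = {"alice": [8_000, 15_000, 11_000, 9_500, 14_000]}


def unify(process_events, network_events):
    """Attach the owning process and user to each flow, one record per flow."""
    procs = {(p["host"], p["pid"]): p for p in process_events}
    unified = []
    for flow in network_events:
        proc = procs.get((flow["host"], flow["pid"]))
        if proc is None:
            continue  # a flow with no owning process is a visibility gap, not evidence
        unified.append({**flow, "user": proc["user"], "image": proc["image"]})
    return unified


def is_anomalous(value, history, z=3.0):
    """True when value sits more than z standard deviations above the user's baseline."""
    if len(history) < 3:
        return False  # too little history to call anything abnormal
    mu, sigma = mean(history), pstdev(history)
    return sigma > 0 and (value - mu) / sigma > z


def build_cases(unified, history):
    """Group anomalous records per host and user into one contextual case."""
    cases = defaultdict(list)
    for rec in unified:
        if is_anomalous(rec["bytes_out"], history.get(rec["user"], [])):
            # Assumed mapping: abnormal outbound volume -> ATT&CK T1048 (exfiltration
            # over alternative protocol). A real engine would use richer rules.
            cases[(rec["host"], rec["user"])].append({**rec, "technique": "T1048"})
    return dict(cases)
```

The third constructed flow has no matching process and is dropped rather than alerted on, which is the kind of blind spot the single-agent model is meant to close.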
The result is reduced analyst workload, faster incident response and remediation, and improved security posture.
Try a demo today to learn more about SenseOn’s threat detection technology.