Alessandra Peters

04/08/2022

The Ultimate Guide to Threat Detection and Response Tools

According to the FBI, last year was the worst year on record for internet crime in the US, and across the pond, in the UK, businesses saw a 20% increase in cybersecurity threats. Looking forward, the threat landscape doesn’t look much better. Even as organisations secure some of the most obvious vulnerabilities that emerged since employees started working from home, maintaining cybersecurity is likely to remain a struggle. Unfortunately, this also means that network breaches are inevitable. As a result, threat detection, which refers to an organisation’s ability to accurately and quickly identify threats to the corporate network, will become an even more critical part of any security arsenal. 

In 2020, improving threat detection and response was the main concern for IT and cybersecurity professionals based in North America. At the same time, a survey from a few years ago shows that threat detection and response is becoming more difficult. The fact is that organisations are using too many independent tools that don’t talk to each other, overburdening their IT staff with alerts — many of them false positives — and making prioritising genuine threats ahead of false alarms almost impossible.

The solution is to opt for threat detection and response tools that will improve an organisation’s security without straining its IT resources. However, the question remains: which tools are these? 

Endpoint Detection and Response (EDR)

Research by the Ponemon Institute shows that a large majority of organisations are likely to have experienced an endpoint attack in the last twelve months. Attempting to stem this threat, endpoint detection and response (EDR) tools monitor, detect, and investigate abnormal behaviour that indicates malicious activity on endpoints, whether they are laptops, desktops, mobile devices, servers, or virtual machines. 

Exact EDR capabilities vary from one vendor to the next. However, most EDR solutions work by aggregating data from endpoints, such as logs, running processes, and file details, and searching it for irregularities. 

Although EDR is a cut above traditional AV solutions, it is critical to note that, as a standalone solution, it focuses only on endpoints, excluding other parts of the corporate IT environment, such as the cloud and the network, and ultimately provides security teams with a restricted point of view. 

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

Both intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor a network for patterns associated with cyberattacks. However, whereas IDS are passive (i.e., they alert you when something suspicious happens but do not go beyond that), IPS, which sit inline between the external network (such as the internet) and the internal network, are active (i.e., they reject traffic flagged as malicious until security teams investigate it).

While useful, both systems have their disadvantages. An IDS, for example, needs another system or a human analyst to make sense of all the alerts (many of which may be false positives) and decide what to do next. An IPS, on the other hand, is known for false alerts, and if it unnecessarily blocks traffic, it can disrupt operations significantly. Other disadvantages of IDS and IPS include their inability to decrypt encrypted traffic or to detect IP spoofing. IDS and IPS also rely on a signature library that needs to be constantly updated to catch the latest threats. 

Network Detection and Response (NDR)

Rather than just focusing on endpoints, network detection and response, or NDR for short, observes and analyses the traffic passing through a corporate network. Unlike IDS/IPS solutions, NDR products use machine learning to detect never-before-seen threats as well as “low and slow” cyberattacks that signature-based systems often miss.

Previously known as “network traffic analysis” (NTA), the solution category was redefined by Gartner in 2020 to include response capabilities, regardless of whether these are automatic (such as sending commands to a corporate firewall) or manual (like threat hunting and incident response). 

However, even though NDR works well within onsite corporate networks, the persistence of flexible working arrangements across the economy reduces the effectiveness of this kind of solution. Not every modern enterprise environment has a physical firewall in place, and not all remote workers generate traffic that passes through the corporate network, two factors that can significantly limit IT teams’ ability to see what is happening.

Security Information and Event Management (SIEM)

Security information and event management (SIEM) solutions give IT teams real-time visibility into their organisations’ information security systems. 

These tools work by collating vast amounts of data from an organisation’s technology infrastructure, including host systems, applications, and network and security devices, which they then analyse for anomalies or potential cyberattacks. SIEM tools provide reports on things like malware activity and successful and failed logins, and they send alerts if there is any indication of a security issue. 

Unfortunately, SIEM solutions are very expensive. They also fall short when it comes to providing context around the events they collect. So, an IT professional may see increased network activity from an IP address but be left in the dark about which user generated that activity. 

Another disadvantage is that SIEM applications are notorious for generating too many alerts. As a result, cybersecurity teams are often left on their own when it comes to figuring out which alerts are real threats and which ones can be ignored. Although IT professionals can reduce the number of alerts surfaced with rules, these tend to vary in quality and are typically based on simplistic logic that can’t isolate and analyse genuine attacks. Further complicating matters is the fact that most rules are designed to observe attacks immediately, in real time, whereas many attacks are carried out over a prolonged period of time. 
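To make the point about rule logic concrete, here is an added example (my own Python, not a SenseOn or SIEM-vendor rule): the same failed-login count evaluated over a one-minute window and over a three-hour window, run against constructed log events so the two windows can be compared side by side. The event format, user names and addresses are invented for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events, not taken from any real system:
# (timestamp, user, source_ip, outcome). One source fails against svc-backup
# every 20 minutes for three hours; alice fumbles her password in a quick burst.
BASE = datetime(2022, 4, 8, 9, 0)
EVENTS = (
    [(BASE + timedelta(minutes=20 * i), "svc-backup", "203.0.113.7", "fail")
     for i in range(9)]
    + [(BASE + timedelta(seconds=5 * i), "alice", "198.51.100.4", "fail")
       for i in range(5)]
    + [(BASE + timedelta(minutes=1), "alice", "198.51.100.4", "success")]
)

def failures_per_source(events, window, threshold):
    """Flag every source_ip with >= threshold failed logins inside any
    sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, _user, src, outcome in sorted(events):
        if outcome == "fail":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end, ts in enumerate(times):
            # Slide the window's left edge forward until the span fits.
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
    return flagged

def realtime_rule(events):
    """The typical out-of-the-box rule: five failures within one minute.
    It catches the noisy burst and never fires on the slow attacker."""
    return failures_per_source(events, timedelta(minutes=1), 5)

def slow_rule(events):
    """Same logic stretched over three hours with a higher threshold: the
    low-and-slow source now crosses the line while alice's burst does not."""
    return failures_per_source(events, timedelta(hours=3), 8)

if __name__ == "__main__":
    print("real-time rule flags:", realtime_rule(EVENTS))   # {'198.51.100.4'}
    print("long-window rule flags:", slow_rule(EVENTS))      # {'203.0.113.7'}
```

Neither rule is sufficient on its own: the short window surfaces a user who mistyped a password, and only the long window sees the patient source, which is exactly why rules alone leave analysts sorting real threats from noise.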

User and Entity Behaviour Analytics (UEBA)

Seen as an extension of SIEM, user and entity behaviour analytics (UEBA) is a cybersecurity process that gathers insight into the normal conduct of users, machines, and other entities within an organisation. By analysing these insights, UEBA can discover deviations from established patterns. Because UEBA doesn’t rely on rules, it can learn to detect suspicious behaviour over time. 

However, because people sometimes do atypical things for legitimate reasons, UEBA may generate alerts that don’t actually indicate a real security problem. Also, while UEBA is a great tool for identifying a range of cyberattacks, such as insider threats, brute force attacks, and data breaches, it will not automatically stop intruders. 

Security Orchestration, Automation, and Response (SOAR)

Whereas SIEM and UEBA systems merely identify and flag potential threats, security orchestration, automation, and response (SOAR) is a category of tools that integrates existing tech to prioritise incidents and take automatic action against malicious activity. This, in theory, automates some parts of an analyst’s job. 

However, like SIEMs, SOAR systems also create too many alerts, which can often lead overwhelmed security teams to turn down the volume of alerts they receive. This can hurt an organisation’s ability to defend against actual attacks. SOAR tools are also expensive. In particular, if the systems across an organisation keep changing, maintenance costs can be especially high. Because the main benefit of SOAR is to integrate and orchestrate other technologies, technologies that, for one reason or another, can’t be connected will hold your organisation back. 

Extended Detection and Response (XDR)

The newest trend in cybersecurity, extended detection and response (XDR) is a cybersecurity technology that claims to integrate multiple siloed security tools, like EDR, NDR, and SIEM, into one cohesive platform. In doing so, XDR supposedly improves visibility across an organisation’s endpoints, network, and cloud workloads and reduces complexity. At the moment, XDR typically falls into one of two categories: proprietary or native XDR, which is made up of a single vendor’s products, and open or hybrid XDR, which synthesises alerts from various different security solutions. 

Although sound in theory, the premise of XDR falls short in reality, not least because the cybersecurity community can’t seem to agree on what XDR really is. For example, does the “X” in XDR stand for “extended” (i.e., aggregating security events from multiple sources, including endpoints and the network, rather than just looking at the endpoint), “anything/everything” (i.e., spanning the entire attack surface), or “cross-layered”/“cross-product”/“cross-controls” (i.e., data comes from multiple security layers, products, or controls)? 

Because XDR is such a new concept, it also lacks a standard offering. As a result, when it comes to native XDR, the tools included typically depend on the products a company already has in its catalogue rather than best-of-breed solutions. 

Of course, a company may develop or acquire additional products later, but doing so risks introducing disparate tools that were not built from inception to connect the telemetry they collect. The same is true for open XDR. Ultimately, for open XDR to work, all vendors would have to adhere to industry standards like OASIS’ Open Cybersecurity Alliance (OCA), which allows standalone security products to share information with one another — and we’re not there yet. To connect all the different security tools that supposedly fall under XDR, teams still need to deploy a SIEM or SOAR platform. 

SenseOn Wraps It All Together

The fundamental issue with each of the tools outlined above is that none of them works well enough in isolation. While many organisations have tried to overcome this problem by using some or all of these solutions simultaneously, the end result is usually inflated budgets, increased complexity, and fatigued security teams — all of which add up to lapses in real-world security.

Providing a holistic solution for teams, SenseOn solves this problem. Able to detect threats across the corporate network and endpoints, SenseOn does away with the need for multiple security tools, giving IT teams unparalleled visibility across their entire digital estates via a single dashboard. Critically, with SenseOn, teams don’t have to worry about being bombarded with hundreds of alerts. SenseOn’s unique threat triangulation technology cuts down on the threat alerts that IT teams have to deal with, thus reducing operational strain and freeing up time to focus on proactive security. 
