Beyond traditional threat detection | TechRadar

There is a growing gap between the sophistication of cyber attacks and the traditional methods used by many organizations to detect and neutralize these threats. The industry is at a critical juncture, requiring a shift from outdated paradigms to innovative approaches that can effectively combat evolving threats. The opportunity lies in recognizing and addressing this gap in thinking.

The industry’s struggle with detection

Currently, organizations are primarily focused on three main strategies for threat detection: deployment Firewallsusing EDR (Endpoint Detection and Response) systems and using deterministic decision tools. Firewalls and EDRs are designed to identify and block malicious software based on known signatures and attack patterns. Deterministic tools, on the other hand, aim to differentiate malicious from benign activities by analyzing data and making binary decisions about what constitutes a threat.

However, this traditional approach is proving increasingly inadequate in the face of sophisticated tactics such as living off the land (LotL) attacks. LotL attacks are particularly challenging because they use legitimate tools and processes in a target’s environment to perform malicious activities, thus avoiding traditional detection mechanisms. It doesn’t exist malware to flag, no signatures are used to detect and no obvious indicators of compromise for traditional capture tools. Herein lies the crux of the problem: existing tools are not equipped to deal with such nuanced and hidden threats.

Matt Ellison

EMEA Technical Director of Corelight.

The gap in industry thinking

The main gap in the industry’s approach to cyber is the reliance on deterministic tools that are inherently limited in addressing advanced persistent threats (APT) and LotL techniques. Companies often believe that their current arsenal of cyber security tools is enough, failing to realize that these tools were not designed to counter the subtle and sophisticated methods used by modern attackers.

A significant oversight is the lack of temporal awareness in threat detection. Companies tend to think in terms of threat detection based on current activities (using TTPs – tools, techniques and procedures) but fail to consider the historical context of an attack. This myopia is problematic because sophisticated attackers can inhabit a network for long periods of time, waiting for the right moment to strike. Without the ability to look back in time and analyze past activities, organizations may misidentify long-term intrusions that have already infiltrated their systems.

Embracing a new approach

To close this gap, a new way forward involves three key changes in thinking:

1. Adoption of retrospective analysis: Organizations need to incorporate solutions that enable hindsight, allowing them to look back in time and investigate past activities for signs of an undetected intrusion. This approach requires the retention and analysis of historical data, huge amounts of data, which can reveal patterns and anomalies not apparent in real-time analysis.

2. Use of behavioral analysis: Instead of relying solely on deterministic tools, companies should adopt behavioral analytics that can detect deviations from normal behavior. This involves creating basic profiles of typical activities and identifying outliers that could indicate a security breach. Behavioral analytics, such as, for example, a room with a IP address i.e. file exfiltration, are particularly effective in identifying LotL attacks where traditional signature-based detection fails.

3. Learning from elite defenders: The practices of elite defenders, such as leading financial institutions and government agencies, provide valuable insights. These organizations don’t just rely on traditional methods, but use advanced threat hunting techniques and continuous monitoring to stay ahead of attackers. Companies should take note of these progressive approaches and integrate them into their own cybersecurity strategies.

Moving forward

In conversations with customers, the “aha” moment often comes when they realize the limitations of their current tools and understand the importance of historical data in detecting sophisticated threats. By illustrating real-world examples, such as the long wait times for attackers in major breaches, cybersecurity professionals can emphasize the need for a more comprehensive and proactive approach.

Finally, closing the cybersecurity gap requires recognizing that traditional tools and methods are no longer sufficient. Embracing hindsight, behavioral analysis and learning from elite defenders will equip organizations to detect and neutralize even the most sophisticated threats. By closing this thinking gap, companies can improve their security posture and better protect their critical assets in an increasingly complex threat landscape.

We’ve featured the best identity management software.

This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you’re interested in contributing, learn more here: