Threat detection and response is hard and getting harder. According to ESG research, 76% of cybersecurity professionals claim that threat detection and response is more difficult today than it was two years ago, so this situation may only get worse in the future.
Why are threat detection and response processes and actions so challenging? One of the primary reasons is that many organizations approach threat detection and response through a maze of disconnected point tools. In fact, ESG research indicates that 66% of organizations agree that threat detection/response effectiveness is limited because it is based upon multiple independent point tools.
Think about the ramifications here: Each of these tools must be deployed, configured, and operated daily. Furthermore, each tool provides its own myopic alerting and reporting. Security analysts are then called upon to stitch together a complete threat management picture across endpoint security tools, network security tools, threat intelligence, etc. This is a manual slog that doesn’t scale. Little wonder, then, that malware is often present on a network for hundreds of days before it is discovered.
CISOs recognize this problem and are doing something about it. In fact, 66% of organizations are actively consolidating security vendors and products.
What does this mean for threat detection and response? The research indicates that enterprise organizations want a tightly integrated threat detection and response technology architecture composed of five key security tools:
- Endpoint detection and response (EDR). This technology monitors granular endpoint behavior (e.g., endpoint processes, DLLs, registry settings, file activity, network activity, etc.). It can maintain a record of these behaviors for investigators, or leverage analytics to identify and alert on anomalies.
- Network Traffic Analysis (NTA). Similarly, NTA monitors network traffic, looking for anomalous, suspicious, and malicious activity. NTA has a long history in security analytics and investigations and it is still a SOC staple – 43% of cybersecurity professionals surveyed say that NTA is used as the first line of defense for threat detection. It is also worth noting that open source projects like Bro/Zeek often play a role here.
- Malware sandboxes. Suspicious files are sent to malware sandboxes for detonation and analysis. Malware sandboxing technology is deployed as an appliance, as a cloud-based service, or in some type of hybrid configuration.
- Cyber threat intelligence (CTI). Organizations need timely and detailed CTI to compare internal security incidents with indicators of compromise (IoCs) and cyber adversary tactics, techniques, and procedures (TTPs). In this way, security analysts can get an “outside-in” perspective for investigations. Many threat detection/response technologies are also embracing the MITRE ATT&CK framework for similar purposes.
- Central analytics and management. Rather than a multitude of alerts from disparate point tools, all security telemetry is centralized and analyzed in its totality. In this way, threat detection events can be correlated across endpoints, networks, files, etc. to achieve more accurate and efficient levels of fidelity. Central management comes into play for policy management, configuration management, change management, etc., streamlining security operations. Many threat detection/response technology architectures will also include some type of security operations workbench for case management, ticketing, automation/orchestration, etc.
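The "central analytics" point above is easiest to see in code. The following is an added example, not code from the ESG post or from any of the vendors it names: it folds constructed telemetry from the sensor classes listed above (EDR process events, NTA connection records, sandbox verdicts, and a CTI indicator feed) into one incident per host and scores it by how many independent sources agree. The host names, hashes, IP addresses, and scoring weights are all assumptions made up for the example.

```python
"""
Added example (not from the ESG post): correlate per-tool telemetry into one
incident record per host, the way a central analytics layer would, instead of
treating each tool's alert in isolation. Every host, hash, IP and weight here
is constructed sample data, not a real indicator.
"""
from dataclasses import dataclass, field

# --- Constructed sample data (not real indicators) -------------------------
MAL_HASH = "0" * 63 + "1"          # constructed stand-in for a SHA-256
CTI_IOCS = {                        # constructed CTI feed: indicator -> note
    "203.0.113.45": "C2 address (constructed)",
    MAL_HASH: "loader sample (constructed)",
}
SANDBOX = {MAL_HASH: "malicious"}   # constructed sandbox verdicts keyed by hash

EVENTS = [  # constructed telemetry from two hosts
    {"source": "edr", "host": "ws-17", "ts": 100, "process": "update.exe",
     "parent": "winword.exe", "sha256": MAL_HASH},
    {"source": "nta", "host": "ws-17", "ts": 104, "dst_ip": "203.0.113.45",
     "dst_port": 443, "bytes_out": 48_000},
    {"source": "edr", "host": "ws-22", "ts": 101, "process": "chrome.exe",
     "parent": "explorer.exe", "sha256": "a" * 64},
    {"source": "nta", "host": "ws-22", "ts": 103, "dst_ip": "198.51.100.7",
     "dst_port": 443, "bytes_out": 1_200},
]


@dataclass
class Incident:
    host: str
    sources: set = field(default_factory=set)    # tool classes that contributed
    evidence: list = field(default_factory=list)  # human-readable findings
    score: int = 0


def indicators_of(event):
    """Pull the correlatable indicators (file hash, destination IP) out of one event."""
    out = []
    if "sha256" in event:
        out.append(event["sha256"])
    if "dst_ip" in event:
        out.append(event["dst_ip"])
    return out


def correlate(events, cti=CTI_IOCS, sandbox=SANDBOX):
    """Fold per-tool events into one Incident per host.

    Scoring (illustrative weights, an assumption of this example):
      +1 per sensor class that reports on the host (edr, nta)
      +3 per indicator that matches the CTI feed
      +3 per file hash the sandbox judged malicious
    An incident backed by several independent sources therefore scores far
    higher than any single-tool alert would on its own.
    """
    incidents = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = incidents.setdefault(ev["host"], Incident(ev["host"]))
        inc.sources.add(ev["source"])
        for ind in indicators_of(ev):
            if ind in cti:
                inc.sources.add("cti")
                inc.evidence.append(f"{ev['source']} indicator {ind} matches CTI: {cti[ind]}")
                inc.score += 3
            if sandbox.get(ind) == "malicious":
                inc.sources.add("sandbox")
                inc.evidence.append(f"sandbox verdict malicious for {ind} seen by {ev['source']}")
                inc.score += 3
    for inc in incidents.values():
        inc.score += len(inc.sources & {"edr", "nta"})
    return incidents


def triage(incidents, threshold=5):
    """Return the hosts whose cross-source evidence clears the alert threshold."""
    return sorted(h for h, inc in incidents.items() if inc.score >= threshold)


if __name__ == "__main__":
    incs = correlate(EVENTS)
    for host in triage(incs):
        inc = incs[host]
        print(f"{host}: score={inc.score} sources={sorted(inc.sources)}")
        for line in inc.evidence:
            print("  -", line)
```

With the constructed data, ws-17 is flagged because EDR, NTA, the sandbox and the CTI feed all point at the same host, while ws-22 produces ordinary EDR and NTA telemetry with no corroboration and stays below the threshold. In a real deployment the weights and threshold would be tuned to the organization's telemetry, and the evidence list is what an analyst would expect to find attached to the case in the operations workbench.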
It’s clear that these five technologies are coming together to interoperate in a systematic way. In my humble opinion, this will be driven by:
- Threat detection and response platforms. Many vendors (e.g., Check Point, Cisco, Fidelis, FireEye, Fortinet, McAfee, Palo Alto Networks, Symantec, Trend Micro, etc.) can provide an integrated architecture of some or all of the five technologies. ESG research indicates that 62% of organizations would be willing to buy most of their cybersecurity technology (and services) from a single enterprise-class vendor, so an end-to-end platform may be the right solution at the right time.
- API integration. Since ‘best-of-breed’ is built into the cybersecurity culture, some organizations will continue to buy different tools from different vendors and then glue them all together through APIs. This process is a bit more complex than a one-stop shop, but it is getting easier in an API-driven world.
- Security analytics integration. Another way to view threat detection and response is to assume that security controls (e.g., endpoint security, network security, cloud workload security, gateways, etc.) are simply sensors and actuators. In other words, they provide telemetry to some type of cybersecurity analytics brain like a SIEM, and then receive instructions on what actions to take based upon real-time analytics. In this model, the center of gravity shifts to the back end, to things like IBM QRadar, Splunk, Chronicle Security Backstory, Microsoft Azure Sentinel, etc. The OpenC2 standard may accelerate this trend.
The fourth option is some combination of the three options listed above – perhaps with an element of managed services mixed in as well. Yes, this is all a bit confusing and possibly daunting, but these five threat detection and response technologies will be tightly coupled sooner rather than later, one way or another.