Beyond Traditional Threat Detection | TechRadar

There is a growing gap between the sophistication of cyber attacks and the traditional methods many organizations use to detect and neutralize these threats. The industry is at a critical juncture, requiring a shift from outdated paradigms to innovative approaches that can effectively combat evolving threats. The opportunity lies in recognizing and addressing this gap in thinking.

Industry’s struggle with detection

Currently, organizations are predominantly focused on three main threat detection strategies: firewallsusing endpoint detection and response (EDR) systems and deterministic decision-making tools. Firewalls and EDR are designed to identify and block malicious software based on known signatures and attack patterns. On the other hand, deterministic tools aim to distinguish harmful actions from harmless ones by analyzing data and making binary decisions about what constitutes a threat.

However, this traditional approach is increasingly inadequate in the face of sophisticated tactics such as “living off the land” (LotL) attacks. LotL attacks are particularly sophisticated because they leverage legitimate tools and processes in the target’s environment to carry out malicious actions, thereby bypassing traditional detection mechanisms. No malware for flagging, no signatures used for detection, and no obvious indicators of compromise that could be detected by traditional tools. Here’s the crux of the problem: Existing tools are unable to deal with such subtle and hidden threats.

Matt Ellison

Technical Director EMEA at Corelight.

Industry Thinking Gap

A major gap in the industry’s approach to cybersecurity is the reliance on deterministic tools, which are inherently limited in combating advanced advanced persistent threats (APTs) and LotL techniques. Companies often believe that their current arsenal cybersecurity There are enough tools, without realizing that these tools are not designed to counter the subtle and sophisticated techniques used by modern attackers.

One significant omission is the lack of temporal awareness when detecting threats. Companies tend to think in terms of threat detection based on current activity (using TTPs – tools, techniques and procedures), but do not take into account the historical context of the attack. This shortsightedness is problematic because sophisticated attackers can stay online for long periods of time, waiting for the right moment to strike. Without the ability to look back in time and analyze past actions, organizations may mistakenly identify long-term intrusions that have already penetrated their systems.

Using a new approach

To bridge this gap, the new way forward involves three key changes in thinking:

1. Adopting retrospective analysis: Organizations must implement solutions that enable retrospective analysis, allowing them to look back in time and examine past activities for signs of undetected intrusion. This approach requires storing and analyzing historical data, huge volumes of data that can reveal patterns and anomalies that are not apparent in real-time analysis.

2. Use behavioral analytics: Instead of relying solely on deterministic tools, companies should use behavioral analytics that can detect deviations from normal behavior. This includes creating baseline profiles of typical activities and identifying anomalies that may indicate a security breach. Behavioral analytics, such as a camera with IP address that is, file exfiltration, are particularly effective in detecting LotL attacks where traditional signature-based detection fails.

3. Learn from elite defenders: The practice of elite advocates such as leading financial institutions and government agencies provides valuable insight. These organizations do not rely only on traditional methods, but use advanced threat hunting techniques and continuous monitoring to stay ahead of attackers. Companies should take note of these progressive approaches and integrate them into their own cybersecurity strategies.

Moving Forward

In conversations with clients, the “aha” moment often comes when they realize the limitations of their current tools and understand the importance of historical data for detecting advanced threats. By illustrating real-life examples, such as long wait times for attackers in high-profile breaches, cybersecurity professionals can highlight the need to take a more comprehensive and proactive approach.

Ultimately, bridging the cybersecurity gap requires recognizing that traditional tools and techniques are no longer sufficient. Using hindsight, behavioral analytics, and learning from elite defenders, organizations will be able to detect and neutralize even the most sophisticated threats. By closing this gap in thinking, companies can improve their security and better protect their critical assets in an increasingly complex threat environment.

We’ve introduced the best identity management software.

This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s tech industry. The views expressed here are those of the author and do not necessarily reflect those of TechRadarPro or Future plc. If you are interested in participating, find out more here: