June 17, 2019 / by Cheryl Dsa / In siem /

What You Need to Know About Threat Detection and Response

With cyberattacks constantly making headlines, it seems like every day brings fresh news of a massive corporate security breach: an email service compromised here, a server hacked there, millions of customer records and private data leaked to the “darknet.” The sophistication of the attack on a Marriott International guest reservation database, announced last November, is a clear indication that any organization handling sensitive, personal data — virtually every enterprise today — can expect to be compromised at some point.

The good old days

In the “good old days” of IT security, simply keeping tabs on the movement of employees and guests, securing logins and tracking assets was considered a high level of security. While these methods are still important components of corporate IT security today, modern tools and methods back this up with measures like firewalls and encryption to keep attackers at bay.

Here and now: modern, high-risk threats

New vulnerabilities, and exploits for them, are appearing at an alarming rate these days. Many off-the-shelf security tools and platforms are available from various vendors, but merely installing a few of these tools doesn’t provide adequate protection against modern cyberattacks.

Recent incidents have undoubtedly exposed shortcomings in current cybersecurity solutions, especially in the context of detection. Cyberattacks targeting such large companies as Marriott, British Airways and Dixons Carphone have shone a spotlight on the prevalence of ineffective threat detection practices. These security breaches should be a wake-up call for all organizations to start taking a more holistic approach to network protection. Every security team should be asking itself whether its security procedures can detect and neutralize a breach as soon as it happens. This is where threat detection and response (TDR) comes into the picture.

Threat detection and response to the rescue

Simply put, TDR is a system that automates the monitoring and detection of suspicious activity and threats within an ongoing flow of data, and triggers immediate countermeasures against whatever suspicious or threatening activity it detects. Unlike, say, firewalls and antivirus systems, a TDR system is not simply preprogrammed to recognize and respond to a fixed set of known agents and threats.

The goal of TDR is to find anomalies, analyze their threat levels, and determine what countermeasures are required, if any. The demand for threat detection and response solutions is growing as the volume of data produced within organizations increases.

What you need to know about TDR

A TDR solution uses software installed on discrete endpoints within your systems and networks. The software captures data that is then fed into a centralized management platform. The management platform monitors the shape and nature of the data that it receives to build an overall picture of activity on your systems. Over time, the volume of data available to the platform increases, making its analyses more accurate.
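To make the endpoint-to-platform flow above concrete, here is a small added example (written for this post, not code from any TDR vendor or from the original article): endpoint agents report an hourly count of failed logins, a central platform learns a per-host baseline from the first few hours, and each later record is scored as a deviation from that baseline and triaged into a severity and a suggested response. The telemetry, host names, thresholds and response actions are all constructed for illustration.

```python
"""Toy TDR pipeline: endpoint telemetry -> central baseline -> anomaly triage.

Added example with constructed data; it is not any vendor's implementation.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    host: str
    hour: int
    observed: int
    baseline_mean: float
    zscore: float
    severity: str
    action: str


@dataclass
class CentralPlatform:
    """Receives records from endpoint agents and keeps a per-host baseline."""

    # Per-host history of hourly failed-login counts (the learned "normal").
    history: dict = field(default_factory=lambda: defaultdict(list))
    # Hours of history required before a host is scored at all.
    min_history: int = 6

    def ingest(self, host: str, hour: int, failed_logins: int):
        """Process one telemetry record; return an Alert if it is anomalous."""
        past = self.history[host]
        alert = None
        if len(past) >= self.min_history:
            mean = statistics.fmean(past)
            stdev = statistics.pstdev(past)
            # A perfectly flat baseline has stdev 0; fall back to 1.0 so a
            # sudden change on a quiet host is still scored rather than skipped.
            z = (failed_logins - mean) / (stdev if stdev > 0 else 1.0)
            severity, action = self.triage(z)
            if severity is not None:
                alert = Alert(host, hour, failed_logins, round(mean, 2),
                              round(z, 2), severity, action)
        # Only unflagged records extend the baseline, so an anomaly does not
        # quietly become the new normal over time.
        if alert is None:
            past.append(failed_logins)
        return alert

    @staticmethod
    def triage(z: float):
        """Map a deviation score to a severity and a response (thresholds are illustrative)."""
        if z >= 6:
            return "high", "isolate host and lock affected accounts"
        if z >= 3:
            return "medium", "open investigation ticket"
        return None, None


# Constructed telemetry: (host, hour, failed_logins). Two hosts report for
# six quiet hours, then hour 7 brings a spike on each, then activity settles.
SAMPLE_TELEMETRY = [
    ("ws-17", 1, 2), ("srv-02", 1, 0),
    ("ws-17", 2, 3), ("srv-02", 2, 0),
    ("ws-17", 3, 1), ("srv-02", 3, 0),
    ("ws-17", 4, 2), ("srv-02", 4, 0),
    ("ws-17", 5, 3), ("srv-02", 5, 0),
    ("ws-17", 6, 2), ("srv-02", 6, 0),
    ("ws-17", 7, 40), ("srv-02", 7, 4),
    ("ws-17", 8, 3), ("srv-02", 8, 0),
]


def run_demo():
    """Feed the constructed telemetry through the platform; return alerts raised."""
    platform = CentralPlatform()
    alerts = []
    for host, hour, count in SAMPLE_TELEMETRY:
        alert = platform.ingest(host, hour, count)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host} hour {a.hour}: {a.observed} failed logins "
              f"(baseline {a.baseline_mean}, z={a.zscore}) -> {a.severity}: {a.action}")
```

Two things in this toy mirror the article's point about data volume: no host is scored until enough history exists, and the baseline keeps growing with ordinary records, so scoring gets more accurate as the platform sees more of the environment. The flat-baseline guard matters in practice, since a server that normally sees zero failed logins would otherwise never produce a score.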

The biggest gains from TDR platforms come from their ability to paint a sophisticated picture of an environment using big data analysis, as well as a deeper understanding of the typical activities found on your systems. Using a TDR platform, you can accelerate security team responses and develop a policy for further hardening your enterprise against attacks. The insights you gain from the data captured and reported by a TDR platform help your security team to develop the skills they need to deal with threats effectively.