October 16, 2020

The Problem with Traditional Approaches to Threat Detection and Response

Let’s face it: The current, standard approach to threat detection and response just isn’t cutting it. But now, a choice of two different cybersecurity solutions can overcome inherent challenges in most threat detection and response efforts in a way to reduce costs, achieve compliance, and improve your overall cybersecurity posture.


We wrote about the topic of threat hunting in the past — specifically, the idea that threat detection simply doesn’t work and, unfortunately, the whole industry still isn’t acknowledging this limitation.

Yet since this challenge has only gotten worse, we thought we’d take another look at what goes wrong with traditional approaches to threat detection and response.


Threat detection and response challenges

Threat detection and response is one of the most important aspects of cybersecurity, yet too many companies still face too many obstacles to using this approach successfully. For proof, consider the following threat detection and response challenges. 


Too many tools lead to too much “noise”

By some accounts the average enterprise now has more than 75 different security threat detection tools in their overall cybersecurity stack. This proliferation has led to an end result that is hard to manage, but even worse, now leads to more alerts than any InfoSec team can reasonably manage. A recent article from Dark Reading found that SOC teams now receive more than 10,000 alerts each day from their threat detection and monitoring solutions.

There is only so much manpower and so many hours available in a day — a fact made worse when SOC teams are forced to work remotely — so it becomes impossible for SOC teams to investigate each and every alert. While these teams want to do the right thing, real threats are inevitably missed, which has been proven to be the cause of devastating cyber-breaches, such as the high-profile Target example.


Lack of Internal Network Visibility 

Following what they take to be standard best practice, too many companies spend too much time focusing on detecting and preventing attacks at the perimeter. In doing so, they miss monitoring the majority of their network traffic: research has shown that while such a perimeter focus may work for the 20% of north-south traffic coming and going, most companies don’t do enough to monitor the up to 80% of east-west traffic on internal networks.

Even if you have an extremely effective firewall, you may still be susceptible to network-borne attacks such as phishing, ransomware, or other malware that follow a “land and expand” strategy, doing real damage as they move laterally through the network. Finally, putting too much emphasis on perimeter security may take away from your ability to detect an attack once your perimeter has been breached and your organization is at risk.
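To make the north-south versus east-west distinction concrete, here is an added example (not code from the original post or from ARIA) that classifies NetFlow-style records by whether each endpoint sits in the organization’s internal address space, reports the share of bytes a perimeter-only sensor would and would not see, and applies one simple east-west detection a perimeter sensor cannot run: a single internal source reaching many distinct internal hosts on administrative ports, the “land and expand” pattern the text describes. The internal prefixes (RFC 1918 ranges), the admin-port list, and the flow records are all assumptions constructed for the example.

```python
"""Classify flow records as north-south vs east-west and measure what a
perimeter-only sensor would see.  Added example; the flow records below are
constructed, not captured from any real network."""
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
# A real deployment would list the exact prefixes it owns (including cloud VPC CIDRs).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: ports commonly used for remote administration and file sharing.
# Many east-west connections to distinct hosts on these ports is a common
# lateral-movement signature worth a second look.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("192.168.1.10", "93.184.216.34", 443, 120_000),  # workstation browsing out
    ("203.0.113.7",  "192.168.1.5",   443,  45_000),  # inbound to DMZ web server
    ("192.168.1.10", "192.168.1.20",  445,  80_000),  # workstation -> SMB on a peer
    ("192.168.1.10", "192.168.1.21",  445,  75_000),  # same source, another peer
    ("192.168.1.10", "192.168.1.22", 3389,  60_000),  # same source, RDP to a third
    ("10.0.5.3",     "10.0.5.9",     5432, 300_000),  # app tier -> database
    ("10.0.5.9",     "10.0.5.3",     5432, 250_000),  # database -> app tier
    ("198.51.100.2", "203.0.113.8",    80,   1_000),  # neither end is ours (transit)
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str) -> str:
    """north-south crosses the perimeter; east-west never leaves the inside."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "east-west"
    if src_in or dst_in:
        return "north-south"
    return "external"


def bytes_by_direction(flows):
    """Total bytes per direction class."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        totals[classify_flow(src, dst)] += nbytes
    return dict(totals)


def perimeter_visibility(flows):
    """Percent of bytes (one decimal) in each class; the north-south figure is
    all a perimeter-only sensor ever sees, the east-west figure is what it misses."""
    totals = bytes_by_direction(flows)
    total = sum(totals.values())
    return {direction: round(100 * n / total, 1) for direction, n in totals.items()}


def admin_port_fan_out(flows, min_targets=3):
    """Internal sources that reached at least min_targets distinct internal hosts
    on admin ports.  Only east-west flows count, so a perimeter sensor would
    produce no data for this check at all."""
    targets = defaultdict(set)
    for src, dst, port, _n in flows:
        if port in ADMIN_PORTS and classify_flow(src, dst) == "east-west":
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    print("bytes by direction:", bytes_by_direction(SAMPLE_FLOWS))
    print("visibility (%):   ", perimeter_visibility(SAMPLE_FLOWS))
    print("fan-out suspects: ", admin_port_fan_out(SAMPLE_FLOWS))
```

On the constructed sample, roughly 18% of the bytes are north-south and 82% east-west, and the one host touching three peers on SMB and RDP is surfaced only because the east-west flows were collected in the first place. Swap `SAMPLE_FLOWS` for records exported by a real flow collector and set `INTERNAL_NETS` to the prefixes you actually own before drawing conclusions about your own network.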


Costly, complex, and resource-demanding cybersecurity stacks

Most companies today have extremely complex infrastructure made up of applications, systems, and networks spread across on-premises data centers and public and private clouds. All of this has led to a complicated cybersecurity stack of different tools — as noted above, as many as 75 separate tools. While each is valuable in its own way, they lack the ability to protect the entire threat surface and the centralized orchestration capabilities to provide the complete security the business requires.

Not surprisingly, these IT security tools are extremely time-consuming, challenging, and expensive to manage, especially as the entire organization scales. It can take hours (or even longer) for skilled security staff to properly configure and then monitor the various threat detection and response tools. Even then, such a disparate, siloed approach can lead to too much noise, confusion, and even conflicting security information.


Compliance issues

Finally, data privacy regulations have grown in number and gotten stricter as governments and other institutions seek to protect constituents and consumers from data loss and other issues. In today’s environment, it often takes organizations days, weeks, or even months (if they manage it at all) to identify and understand the full impact of a cyber-attack or data breach.

Unfortunately, you can’t afford this much time since many regulations require much shorter time frames to report a data breach. For example, to comply with GDPR, you must report a breach within 72 hours.


A threat detection and response solution that actually works

ARIA Cybersecurity Solutions has taken a different path when developing our threat detection and response solutions. Unlike other providers, we start inside the network to generate complete, enterprise-wide visibility into all traffic, including east-west flows.

This lets our solutions help in two important ways: deploying full AI-driven SOC capabilities within a single platform, and improving the performance of your existing security stack.

For example, the ARIA Advanced Detection and Response (ADR) solution is a single-platform approach to enterprise-wide automated threat detection, containment, and remediation. This “SOC-in-a-box” gives organizations all the benefits and capabilities found in a traditional SOC, plus automation and AI and ML capabilities, at a fraction of the cost: about 90% less, in fact.

Where other security solutions provide limited or no threat surface coverage (remember: only about 20% of network traffic), ARIA ADR provides complete visibility into all parts of an organization’s network. This increased network visibility is critical to finding the most harmful threats faster and earlier in the attack lifecycle, before significant damage can be done.

Additionally, the ARIA Packet Intelligence (PI) application is integrated with the ARIA ADR solution, yet it can also run independently to improve the performance and effectiveness of existing security tools like SIEMs, IDSs/IPSs, UEBAs or SOARs. The application deploys transparently in the network and monitors all network traffic, including often unseen IoT devices. As part of this process, it classifies and generates NetFlow metadata for all packets. 

Organizations gain five critical advantages with the ARIA Cybersecurity solutions: 

  • Gain complete visibility into every corner of your network, where other solutions are limited or completely blind.
  • Use enterprise-wide analytics, including the industry’s most comprehensive analytics generated from alerts, logs, threat intelligence, and our own ARIA PI application.
  • Take advantage of smart threat modeling that uses AI to feed threat analysis through ML-based predefined models that understand how each threat behaves.
  • Contain validated threats automatically and surgically before they can spread to other devices and disrupt the business.
  • Automate auditable enforcement policies, assuring regulatory compliance and enforcing connectivity policies – preventing future violations.


Interested in learning more? Check out our ARIA ADR resource center, where we offer many valuable resources related to simplifying your cybersecurity stack and gaining a fast, powerful ROI with the right solution.

Tags: cyber attack, cybersecurity, intrusion response, intrusion detection