How Threat Detection is Evolving
As adversaries have shifted the focus of attacks to achieve their goals, defenders must evolve their approach to threat detection
The threat landscape is dynamic and ever changing. Adversaries are evolving their approaches and targets. Mark Harris from Gartner has said it best, in my opinion: Adversaries have shifted the focus of attacks to achieve their goals – from focusing on infecting files to infecting systems, and now infecting entire enterprises. As defenders we have to evolve our approach to detection accordingly: from tracking files and hashes and relying on signatures to block early threats, to tracking additional indicators to protect against more sophisticated attacks. Now, adversaries are infiltrating organizations and moving laterally to accomplish their mission, whether that is to conduct reconnaissance surreptitiously and launch attacks later, lock down endpoints and servers simultaneously for ransom, use one enterprise as an entry point into another, overwhelm systems to disrupt services for legitimate users, or hijack computing resources to conduct nefarious activity. The list goes on and on.
So, we must continue to evolve our approach to detection. It is no longer just about finding the one control point or system where the attack is being triggered. Multiple points across the enterprise are involved, so you need to be able to connect the dots. Detection now requires breadth and depth of information from disparate systems and sources, with data and actions brought into a single view, so you can gain a comprehensive understanding of the threat you are facing and know what you must defend.
Extended Detection and Response (XDR) is generating a great deal of interest right now as a way to enable detection and response across the enterprise. If we focus on the extended detection aspect of XDR, the goal is to combine data from disparate sources, both internal and external, and connect atomic events from individual systems into a single incident. As Frost & Sullivan points out, “Since organizations typically follow a best-of-breed strategy, integrations are truly imperative to fulfilling the XDR vision.” All systems and sources must be able to work together. Pulling the right data from the right tools allows you to validate the detection and, ultimately, respond effectively.
Sounds straightforward, but it’s actually a seismic shift in detection capabilities. On their own, events from all internal data sources, including your SIEM system, log management repository, case management system and security infrastructure, on premises and in the cloud, appear to be independent. But if you can aggregate this data and then augment and enrich it automatically with threat data from the multiple sources you subscribe to (commercial, open source, government, industry and existing security vendors), you start to see the bigger picture. When all this data is correlated and presented on a single screen, you can identify relationships and detect malicious activity across the enterprise. Seemingly isolated events from different security systems come together and are revealed to be part of a single incident attacking your organization.
This breadth of detection across the enterprise naturally drives a need for even deeper understanding and triggers further investigation. So, our modern definition of detection must also include the ability, within that shared view, to contextualize correlated data with internal enrichment sources, such as the identity of the impacted user. For instance, if targets include the finance department, human resources or the C-suite, this could indicate a more serious threat. External enrichment sources, such as frameworks like MITRE ATT&CK and third-party tools for DNS lookup and URL and malware analysis, show you whether data points from events share common indicators. Now you can begin to see the forest for the trees. You can understand whether your organization is facing a larger-scale campaign and which additional indicators, tactics and techniques to look for.
Evolving our definition of detection to encompass greater breadth and depth of understanding, through internal and external data aggregation, correlation and investigation, delivers the information we need to execute faster with confidence. That, in turn, impacts our definition of response. But that’s a topic for another article.
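The pipeline the two preceding paragraphs describe (aggregate atomic events from disparate tools, enrich them with subscribed threat data and with internal identity context, then correlate them into a single incident that carries ATT&CK context and flags high-value targets), as an added example that is not part of the original article or of any XDR product. Every event, threat-feed entry, directory entry and technique mapping below is constructed sample data; the linking rule (events join the same incident when they share a matched indicator or a host) is an assumption chosen for illustration, not a rule the article states.

```python
"""
Added illustrative example (not from the original article or any product):
a minimal event correlator. It aggregates atomic events from disparate
internal sources, enriches them with threat data and identity context, and
groups events that share a matched indicator or a host into one incident.
All feeds, events, directory entries and technique mappings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Atomic events as different tools would emit them (constructed sample data).
EVENTS = [
    {"id": 1, "source": "edr", "host": "ws-017", "user": "jdoe",
     "sha256": "CONSTRUCTED-HASH-0001", "process": "powershell.exe"},
    {"id": 2, "source": "proxy", "host": "ws-017", "user": "jdoe",
     "domain": "update-cdn.example", "dst_ip": "203.0.113.7"},
    {"id": 3, "source": "dns", "host": "ws-042", "user": "asmith",
     "domain": "update-cdn.example"},
    {"id": 4, "source": "siem", "host": "srv-db1", "user": "svc_backup",
     "dst_ip": "203.0.113.7"},
    {"id": 5, "source": "edr", "host": "ws-099", "user": "bchen",
     "sha256": "CONSTRUCTED-HASH-9999", "process": "excel.exe"},
]

# External enrichment: constructed threat feeds keyed by indicator type.
# Each hit records the reporting feed and an assumed ATT&CK technique ID.
THREAT_FEEDS = {
    "sha256": {"CONSTRUCTED-HASH-0001": {"feed": "commercial-A", "technique": "T1059.001"}},
    "domain": {"update-cdn.example": {"feed": "open-source-B", "technique": "T1071.001"}},
    "dst_ip": {"203.0.113.7": {"feed": "industry-ISAC", "technique": "T1071.001"}},
}

# Internal enrichment: constructed identity directory (user -> department).
DIRECTORY = {"jdoe": "finance", "asmith": "engineering",
             "svc_backup": "it-services", "bchen": "human-resources"}
HIGH_VALUE_DEPARTMENTS = {"finance", "human-resources", "executive"}


@dataclass
class Incident:
    events: list = field(default_factory=list)
    indicators: set = field(default_factory=set)
    techniques: set = field(default_factory=set)
    feeds: set = field(default_factory=set)
    high_value_targets: set = field(default_factory=set)


def enrich(event):
    """Augment one atomic event with threat-feed hits and the user's department."""
    out = dict(event)
    out["matches"] = []
    for key, feed in THREAT_FEEDS.items():
        hit = feed.get(event.get(key))
        if hit:
            out["matches"].append((key, event[key], hit["feed"], hit["technique"]))
    out["department"] = DIRECTORY.get(event.get("user"))
    return out


def correlate(events):
    """Group enriched events into incidents.

    Two events are linked when they share a matched indicator or a host.
    Union-find over those link keys gives the transitive closure, so an event
    carrying only domain Y lands with the event carrying hash X and domain Y.
    Events with no threat-feed hit are returned separately as unmatched.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    enriched = [enrich(e) for e in events]
    unmatched = [e for e in enriched if not e["matches"]]
    for ev in enriched:
        keys = [(k, v) for k, v, _, _ in ev["matches"]]
        if keys:
            keys.append(("host", ev["host"]))
        for other in keys[1:]:
            parent[find(keys[0])] = find(other)

    groups = defaultdict(Incident)
    for ev in enriched:
        if not ev["matches"]:
            continue
        inc = groups[find(("host", ev["host"]))]
        inc.events.append(ev["id"])
        for key, value, feed, technique in ev["matches"]:
            inc.indicators.add(f"{key}:{value}")
            inc.feeds.add(feed)
            inc.techniques.add(technique)
        if ev["department"] in HIGH_VALUE_DEPARTMENTS:
            inc.high_value_targets.add(f"{ev['user']} ({ev['department']})")
    return sorted(groups.values(), key=lambda i: min(i.events)), unmatched


if __name__ == "__main__":
    incidents, leftovers = correlate(EVENTS)
    for inc in incidents:
        print(f"events={inc.events} techniques={sorted(inc.techniques)} "
              f"feeds={sorted(inc.feeds)} high-value={sorted(inc.high_value_targets)}")
    print("unmatched event ids:", [e["id"] for e in leftovers])
```

Run as-is, the five events from four different tools collapse into one incident (events 1 through 4) that spans three hosts, three feeds and two ATT&CK techniques, with the finance user flagged as a high-value target; the EDR event on ws-099 has no threat-feed hit and stays outside the incident. In a real deployment the feeds and directory would be live lookups and the linking rule would be tuned per source, but the shape (enrich, then link on shared indicators, then roll up) is the part the article is describing.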