The threat detection process has never been a simple one, and it’s only becoming more complex. In fact, businesses experienced 50% more cyberattacks per week in 2021 than the year before.
The reasoning is an all too familiar story: threats are changing at a breakneck pace, security analysts are overwhelmed with hundreds of new incidents every day, and the use of multiple security tools makes correlating data a time-consuming, if not impossible, challenge.
How can organizations move forward? For CISOs and security leaders, the key will be implementing advanced threat detection techniques that can address unknown threats, reduce alert fatigue, and consolidate security tools.
It sounds like a tall order, but it is possible to automate, accelerate, and improve the process of finding and prioritizing threats. But it requires a blend of threat detection and response techniques to accomplish it.
Threat Detection Limits of MDR/XDR
Some of the most common threat detection processes are delivered through a Managed Detection and Response (MDR) service or an eXtended Detection and Response (XDR) solution. Both are designed to help security teams detect and respond to threats, but each has limitations that constrain what it can see and how it can act:
- Narrow Data Sources: MDR services and XDR solutions can be blind to some critical threat vectors because they often rely on a relatively narrow set of data sources.
- Vendor Lock-In: MDR providers and XDR solutions can eliminate your freedom to choose a preferred vendor, as many require vendor-specific security products.
- Lack of Key Security Features: They don’t offer a co-managed SIEM, or may lack other key features that you require.
In order to bypass the challenges of a traditional MDR or XDR solution, organizations are looking for a much more thorough and comprehensive approach to threat detection and response. One answer to the challenges and limitations many find in the threat detection process is SOC-as-a-Service, which includes a co-managed, next-gen SIEM platform.
Mixing and Matching: Advancing the Threat Detection Process
Most security information and event management (SIEM) platforms use one, sometimes two or three, techniques in their threat detection process. Typically these are basic correlations or simple signatures that identify unusual spikes in activity or known attacks, such as malware, ransomware, and phishing.
Threat Detection and Response Techniques
Though important components of threat detection, these methods, on their own, are prone to false positives and are not comprehensive enough to detect advanced or unknown forms of attack. Further, if you have the output of each of those techniques and tools going directly to a human analyst without filtering, real threats get lost in the noise while innocent activity gets the attention.
The best results can be achieved by pulling together a number of techniques to find specific patterns of threats. There are five main techniques that can be combined based on the use case to improve threat detection and response.
Cyber Intelligence-Based Threat Detection Techniques
In this context, cyber intelligence (threat intelligence) is used to compare observed activity in an environment, for example firewall logs or new files being written to a computer, against known sources of bad activity. It is a denylisting (blacklisting) technique, with information sourced from research organizations, sandbox analysis, known phishing sites, and other libraries of known-bad indicators. Cyber intelligence is most effective when each match is correlated and viewed in context with other rules, because indicators age: an IP address that hosted malicious infrastructure last month may have been reassigned since, as IPs rotate quickly in and out of use. With cyber intel alone, a connection to that address would be flagged for review when, in fact, there is nothing suspicious to see.
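The following is an added example, not code from the original article or from Cysiv, showing how indicator matching can carry the context the paragraph above asks for. The feed entries, log lines, field names and the 30-day staleness window are all constructed for illustration: a match against a fresh indicator is alerted, while a match against an IP the feed has not confirmed for months is kept as context rather than raised to an analyst.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Ioc:
    """One indicator from a threat-intel feed (constructed schema, not a real feed format)."""
    value: str
    kind: str           # "ip", "domain" or "sha256"
    source: str
    last_seen: datetime  # when the source last confirmed the indicator as malicious
    confidence: int      # 0-100 as published by the feed (assumed field)


# Constructed feed: two IPs, a phishing domain and a file hash.
FEED = [
    Ioc("203.0.113.7", "ip", "sandbox-report", datetime(2022, 3, 1), 90),
    Ioc("198.51.100.23", "ip", "open-blocklist", datetime(2021, 9, 1), 70),
    Ioc("login-verify.example", "domain", "phish-tracker", datetime(2022, 3, 10), 95),
    Ioc("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha256", "sandbox-report", datetime(2022, 3, 5), 99),
]

# Constructed firewall, DNS and endpoint log lines in a key=value layout (assumed format).
LOGS = [
    "ts=2022-03-12T10:00:00 type=fw src=10.0.0.5 dst=203.0.113.7 dport=443",
    "ts=2022-03-12T10:00:05 type=fw src=10.0.0.9 dst=198.51.100.23 dport=80",
    "ts=2022-03-12T10:01:00 type=dns src=10.0.0.5 query=login-verify.example",
    "ts=2022-03-12T10:02:00 type=file host=wks-05 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2022-03-12T10:03:00 type=fw src=10.0.0.7 dst=192.0.2.1 dport=22",
]

IP_STALE_AFTER = timedelta(days=30)   # assumed: IP indicators older than this start to decay
ALERT_THRESHOLD = 50                  # assumed: weighted score needed to raise an alert


def parse(line):
    """Split a key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def age_factor(ioc, now):
    """Decay confidence for IP indicators as they age; domains and hashes keep full weight."""
    if ioc.kind != "ip":
        return 1.0
    age = now - ioc.last_seen
    if age <= IP_STALE_AFTER:
        return 1.0
    # Linear decay to zero over the 90 days after the staleness window (assumed policy).
    return max(0.0, 1.0 - (age - IP_STALE_AFTER).days / 90)


def match_logs(logs, feed, now):
    """Match log fields against the feed and weight each hit by the indicator's freshness."""
    index = {(ioc.kind, ioc.value): ioc for ioc in feed}
    hits = []
    for line in logs:
        rec = parse(line)
        candidates = []
        if "dst" in rec:
            candidates.append(("ip", rec["dst"]))
        if "query" in rec:
            candidates.append(("domain", rec["query"]))
        if "sha256" in rec:
            candidates.append(("sha256", rec["sha256"]))
        for key in candidates:
            ioc = index.get(key)
            if ioc is None:
                continue
            score = round(ioc.confidence * age_factor(ioc, now))
            hits.append({
                "ts": rec["ts"],
                "indicator": ioc.value,
                "kind": ioc.kind,
                "source": ioc.source,
                "score": score,
                "action": "alert" if score >= ALERT_THRESHOLD else "context-only",
            })
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, FEED, datetime(2022, 3, 12)):
        print(hit)
```

Run against the constructed logs on 2022-03-12, the fresh IP, the phishing domain and the file hash are alerted, while the connection to 198.51.100.23 (last confirmed in September 2021) scores zero and is retained only as context for other rules to correlate.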
Signature-Based Threat Detection Techniques
Signature-based detection techniques match all or some attributes of an object, such as a file hash, a byte pattern, or a string in a URL, to a known bad object. It is a common and simple method for identifying a known bad that was not blocked and elevating it to a detection in need of immediate review. Signature-based methods are most commonly associated with finding malware and ransomware, but fixed rules of the same kind can also flag suspicious activity, such as a user copying large volumes of data to a USB device.
Behavior-Based Threat Detection Techniques
Behavior-based detection techniques match some type of digital pattern, footprint, human activity, or network behavior to known bad behavior. Behavioral techniques are commonly linked to detecting insider threats. If a user normally accesses 10-20 CRM records per day and one day accesses 1,000 records, that anomalous behavior should be investigated. It could be nefarious, or it could be related to a unique event happening at the organization. It’s an interesting piece of information that when matched with other detection techniques can be flagged as suspicious or recognized as acceptable activity.
Statistics-Based Threat Detection Techniques
Statistics-based detection techniques use clustering, grouping, stack counting, baseline and variation, outlier detection, logistic regression, and other methods to detect anomalous activity. This technique is often used to detect brute force attempts. One successful login out of 100 failed attempts is likely a machine program going through and guessing someone’s password, not an individual who simply forgot.
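The two numeric cases above, the user who normally reads 10-20 CRM records and one day reads 1,000 (Behavior-Based) and the one successful login among 100 failures (Statistics-Based), as an added example that is not code from the original article or from Cysiv. The daily counts, the authentication log lines and the thresholds are constructed; the per-user baseline uses the median and median absolute deviation (MAD), scaled by 0.6745 so the score reads like a z-score for normal data, which keeps a single extreme day from inflating the user's own baseline.

```python
import statistics
from collections import defaultdict

# Constructed: records read per user per day; the last entry is "today".
CRM_DAILY = {
    "alice": [12, 15, 18, 11, 20, 14, 16, 13, 1000],   # the anomaly from the text
    "bob":   [50, 60, 55, 58, 62, 57, 53, 59, 61],     # busier user, but consistent
}


def behavior_outliers(daily, min_history=7, threshold=3.5):
    """Flag today's count for each user when it deviates from that user's own history by
    more than `threshold` robust z-scores. Each user is judged against their own baseline,
    so a user who normally reads 50 records is not flagged for reading 60."""
    findings = []
    for user, counts in daily.items():
        history, today = counts[:-1], counts[-1]
        if len(history) < min_history:
            continue   # not enough history to establish a baseline
        med = statistics.median(history)
        mad = statistics.median(abs(c - med) for c in history) or 1.0
        z = 0.6745 * (today - med) / mad
        if abs(z) > threshold:
            findings.append({"user": user, "today": today,
                             "baseline": med, "robust_z": round(z, 1)})
    return findings


def build_auth_log():
    """Constructed authentication log: 100 failures then one success from one source,
    and a single typo-then-success from an internal address."""
    lines = [f"2022-03-12T01:00:{i:02d} src=198.51.100.8 user=alice result=fail"
             for i in range(60)]
    lines += [f"2022-03-12T01:01:{i:02d} src=198.51.100.8 user=alice result=fail"
              for i in range(40)]
    lines.append("2022-03-12T01:02:00 src=198.51.100.8 user=alice result=success")
    lines.append("2022-03-12T09:01:00 src=10.0.0.5 user=bob result=fail")
    lines.append("2022-03-12T09:01:20 src=10.0.0.5 user=bob result=success")
    return lines


def brute_force_sources(lines, min_failures=20, min_ratio=10.0):
    """Stack-count login outcomes per source address. A source whose failures outnumber its
    successes by `min_ratio` is guessing; if it then succeeded, the guess likely worked."""
    counts = defaultdict(lambda: {"fail": 0, "success": 0, "users": set()})
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        entry = counts[fields["src"]]
        entry[fields["result"]] += 1
        entry["users"].add(fields["user"])
    findings = []
    for src, entry in counts.items():
        if entry["fail"] < min_failures:
            continue   # a forgotten password does not reach this volume
        ratio = entry["fail"] / max(entry["success"], 1)
        if ratio >= min_ratio:
            findings.append({"src": src, "failures": entry["fail"],
                             "successes": entry["success"],
                             "users": sorted(entry["users"]),
                             "severity": "high" if entry["success"] else "medium"})
    return findings


if __name__ == "__main__":
    print(behavior_outliers(CRM_DAILY))
    print(brute_force_sources(build_auth_log()))
```

Only alice's 1,000-record day and the 198.51.100.8 source are returned; bob's single failed attempt and his slightly busier day are below both thresholds. A "high" severity here means a guessing source eventually authenticated, which is the case the text singles out.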
Algorithm-Based Threat Detection Techniques
Algorithm-based detection uses machine learning techniques, such as supervised learning, unsupervised learning, or deep learning, to detect malicious or anomalous activity and predict attacks. It would be impossible to keep a list of every possible type of attack. Instead, a model learns what normal activity looks like, for example which process paths and parent-child process relationships are typical on a host, and flags departures from that norm; supervised models trained on labeled malicious and benign samples can also classify activity that matches no existing signature. This allows both the prediction of new attacks and the identification of anomalies against a learned baseline.
Threat Detection Techniques in Action
The above techniques can be used in combination, depending on the use case. Detecting an insider threat will use a different combination of techniques than what would be used to detect a phishing attack, malware, or server, network, and cloud threats.
Threat Detection Process Example
The key is to be able to combine the techniques in a flexible way to improve the quality and confidence of detections. For example, the following pattern would be flagged using a blend of techniques:
+ suspicious email received
+ suspicious PDF attachment opened
+ process created
+ communication port opened
The sequence shows that something is going on that probably warrants closer investigation.
Combining user and entity behavior analytics (UEBA) to look at patterns of human behavior, and then applying algorithms and statistical analysis to detect meaningful anomalies from those patterns, would indicate that a phishing attack leading to a potential malware infection is underway.
User and entity behavior analytics establishes a baseline for what “normal” authorized activity looks like and uses that baseline to flag departures from it. For example, by recording what kinds of data a user typically accesses, when they usually log on, and from where, the threat detection process becomes much easier. If your system identifies an attempted login at 1:00 am from Tokyo by a user who generally works from 9:00 am - 5:00 pm and does not travel for business, this activity can be flagged as a potential threat.
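The login-hour and location baseline described above, as an added example that is not code from the original article or from Cysiv. The login history is constructed (one user with thirty daytime logins from one country, one user with too little history to judge), and the one-hour tolerance around the observed working hours and the "two anomalies together make a potential threat" rule are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login history: (user, local timestamp, country code).
# carol logs in at 09:00, 13:00 and 17:00 from the US for ten days; dave has two logins.
HISTORY = [("carol", f"2022-03-{d:02d}T{h:02d}:00:00", "US")
           for d in range(1, 11) for h in (9, 13, 17)]
HISTORY += [("dave", "2022-03-01T10:00:00", "US"), ("dave", "2022-03-02T10:30:00", "US")]


def build_baseline(history, min_events=10):
    """Per user, record the earliest and latest login hour seen and the set of countries.
    Users with fewer than `min_events` logins get no baseline rather than a noisy one."""
    agg = defaultdict(lambda: {"hours": [], "countries": set()})
    for user, ts, country in history:
        agg[user]["hours"].append(datetime.fromisoformat(ts).hour)
        agg[user]["countries"].add(country)
    baseline = {}
    for user, a in agg.items():
        if len(a["hours"]) < min_events:
            continue
        baseline[user] = {"start": min(a["hours"]), "end": max(a["hours"]),
                          "countries": a["countries"]}
    return baseline


def score_login(baseline, user, ts, country, tolerance_hours=1):
    """Compare one login against the user's baseline. One deviation is worth a look;
    off-hours and a new location together are flagged as a potential threat."""
    b = baseline.get(user)
    if b is None:
        return {"user": user, "verdict": "no-baseline", "reasons": []}
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if hour < b["start"] - tolerance_hours or hour > b["end"] + tolerance_hours:
        reasons.append(f"off-hours login at {hour:02d}:00 "
                       f"(usual {b['start']:02d}:00-{b['end']:02d}:00)")
    if country not in b["countries"]:
        reasons.append(f"new location {country} (usual {sorted(b['countries'])})")
    verdict = {0: "normal", 1: "review", 2: "potential-threat"}[len(reasons)]
    return {"user": user, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_login(base, "carol", "2022-03-12T01:00:00", "JP"))   # the case from the text
    print(score_login(base, "carol", "2022-03-12T08:30:00", "US"))   # slightly early, same place
    print(score_login(base, "dave", "2022-03-12T01:00:00", "JP"))    # no baseline yet
```

Note the third case: with only two logins on record, dave's 1:00 am login from Japan is not scored at all. Reporting "no-baseline" separately, instead of treating an empty history as "normal", is what stops a freshly onboarded account from silently passing this check.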
Automating the Threat Detection Process
Addressing the overload of data within a security operations center (SOC) requires a data pipeline that can be used to isolate the threats that need to be investigated further, quickly and consistently. This is the entire premise behind Cysiv’s two-stage threat detection engine, which leverages multiple techniques to accelerate and automate the process of identifying potential threats that truly warrant human investigation.
One of the most important elements of Cysiv’s automated threat detection process and analysis is its ability to utilize a broad range of relevant data sources within your organization. Security logs are an important input to the threat detection process. But alone, they’re not enough. Important signals of an attack might be picked up in an application, in enterprise infrastructure, or from cloud infrastructure. And valuable context can be derived from other related data sources.
That’s why Cysiv SOC-as-a-Service ingests a broad range of telemetry and other data sources you’ve already invested in, and stores and processes them at cloud scale. This improves the quality of, and confidence in, the threats detected, and dramatically shortens dwell time and mean time to detect (MTTD), investigate, and respond to threats.
The Cysiv Answer for Threat Detection and Response
The Cysiv platform has a unique indicator-detection engine that leverages these five detection techniques. The engine automatically prioritizes security incidents based on the highest severity detections, focusing attention on the investigation of the most critical detections first, thus streamlining the analyst workload.
The two-stage engine first aggregates logs into indicators to identify suspicious activity. An indicator, by itself, is not normally enough to raise an alert or require a response, but it can contribute to a detection. This drastically reduces false positives. The second step is converting indicators to detections. The engine is trigger-based, operating in real time to alert analysts immediately of a suspicious sequence of activity. In both stages, the platform uses a blend of detection techniques depending on the situation. The approach makes all the difference in ensuring that information is timely and relevant, while also being able to batch process tens of millions of logs an hour.
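To make the two-stage shape concrete, here is an added example that is not Cysiv's engine or any of its rules: a small Python pipeline over constructed log lines in which stage one reduces raw events to weighted indicators and stage two correlates them per host into a detection ranked by severity. It walks the phishing chain from earlier on the page (suspicious email, PDF attachment opened, process created, communication port opened). The rule names, weights, field names, the 15-minute window and the "three chain steps in order" threshold are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed reference data: a (constructed) intel entry and the process names the rules key on.
BAD_SENDER_DOMAINS = {"login-verify.example"}
MAIL_CLIENTS = {"outlook.exe"}
DOC_READERS = {"acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# The chain of indicators that together describe a phishing-led compromise.
CHAIN = ["suspicious_email", "attachment_opened", "reader_spawned_shell", "unusual_outbound_port"]
WINDOW = timedelta(minutes=15)   # assumed correlation window

# Constructed events in an assumed "timestamp key=value ..." layout.
LOG = """\
2022-03-12T10:00:00 type=mail host=wks-05 sender_domain=login-verify.example subject=Invoice
2022-03-12T10:02:10 type=file_open host=wks-05 parent=outlook.exe path=C:\\Users\\u\\Downloads\\invoice.pdf
2022-03-12T10:02:40 type=process host=wks-05 parent=acrord32.exe image=powershell.exe
2022-03-12T10:03:05 type=net host=wks-05 direction=outbound dst=203.0.113.7 dport=4444
2022-03-12T10:05:00 type=file_open host=wks-09 parent=outlook.exe path=C:\\Users\\v\\Downloads\\report.pdf
2022-03-12T10:05:30 type=net host=wks-09 direction=outbound dst=93.184.216.34 dport=443
2022-03-12T11:30:00 type=process host=wks-11 parent=acrord32.exe image=cmd.exe
"""


@dataclass
class Indicator:
    ts: datetime
    entity: str     # the host the activity is tied to
    name: str
    weight: int
    evidence: str   # the raw line, kept for the analyst


def parse(line):
    ts, *kvs = line.split()
    e = dict(kv.split("=", 1) for kv in kvs)
    e["ts"] = datetime.fromisoformat(ts)
    if "dport" in e:
        e["dport"] = int(e["dport"])
    return e


# Stage-one rules: each returns (indicator name, weight) or None. Intel, signature and
# behavior techniques each contribute one rule here.
def rule_suspicious_email(e):
    if e["type"] == "mail" and e["sender_domain"] in BAD_SENDER_DOMAINS:
        return ("suspicious_email", 2)
    return None

def rule_attachment_opened(e):
    if e["type"] == "file_open" and e["path"].lower().endswith(".pdf") \
            and e["parent"].lower() in MAIL_CLIENTS:
        return ("attachment_opened", 1)
    return None

def rule_reader_spawned_shell(e):
    if e["type"] == "process" and e["parent"].lower() in DOC_READERS \
            and e["image"].lower() in SHELLS:
        return ("reader_spawned_shell", 3)
    return None

def rule_unusual_port(e):
    if e["type"] == "net" and e["direction"] == "outbound" and e["dport"] not in (80, 443):
        return ("unusual_outbound_port", 2)
    return None

RULES = [rule_suspicious_email, rule_attachment_opened, rule_reader_spawned_shell, rule_unusual_port]


def stage1_indicators(lines):
    """Reduce raw events to weighted indicators. No single indicator alerts on its own."""
    out = []
    for line in lines:
        e = parse(line)
        for rule in RULES:
            hit = rule(e)
            if hit:
                out.append(Indicator(e["ts"], e["host"], hit[0], hit[1], line))
    return out


def stage2_detections(indicators, min_steps=3):
    """Per host, look for at least `min_steps` distinct chain steps occurring in chain order
    within WINDOW; emit one detection whose severity is the summed indicator weight."""
    by_host = defaultdict(list)
    for ind in indicators:
        by_host[ind.entity].append(ind)
    detections = []
    for host, items in by_host.items():
        items.sort(key=lambda i: i.ts)
        for start in range(len(items)):
            seen, last_step = [], -1
            for ind in items[start:]:
                if ind.ts - items[start].ts > WINDOW:
                    break
                step = CHAIN.index(ind.name)
                if step > last_step:      # only accept steps that advance the chain
                    seen.append(ind)
                    last_step = step
            if len(seen) >= min_steps:
                detections.append({"host": host, "first_seen": seen[0].ts,
                                   "steps": [i.name for i in seen],
                                   "severity": sum(i.weight for i in seen)})
                break                     # one detection per host per window
    return sorted(detections, key=lambda d: d["severity"], reverse=True)


if __name__ == "__main__":
    inds = stage1_indicators(LOG.splitlines())
    for d in stage2_detections(inds):
        print(d)
```

Six indicators come out of stage one, but only wks-05 produces a detection: wks-09 merely opened a PDF from its mail client and talked to port 443, and wks-11's reader-spawned shell, although the heaviest single indicator, has nothing around it to corroborate it. Both stay available as indicators for an analyst or a later detection to pick up, which is how the indicator layer absorbs noise that would otherwise reach the queue as false positives.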
Cysiv SOC-as-a-Service doesn’t stop at threat detection; it identifies and mitigates risks through a series of threat detection and response steps:
Detect: Use an advanced, multi-stage threat detection engine and a blend of techniques to weed out false positives and identify true threats—the ones that warrant deeper human investigation.
Investigate: Investigate these threats and escalate the confirmed incidents, in accordance with the appropriate service level agreement, and follow the preferred escalation procedure.
Hunt: Conduct human-led threat hunting exercises that augment the automated threat detection process. These exercises should be prioritized based on your company profile, critical assets, prevalent threat actors, current threat intelligence, high-risk TTPs, and other input you provide. Malicious findings are then escalated to you.
Respond: Based on the nature of the security incident, actively take pre-approved containment and remediation measures. It’s best practice to also make the policy or security control changes needed to prevent similar security incidents from recurring.
Optimize Your Threat Detection Process with Cysiv
As CISOs and security teams plan for the future, having a solution that can detect targeted attacks, ransomware, zero-day exploits, malware, and attacker behavior will be critical. Just as important is having a modern SOC platform that makes it possible to filter down to a manageable number of high-quality, high-fidelity threats in need of an analyst’s attention.
Cysiv SOC-as-a-Service combines a next-gen SIEM and experts with enterprise telemetry to deliver 24/7 threat detection and response. Download our white paper for a deeper look at how Cysiv incorporates multiple detection techniques into our SOC-as-a-Service offering, or contact us to schedule a demo.