Threat detection has never been a simple process, and it’s only becoming more complex. According to the Enterprise Strategy Group (ESG), 76% of cybersecurity professionals say that threat detection and response is more difficult today than it was two years ago.
The reasoning is an all too familiar story: threats are changing at a breakneck pace, security analysts are overwhelmed with hundreds of new incidents every day, and the use of multiple security tools makes correlating data a time-consuming, if not impossible, challenge.
How can organizations move forward? For CISOs and security leaders, the key will be implementing advanced threat detection engines that can address unknown threats, reduce alert fatigue, and consolidate security tools.
It sounds like a tall order, but it is possible to automate, accelerate, and improve the process of finding and prioritizing threats. But it requires a blend of detection techniques to accomplish it.
Mixing and Matching: Advancing the Threat Detection Process
Most security information and event management (SIEMs) platforms use one, sometimes two or three, techniques within their threat detection process. Typically, these are basic correlations or simple signatures that can identify unusual spikes in activity or known attacks, such as malware, ransomware, and phishing threats.
Though important components of threat detection, these methods, on their own, are prone to false positives and are not comprehensive enough to detect advanced or unknown forms of attack. Further, if you have the output of each of those techniques and tools going directly to a human analyst without filtering, real threats get lost in the noise while innocent activity gets the attention.
The best results can be achieved by pulling together a number of techniques to find specific patterns of threats. There are five main techniques that can be combined based on the use case to improve threat detection and response.
- Cyber Intelligence is the act of comparing known activities in an environment — for example, firewall logs or new files being generated on a computer — to known sources of bad activity. It is a black listing technique, with information sourced from research organizations, sandbox analysis, known phishing sites, and other libraries of known bad activity. Cyber intelligence is most effectively used when each of these objects can be correlated and viewed in context with other rules. What was once a bad IP address, for example, may no longer be, as IPs rotate very quickly in and out of usage. With cyber intel alone, this could be flagged for review when, in fact, there is nothing suspicious to see.
- Signature-based detection techniques match all or some attributes of an object to a known bad object. It is a common and simple method for identifying a known bad that was not blocked and elevating it to a detection in need of immediate review. Signature-based methods are most commonly associated with finding malware and ransomware, but also can be used to identify suspicious network activity, such as a user downloading large volumes of data to a USB.
- Behavior-based detection techniques match some type of digital pattern, footprint, human activity, or network behavior to known bad behavior. Behavioral techniques are commonly linked to detecting insider threats. If a user normally accesses 10-20 CRM records per day and one day accesses 1,000 records, that’s anomalous behavior likely worth investigating. It could be nefarious, or it could be related to a unique event happening at the organization. It’s an interesting piece of information that when matched with other detection techniques can be flagged as suspicious or recognized as acceptable activity.
- Statistics-based detection techniques use clustering, grouping, stack counting, baseline and variation, outlier detection, logistic regression, and other methods to detect anomalous activity. This technique is often used to detect brute force attempts. One successful login out of 100 failed attempts is likely a machine program going through and guessing someone’s password, not an individual who simply forgot.
- Algorithm-based detection uses machine learning techniques, such as supervised or unsupervised learning or deep learning, to detect malicious or anomalous activity and predict attacks. It would be impossible to keep a list of every possible type of attack. Algorithms look for the fingerprints of what appears to be a suspicious process path being executed on a machine. Algorithms are trained to sort through data and understand the possibilities of that information, allowing for prediction of new attacks and determining what normal activity looks like to identify anomalies.
Detection in Action
The above techniques can be used in combination, depending on the use case. Detecting an insider threat will use a different combination of techniques than what would be used to detect a phishing attack, malware, or server, network, and cloud threats.
The key is to combine the techniques in a flexible way to improve the quality and confidence of detections.
The key is to be able to combine the techniques in a flexible way to improve the quality and confidence of detections. For example, the following pattern would be flagged: suspicious email received + suspicious PDF attachment opened + process created + communication port opened. The sequence shows that something is going on that probably warrants closer investigation.
Combining user and entity behavior analytics (UEBA) to look at patterns of human behavior, and then applying algorithms and statistical analysis to detect meaningful anomalies from those patterns, would indicate that a phishing attack leading to a potential malware infection is underway.
Automating the Process
Addressing the overload of data within a security operations center (SOC) requires building a data pipeline that can isolate the threats that need to be investigated further, quickly and consistently. This is the entire premise behind Cysiv’s threat detection engine, which leverages multiple techniques to accelerate and automate the process of identifying potential threats that truly warrant human investigation.
The Cysiv platform has a unique indicator-detection engine that leverages these five detection techniques. The engine automatically prioritizes security incidents based on the highest severity detections, focusing attention on the investigation of the most critical detections first, thus streamlining the analyst workload.
The two-step engine first aggregates logs into indicators to identify suspicious activity. An indicator, by itself, is not normally enough to raise an alert or require a response, but it can contribute to a detection. This drastically reduces false positives. The second step is converting indicators to detections. The engine is trigger-based, operating in real time to alert analysts immediately of a suspicious sequence of activity. In both stages, the platform uses a blend of detection techniques depending on the situation. The approach makes all the difference in ensuring that information is timely and relevant, while also being able to batch process tens of millions of logs an hour.
As CISOs and security teams plan for the future, having a solution that can detect targeted attacks, ransomware, zero-day exploits, malware, and attacker behavior will be critical. Just as important is having a modern SOC platform that makes it possible to filter down to a manageable number of high-quality, high-fidelity threats in need of an analyst’s attention.
Download our white paper for a deeper look at how Cysiv incorporates multiple detection techniques into our SOC-as-a-Service offering.