How Threat Detection is Evolving

As adversaries have shifted the focus of attacks to achieve their goals, defenders must evolve their approach to threat detection

The threat landscape is dynamic and ever changing. Adversaries are evolving their approaches and targets. Mark Harris from Gartner has said it best, in my opinion: adversaries have shifted the focus of attacks to achieve their goals – from infecting files to infecting systems, and now to infecting entire enterprises. As defenders we have to evolve our approach to detection accordingly: from tracking files and hashes and relying on signatures to block early threats, to tracking additional indicators to protect against more sophisticated attacks. Now, adversaries are infiltrating organizations and moving laterally to accomplish their mission, be it to conduct reconnaissance surreptitiously and launch attacks later, simultaneously lock down endpoints and servers for ransom, use one enterprise as an entry point into another, overwhelm systems to disrupt services for legitimate users, or hijack computing resources to conduct nefarious activity. The list goes on and on.

So, we must continue to evolve our approach to detection. It is no longer just about finding the one control point or system where the attack is being triggered. Multiple points across the enterprise are involved so you need to be able to connect the dots. Detection now requires a breadth and depth of information from disparate systems and sources, with data and actions brought into a single view, so you can gain a comprehensive understanding of the threat you are facing and know what you must defend. 

Extended Detection and Response (XDR) is generating a great deal of interest right now as a way to enable detection and response across the enterprise. If we focus on the extended detection aspect of XDR, the goal is to combine data from disparate sources, both internal and external, and connect atomic events from individual systems into a single incident. As Frost & Sullivan points out, “Since organizations typically follow a best-of-breed strategy, integrations are truly imperative to fulfilling the XDR vision.” All systems and sources must be able to work together. Pulling the right data from the right tools allows you to validate the detection and, ultimately, respond effectively.

Sounds straightforward, but it’s actually a seismic shift in detection capabilities. On their own, events from all internal data sources, including your SIEM system, log management repository, case management system and security infrastructure – on premises and in the cloud – appear to be independent. But if you can aggregate this data and then augment and enrich it automatically with threat data from the multiple sources you subscribe to – commercial, open source, government, industry and existing security vendors – you start to see the bigger picture. When all this data is correlated and presented on a single screen, you can identify relationships and detect malicious activity across the enterprise. Seemingly isolated events from different security systems come together and are revealed to be part of a single incident attacking your organization.

This breadth of detection across the enterprise naturally drives a need for even deeper understanding and triggers further investigation. So, our modern definition of detection must also include the ability, within that shared view, to contextualize correlated data with internal enrichment sources, such as the identity of the impacted user. For instance, if targets include the finance department, human resources or the C-suite, this could indicate a more serious threat. External enrichment sources, such as frameworks like MITRE ATT&CK and third-party tools for DNS lookup and URL and malware analysis, show you whether data points from events share common indicators. Now you can begin to see the forest for the trees. You can understand whether your organization is facing a larger-scale campaign and which additional indicators, tactics and techniques to look for.
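As an added illustration, not code from the column or from any vendor product, here is a minimal Python sketch of the correlate-then-enrich step described above: atomic events from three tools are joined into incidents wherever they share an indicator, then enriched with threat-intel hits and the impacted user’s department to derive a severity. The event fields, the threat-intel entries, the user directory, the sensitive-department list and the shortened hash are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: atomic events from three different tools, a tiny
# threat-intel feed and an identity directory. Nothing here is real.
EVENTS = [
    {"source": "edr",   "host": "ws-042", "user": "jdoe", "sha256": "aa11"},  # placeholder hash
    {"source": "proxy", "host": "ws-042", "dest_ip": "203.0.113.7"},
    {"source": "auth",  "host": "fs-01",  "user": "jdoe", "event": "remote_logon"},
    {"source": "proxy", "host": "ws-017", "dest_ip": "198.51.100.9"},
]
THREAT_INTEL = {"203.0.113.7": "C2 infrastructure (constructed feed)",
                "aa11": "loader sample (constructed feed)"}
DIRECTORY = {"jdoe": "finance", "asmith": "engineering"}
SENSITIVE_DEPARTMENTS = {"finance", "human resources", "executive"}

def pivot_keys(event):
    """Indicators on which events from different tools can be joined (assumed field names)."""
    return {(k, event[k]) for k in ("host", "user", "sha256", "dest_ip") if k in event}

def correlate(events):
    """Union-find over shared indicators: events sharing any pivot key land in one incident."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}
    for idx, ev in enumerate(events):
        for key in pivot_keys(ev):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    groups = defaultdict(list)
    for idx, ev in enumerate(events):
        groups[find(idx)].append(ev)
    return list(groups.values())

def enrich(incident):
    """Attach threat-intel hits and identity context, then derive a severity."""
    indicators = {v for _, v in set().union(*map(pivot_keys, incident))}
    hits = sorted(THREAT_INTEL[v] for v in indicators if v in THREAT_INTEL)
    departments = {DIRECTORY.get(ev["user"], "unknown") for ev in incident if "user" in ev}
    severity = "low"
    if hits:  # intel match on a sensitive department's user is the highest priority
        severity = "high" if departments & SENSITIVE_DEPARTMENTS else "medium"
    return {"sources": sorted({ev["source"] for ev in incident}), "intel_hits": hits,
            "departments": sorted(departments), "severity": severity}

def build_incidents(events=EVENTS):
    return [enrich(inc) for inc in correlate(events)]
```

With the constructed input, the EDR, proxy and authentication events on ws-042 and jdoe collapse into one high-severity incident, while the lone proxy event on ws-017 stays a low-severity singleton.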

Evolving our definition of detection to encompass greater breadth and depth of understanding, through internal and external data aggregation, correlation and investigation, delivers the information we need to execute faster with confidence. That, in turn, changes our definition of response. But that’s a topic for another article.

Related: XDR is a Destination, Not a Solution

Related: Three Approaches to an XDR Architecture

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
