For years the security industry has been focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness. And that still holds true. The more threats we block, the fewer we have to deal with inside the network. We must continue to innovate and work diligently to get that number as close to 100 percent as possible. But that’s the catch.
Even as more effective and sophisticated security defenses emerge to thwart attackers, it has become clear that point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.
Exploit kits, ransomware, and advanced malware are just a few examples of these innovative tactics. Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [discussed in a previous column] to stay below the radar.
Ransomware has become highly lucrative for hackers as they continually release new variants to dodge defenses. Ransomware operations have matured to the point that they are completely automated through the anonymous web network, Tor, and use encryption to evade detection. And to conceal payment transactions from law enforcement, ransoms are paid in cryptocurrencies. Dridex is a quickly mutating campaign that demonstrates a sophisticated understanding of how to evade security measures. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, or referrers. They launch the campaign again, forcing traditional antivirus systems to detect it anew.
The innovation race between attackers and security vendors will continue. And this dynamic creates a significant problem for organizations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel. They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not and cannot work together. History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks. To get a more realistic assessment of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more important: time to detection.
Time to detection (TTD) is the window of time between the first observation of a file and the detection that it is a threat. This gap exists because cybercriminals use tactics that let a file slip through defenses as ‘unknown’; only later does it exhibit behaviors that are malicious. Based on various reports, the current industry standard for time to detection is 200 days. That’s far too long. By the time a breach is discovered, credit card data, bank account information, credentials, you name it, have been compromised.
To catch these types of threats retrospective capabilities must become part of our defenses. These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices, and remediate.
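The two ideas above, TTD as a metric and retrospective trajectory and quarantine, can be made concrete on sensor telemetry. The following is an added example, not code from the column or from any vendor product; the events, host names and the "file-A"/"file-B" identifiers are constructed placeholders.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry (not from the column): each tuple records the moment a
# host first observed a file and the verdict the sensor assigned at that moment.
# "file-A" and "file-B" are placeholder identifiers standing in for file hashes.
EVENTS = [
    ("2023-01-02T09:00:00", "ws-finance-01", "file-A", "unknown"),
    ("2023-01-03T14:30:00", "ws-hr-07",      "file-A", "unknown"),
    ("2023-01-04T10:00:00", "ws-dev-03",     "file-B", "unknown"),
    ("2023-01-05T11:00:00", "srv-files-02",  "file-A", "malicious"),  # verdict flips
    ("2023-01-06T08:00:00", "ws-hr-07",      "file-A", "malicious"),
]

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def file_trajectory(events, file_id):
    """Chronological list of (timestamp, host, verdict) for one file across the estate."""
    rows = [(_parse(ts), host, verdict) for ts, host, fid, verdict in events if fid == file_id]
    return sorted(rows)

def time_to_detection(events, file_id) -> Optional[timedelta]:
    """TTD as the column defines it: first observation anywhere to first malicious verdict.
    Returns None while the file is still only 'unknown' (no detection yet)."""
    traj = file_trajectory(events, file_id)
    if not traj:
        return None
    first_seen = traj[0][0]
    detected = [ts for ts, _, verdict in traj if verdict == "malicious"]
    if not detected:
        return None
    return min(detected) - first_seen

def hosts_to_quarantine(events, file_id):
    """Every host on the file's trajectory once it is known malicious, including those
    that saw it while it was still 'unknown' (the retrospective part)."""
    if time_to_detection(events, file_id) is None:
        return set()
    return {host for _, host, _ in file_trajectory(events, file_id)}

if __name__ == "__main__":
    for fid in ("file-A", "file-B"):
        print(fid, "TTD:", time_to_detection(EVENTS, fid),
              "quarantine:", sorted(hosts_to_quarantine(EVENTS, fid)))
```

For "file-A" the TTD is 3 days 2 hours and all three hosts that ever saw the file are flagged, including the two that observed it while it was still "unknown"; "file-B" has no detection yet, so its TTD is still open.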
Retrospective security can only happen with an integrated threat defense that allows multiple security technologies to work together, sharing information to combat multifaceted attacks. An integrated threat defense not only accelerates TTD and response, but also enhances our front line defenses, updating policies as we uncover threats inside the network to eliminate the risk of re-infection.
Of course, stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now also be measured by how quickly we detect a compromise and stop the attacker from exploiting it.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.