
By Mike Rothman

The more things change, the more they stay the same. We have been talking about Reacting Faster and Better for years and we will continue to do so, because trying to prevent every attack is and will remain futile. The best path forward is to continue advancing the ability to prevent attacks, while spending just as much time on detecting the attacks that successfully compromise your defenses. This detection-centric view of the world has been a central theme in our research; it highlights a variety of areas to focus on – including the network, endpoints, and applications.

We know many organizations have already spent a bunch of money on detection – particularly intrusion detection, its big brother intrusion prevention, and SIEM. But these techniques haven’t worked effectively either, so now is the time to approach the issue with fresh eyes. By taking a new forward look at detection, not from the standpoint of what we have already done and implemented (IDS and SIEM), but instead in terms of what we need to do to isolate and identify adversary activity, we will be able to look at the kinds of technologies needed right now to deal with modern attacks. Times have changed and attackers have advanced, so our detection techniques need to evolve as well.

In our Network-based Threat Detection paper, we focus on what kinds of indicators make the most sense to look for on the network, how to prioritize what you find, and then the steps to operationalize the process to make detection consistent and reliable.

Network-based Threat Detection

We would like to thank our licensees (in alphabetical order), Damballa, Niara, and Vectra Networks. Our unique licensing model enables us to perform impactful and objective research and still pay our bills, so please thank them too.

Download: Network-based Threat Detection (PDF)