It’s no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network.
Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short.
Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking.
When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are.
The simple fact is that infection vectors change rapidly and continuously. Attackers use new delivery methods, everything from social engineering to zero-day exploits, and they are often effective.
In most cases, an infection is a singular event. Because the delivery happens only once, the security controls meant to prevent threats from entering get a single chance to detect it, which lowers the odds that they will.
Unfortunately, most organizations still focus more of their resources on prevention than on detection. The primary tools they deploy today include firewalls, anti-spam, sandboxing, IPS (intrusion prevention), intelligence feeds, URL filtering, anti-malware, and anti-bot.
These solutions are designed to sit in front of what's left of the perimeter and block infection attempts. Once a threat slips through the perimeter, however, these tools can neither see nor stop it.