Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Best Practices Guide

A New Threat Detection Model That Closes the Cybersecurity Gap

The cybersecurity gap exists between the time an attacker successfully evades prevention security systems at the perimeter and the clean-up phase when an organization discovers that key assets have been stolen or destroyed.
A New Threat Detection Model That Closes the Cybersecurity Gap
A New Threat Detection Model That Closes the Cybersecurity Gap
Select language to download
Instant free access
Thank you for downloading!
Please access your free offer below.
Download
Download
Download in French
Download in German
Download in Spanish
Download in Japanese
Download in Italian

Stop a hybrid attack

Take a self-guided tour to see how the Vectra AI Platform empowers you to stop hybrid attacks before any damage is done.

Take Self-Guided Tour

With Vectra AI, attackers don't stand a chance

Intellectual property. High-value data. Hybrid cloud infrastructure. It all adds up to a lot of vulnerabilities — and makes your company a prime target for nation-state cyberattacks. But with Attack Signal Intelligence from Vectra AI, your analysts easily keep data breaches at bay.

No items found.

Gain real-world insight into the anatomy of an attack.

Join our ensemble of security researchers, data scientists and analysts as we share over 11+ years of security-AI research and expertise with the global cybersecurity community. Through our webinars and hands-on labs, you’ll learn how to effectively leverage AI for threat detection and response and expose sophisticated attacks hiding in your environment.

Explore upcoming sessions

Blind to the cybersecurity gap

Inside this gap, attackers have a huge advantage over traditional prevention- based security products. Although prevention tools and techniques are widely used today, cybercriminals routinely outsmart them by using complex and intelligently constructed attack methods.

Cyber attacks are no longer simple smash-and-grab jobs driven by preprogrammed malware. They are controlled by highly skilled, creative and intelligent humans. Ongoing coordination allows a human attacker to progressively learn more about the target network, adapt to any defensive measures, and advance the attack over time.

While attacks have made an evolutionary leap in complexity, security defenses have not. Defenses are overwhelmed trying to find threats using fast pattern- matching signatures of known threats and malware.

As threats became more intelligent and evolved in sophistication over time, traditional security remains dependent upon making snap judgments based on incomplete information.

Traditional security remains dependent upon making snap judgments based on incomplete information.

Today, this imbalance gives attackers a significant advantage. To keep pace, organizations need a more intelligent approach to security – a new class of security that can learn, evolve and think.

This paper lays out the requirements for a new methodology that identifies threats based on what has been learned from the past as well as local context, and then connects events over time to reveal the progression of an attack.

The signature challenge

Security defenses have tried to keep pace by using more and more signatures and delivering them faster and faster. Signatures are the bedrock of traditional security technology and are written to identify exploits, malicious URLs and known malware.

Signatures can quickly identify and block known threats at scale. However, their weakness is that they are inherently reductive – they reduce a known threat to its simplest fingerprint in order to give a single yes or no answer within microseconds to avoid slowing the flow of application traffic.

This reductive focus on immediate and simple answers has created an advantage for attackers who are willing to adapt. Signatures only work by fingerprinting a known threat, and attackers have learned to avoid signatures by using new, unknown threats.

The 2015 Verizon Data Breach Investigation Report illustrates this trend in stark detail, indicating that 70-90% of malware used in data breaches were unique to the organization that was infected.

This means that every organization would need a unique set of signatures to protect itself – a requirement that doesn’t scale. But if an attacker uses an unknown, or zero-day, threat, no signature could possibly exist to detect it. The importance and ease of avoiding signatures has not been lost on attackers.

While attackers are able to stay ahead of signatures, it is the persistence of the ongoing attack that has truly turned the tables. Once an organization’s outer defenses are compromised, attackers can blend in with the network, progressively spy, and spread deeper until they find high-value assets to steal or destroy.

This process typically involves multiple compromised hosts, a variety of tools and malware, and the theft and misuse of valid user credentials. The important point is that the threat itself is ongoing while attackers evolve their operations and adapt over time.

The threat itself is ongoing while attackers evolve their operations and adapt over time.

The reductive nature of signatures that identify threats at the atomic level is particularly ill-equipped for recognizing the more complex chemistry going on around them. This intelligence gap is precisely why a new security model for threat detection is so vital.

The new threat detection model

The newest, most advanced threat detection model does more than simply plug the gaps in traditional security technologies. It squelches the strategic advantage that attackers have enjoyed for too long.

Coarse-grained detections with a long shelf-life

Detections that use traditional signatures become obsolete when attackers adapt by moving to a new domain or adding a few bits to known malware so signatures no longer match it. This gives them a first-mover advantage where even the most trivial changes keep attackers several steps ahead of defenders.

One of the core goals of the new threat detection model is to deliver detections that remain valid for long periods of time. This requires a shift from fingerprinting every individual instance of a threat to recognizing the fundamental attack characteristics that every threat has in common.

When applied to packet-level traffic, data science and machine learning become extremely powerful tools to identify the fundamental characteristics that distinguish threats from normal traffic.

Targeted attack vs opportunistic attack processes

Focus on attacker actions and behaviors

Traditional detection models attempt to find snippets of exploit code, a known sample of malware or a malicious domain. This leads to an intractable job of constantly finding and fingerprinting an infinite number of malicious occurrences. The task is never-ending and attackers always remain steps ahead by using a new exploit.

To break this cycle, the new threat detection model shifts the focus from trying to name all possible bad things to identifying the unique indicators of attack behaviors and actions.

In other words, the goal shifts from identifying what a thing is, to identifying what the thing does. Although attackers can hide their threats by making slight changes to malware or buying a new domain, the actions and objectives of an attack are always the same.

For example, virtually every attack must establish some form of hidden communications in order for the bad actor to coordinate and manage the attack. The attack also needs to spread internally, compromise more internal devices and credentials, and ultimately destroy assets or exfiltrate them from the network.

Virtually every attack must establish some form of hidden communications in order to coordinate and manage the attack.

By focusing on attack behaviors, defenders can fight and win the asymmetric cybersecurity war by shifting the math of security back in their favor. Instead of using thousands of signatures to find every variant of a threat, they can focus on a few dozen key behaviors that attackers must perform in order to succeed.

Recognize threats over time

One of the most recognizable traits of modern network data breaches is that they evolve over time. This low-and-slow approach has become standard operating procedure for sophisticated attacks, and for good reason. Traditional security suffers from short-term memory and a post-breach form of perfect amnesia.

Traditional security suffers from short-term memory and a post-breach form of perfect amnesia.

The new threat detection model recognizes threats in real-time and identifies the signs of attack that evolve over time. One does not preclude the other. For example, small timing anomalies and cadences within a network session can reveal hidden tunnels and remote access tools used by attackers.

Conversely, recognizing when an employee’s credentials have been compromised may require learning the user’s normal behaviors over a period of days, weeks and months. While the time scale can be very small or very long, both cases require a keen understanding of threats in relation to time.

Recognize attacks, not just techniques

In order to provide value, security must identify real business risks to an organization and not simply deliver a list of alerts. This requires security solutions to understand how individual events are interconnected and the impact those threats have on an organization’s assets.

This necessitates a combination of threat context and organizational context. The ability to connect the dots between phases of an attack is precisely what distinguishes a targeted attack from the stream of commodity threats that inundate networks on a daily basis.

Signatures vs Data science to detect threats

Detecting threats with data science

In order to meet these requirements, data science and machine learning techniques can be applied directly to network traffic. The newest threat detection model uses both to proactively reveal hidden attacks inside a network.

Why use data science?

Data science and machine learning have become buzzwords in the industry, with a seemingly endless array of claims and applications. It is important to understand that these are simply tools and not a cure-all for every security problem.

To avoid marketing hype, it is essential to understand exactly what these approaches bring to the table, how they are different from other approaches, and the strengths and weaknesses they bring.

Data science represents a fundamental shift in security. Unlike a signature- based approach that delivers a 1-for-1 mapping of threats to countermeasures, data science uses the collective learning of all threats observed in the past to proactively identify new ones that haven’t been seen before.

Think of it as a student learning a new subject in school. Memorizing the answers to a test might result in a passing grade but this approach misses the mark when it comes to learning how to solve a problem.

Long term, it is essential to understand what, when, why and how. Actual knowledge and intelligence is far more advantageous when evaluating and solving new problems that have not been encountered before.

This is a critically important distinction when using data science to detect threats. For the traditional model to work, all of the answers must be known ahead of time. For example, the domain ACME.com has been seen behaving badly in the past, therefore it is bad.

Data science expects to be asked real questions and applies collective learning to evaluate an unknown.

In a different scenario, ACME123.com has never been seen behaving badly in the past, but traffic to and from this domain is showing four different behaviors, the combination of which is consistent with command-and-control attack behavior.

From the collective knowledge of threats gathered from the real-world, it’s possible to identify the domain as acting bad based on its behavior.

The importance of direct, first-hand data

Data science models are naturally dependent on the quality of data they analyze, and this is especially true in the cybersecurity field. It is essential for cybersecurity solutions to find stealthy threats that sneak past traditional controls, and this job requires direct, first-hand access to all network traffic.

The vast majority of approaches that use data science to detect threats perform data mining against large databases of event logs. While this approach may find correlations between logs that were previously missed, it has some troubling limitations.

Logs are a secondary source of data that briefly summarize an event. Information that is not in a log is lost and unavailable for analysis. Additionally, logs are only as good as the system that generates them. If an upstream firewall or security device fails to detect a threat, there will be no log to analyze.

The limitations of log data are disconcerting. The role of a cybersecurity solution is to detect threats that evade the standard layers of defense. Re- analyzing summaries from devices that already failed to detect a threat is hardly logical.

Data Quality and Speed and Network Coverage

Re-analyzing logs from devices that failed to detect a threat is hardly logical.

NetFlow and other flow summaries suffer from similar limitations. Flow data monitors and tracks performance in the network plumbing. These summaries are limited to tracking the direction and volume of network traffic, and lack the direct, first-hand visibility needed to find a hidden, highly evasive threat.

Data science models perform much better when applied to higher quality data. Instead of simply mining data from flawed sources, the new threat detection model applies data science and machine learning to network traffic at the packet level.

This direct, first-hand access to traffic represents a completely new style of threat detection. Instead of correlating events or learning simple baselines, advanced threat detection builds real-time models that recognize the behaviors of malicious traffic.

Cyber attacks always evolve. But by retaining first-hand visibility into traffic, the new threat detection model can always adapt to identify new attack techniques and strategies. This is a stark contrast to log and flow-based systems, which are always dependent upon upstream data sources.

The role of machine learning in data science

The popularity and interest in data science and machine learning has turned both terms into slick catch-phrases, making it difficult to distinguish one from the other.

Data science is widely concerned with the many ways that knowledge can be extracted from data. Its sweeping perspective spans a broad set of disciplines that include mathematics, statistics, machine learning, and a variety of analytics just to name a few.

It is important to note that machine learning is a subset of data science. The new threat detection model also leverages a wide range of data science techniques that include supervised and unsupervised machine learning, mathematical heuristic models of detection, statistical modeling and behavioral analysis.

Machine learning enables software to iteratively learn from data and adapt without being explicitly programmed. In the context of detecting threats, machine learning identifies and learns patterns of behavior that reveal an attack.

In the context of detecting threats, machine learning identifies and learns patterns of behavior that reveal an attack.

Supervised and unsupervised machine learning

Detecting threats requires two types of high-level data sets. The first is a global set of experiences that indicates how threats differ from normal or benign traffic. The second is a local set of experiences that reveal unusual or anomalous behaviors in a particular environment.

The first approach reveals behaviors that are always bad, regardless of the network in which it occurs, and the second reveals threats based on local context. Both are crucial to detecting threats and they must work cooperatively.

Supervised machine learning addresses the first approach by analyzing known malware, threats and attack techniques. It is guided by security researchers and data scientists who identify fundamental post-exploit behaviors that are consistent across all variants. This analysis then feeds algorithms that detect underlying malicious behaviors in network traffic.

While global intelligence is extremely useful, some attacks are only revealed based on understanding the local context of the target network. Unsupervised machine learning refers to models that proactively recognize what is normal for a particular network and when behaviors deviate from that norm.

Both styles of machine learning are essential and work together to detect hidden threats. Likewise, both styles support detection algorithms based on information that is observed over extended periods of time.

Instead of detecting in a few milliseconds based on a single packet or flow of data, the new threat detection model learns and identifies attack behavior patterns over periods ranging from seconds to weeks.

Conclusion

The newest, most advanced threat detection model combines a wide array of industry-leading intelligence and detection techniques to see threats from all angles in real time. It represents a new, more effective and highly proficient detection methodology that leverages data science to detect threats that are missed by traditional security models.

Trusted by experts and enterprises worldwide

FAQs

Challenge

Solution

Customer benefits

How other organizations are partnering with Vectra AI

Key Findings from the Gartner Market Guide for Network Detection and Response

Gartner is a trusted resource and advisor to who we are and what we do at Vectra AI. We see eye to eye with Gartner on many things, but not always everything. In this report, we share where we align to Gartner and where our perspectives differ when it comes to Network Detection and Response (NDR).

Read case study
Using AI to Detect and Stop Lateral Movement in the Cloud

Vectra CDR for AWS enables modern SOC teams to reduce risks against advanced lateral movement attacks in your hybrid cloud.

Read case study
Stop Identity-based Attacks with Privilege Account Analytics (PAA) in Your SOC Arsenal

The Vectra AI Platform expands coverage for threats that bypass prevention with visibility into privilege identity behaviors to relieve your SOC team from the pains of privilege account sprawl.

Read case study
Vectra CDR for AWS with Amazon GuardDuty

Vectra CDR for AWS strengthens exisiting investments in Amazon GuardDuty by stopping sophisticated threats and deeply empowering modern SOC teams.

Read case study
Shifting from legacy PCAP to AI-driven threat detection

PCAP strengths primarily rely on network monitoring for on-premises environments, leaving huge gaps and vulnerabilities for bad actors to exploit.

Read case study
Reduce Critical Infrastructure Risk with Integrated Signal for Your Hybrid Cloud

Reduce your exposure to critical infrastructure risk with integrated signal for your entire hybrid cloud infrastructure.

Read case study
Best Practices to Address Tool Sprawl for Your NDR and IDS solutions

Vectra Match for NDR consolidates behavior-based and signature-based detection correlation

Read case study
Meeting the challenges of the Cybersecurity Maturity Model Certification (CMMC v2) with Vectra AI

To meet the protections of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI), federal contractors of all categories are now required to meet CMMC in order to participate in new contract pursuits, extensions, or modifications.

Read case study
Adapting to Changes in Securing the Cloud

The shift to cloud-native architectures, driven by the need for speed and agility in today's digital business landscape, has resulted in developers taking on security responsibilities, increasing the risk of introducing security issues alongside enhanced efficiency.

Read case study
A New Threat Detection Model That Closes the Cybersecurity Gap

The cybersecurity gap exists between the time an attacker successfully evades prevention security systems at the perimeter and the clean-up phase when an organization discovers that key assets have been stolen or destroyed.

Read case study
The Tradeoff Between Automatic and Manual Enforcement

Enforcement, as it relates to cyberattacks, are responses to attacker actions to bring an enterprise back in line with its stated security policy. Common examples of enforcement are blocking traffic to a specific IP, quarantining a device by restricting network access, reformatting a machine, or locking down account access.

Read case study
Extending beyond EDR with integrated signal at speed and scale

When it comes to stopping high-speed hybrid attackers, integrated signal at speed and scale is the only answer.

Read case study
How to Protect the Oil and Gas Sector from Cyberthreats

Energy companies are increasingly vulnerable to cyberthreats.

Read case study
How Financial Institutions Can Stop Cyberattacks in Their Tracks

Attackers are finding it more profitable to go straight for the money using sophisticated advanced persistent threats (APT), such as Carbanak, as well as ransomware.

Read case study
How Manufacturing Organizations Can Reduce Business Risk from Cyberattacks

Manufacturers have long used industrial control systems to increase the speed and efficiency of production. But these production control systems were largely kept separate from the administrative and enterprise systems.

Read case study
How Pharmaceutical Companies Can Protect Valuable IP

Intellectual property (IP) is the lifeblood of pharmaceutical companies. An analysis of the top 10 drug firms indicates that average R&D spend is over 20% of revenue and intangible assets.

Read case study
How Medical Device Manufacturers Can Safeguard Vital IP

Stolen IP represents a significant subsidy since the thieves don’t have to bear the costs of developing or licensing that technology or manufacturing process.

Read case study
Meaningful AI for Security

When done well, AI can arm your security team with more efficient and effective threat detection, however, not all AI is created equal.

Read case study
Incident Response Maturity: Time to Grow Up

When a cyberattack occurs, most aspects of the threat are not under the control of a targeted organization. These range from who is targeting them, what is the motivation, where and when the attack occurs, how well-equipped and skilled that attacker might be, and most critically, the persistence of the attacker to achieve the ultimate goal.

Read case study
Is Next-Generation IPS Masking an Old Problem?

Intrusion detection systems (IDS) like Cisco Firepower (formerly Sourcefire), Trend Micro Deep Discovery, and McAfee Network Threat Behavior Analysis are all traditional technologies with deep roots in signature-based detection and protection.

Read case study
What is Network Detection and Response (NDR)?

NDR goal: Empower security analysts to receive alerts quickly and be able to discern what is critical versus what is benign. It also focuses on lowering the time from compromise to incident detection and containment.

Read case study
NIS2 (Network and Information Security 2) – A Best Practices Guide

What is NIS2? Who should be involved and what steps can you take to achieve NIS2 compliance?

Read case study
Protecting Patient Health and Privacy from Cybercriminals

The healthcare industry today is one of the top targets of cyber attackers. This has been driven in large part by the digitization of healthcare delivery - IoT devices such as x-ray and MRI machines, drug infusion pumps, blood gas analyzers, medication dispensers and anesthesia machines - as well as medical information.

Read case study
Protecting Higher Education Networks from Cyberthreats

Thanks to their open, collaborative environments and a treasure trove of high-value assets, universities and colleges have become a top target of data breaches and cyber attacks.

Read case study
Recommendations When Evaluating NDR for IaaS

With nearly half of current infrastructure-as-a-service (IaaS) users running production applications on a public cloud infrastructure, organizations will increasingly look to capture the favorable business models, dynamic scaling, availability, and streamlined management that public clouds deliver.

Read case study
SecOps Practices that stop AWS Account Compromise accurately and early.

A Cloud Detection and Response Strategy for AWS

Read case study
Reduce Your SIEM Cost and Stop Attacks Faster

With the increasing number of cyber threats your SOC team faces, ask yourself one question: can we keep pace by relying exclusively on our SIEM to detect and respond to attacks?

Read case study
From DIY to AI: Removing SOC latency by shifting from build-your own SIEM rules to pre-built AI models

Why create and maintain your own detection rules when AI can do it for you?

Read case study
SOC Visibility Triad - The Ultimate in SOC Visibility

As evidenced by unprecedented cybercrime, traditional security defenses have lost their effectiveness. Threats are stealthy, acting over long periods of time, secreted within encrypted traffic or hidden in tunnels. With these increasingly sophisticated threats, security teams need quick threat visibility across their environments.

Read case study
Remote Work, Not Remote Control: Detection Guidance

Vectra is making the following recommendations for users of the Cognito platform to identify and manage the expected increase in behavioral detections related to certain remote worker conditions.

Read case study
5 Keys to Stopping Hybrid and Multicloud Cyberattacks on Critical Infrastructure

A playbook for defending Critical National Infrastructure (CNI) from cyberattacks and increasing SOC productivity by >2X.

Read case study
The Dark Side of Darktrace: Why Vectra AI beats the competition

Darktrace isn’t just guilty of bloated sales and marketing — it also fails to deliver on POC promises. Read the Darktrace vs Vectra brief to learn why.

Read case study
How to Stop Ransomware

Learn how to quickly identify the early signals of an active ransomware attack.

Read case study
Threat Hunting Guide

Threat hunting is an important part of any security program. Regardless of how well-designed a security tool is, we must assume these tools and defenses are imperfect.

Read case study
Modernize Your SOC — Set Your Pathway into the future without Network Traffic Decryption

An integrated threat signal enables your SOC to move away from network traffic decryption while reliably detecting the most urgent threats.

Read case study
How Cyberattackers Evade Threat Signatures

Signatures, reputation lists and blacklists only recognize threats that have been previously seen. This means someone needs to be the first victim, and everyone hopes it's not them.

Read case study
How Vectra AI enables DORA Compliance

Digital Operational Resilience Act (DORA) - 10 steps Best Practices Guide for Security & Compliance Leaders to understand the EU regulation.

Read case study
See all customer stories

When you eliminate the noise, you stop attacks faster.

Explore CDR for M365

Vectra Cloud Detection and Response (CDR) for M365 is the most advanced AI-driven attack defense for malicious threats to your Microsoft 365 apps and data.

Learn more
Get a demo

Request a 30-minute demo to see how the Vectra AI empowers SOC analysts to find and stop active cyberattacks in minutes.

Sign up
Use cases

Explore real-world applications of the Vectra AI platform — from identifying elusive threats to streamlining incident response.

See more
Blogs

The Vectra blog covers a wide range of cybersecurity topics, including exploits, vulnerabilities, malware, insider attacks, threat actors, artificial intelligence, and more.

See more
Customer stories

Vectra AI customer stories showcase how real organizations are using our cybersecurity solutions to protect their data and achieve their security goals.

See more