Threat Detection and Response
Analyst Coverage: Fran Howarth
Threat detection and response is concerned with ensuring that organisations have access to sophisticated technology to defend themselves against the complex threat landscape that they face. Security investments have traditionally favoured a preventive approach, trying to stop threats from entering the network in the first place.
However, over the past 15 to 20 years the focus has shifted towards detecting threats that have made it through preventive controls and gained a foothold on the network. The aim is to uncover both known and unknown, hidden or emerging threats as quickly and efficiently as possible in order to limit the damage that they can cause. It goes further than that, though, by helping organisations to respond efficiently to the threats that are uncovered.
There are many flavours of threat detection and response, from pure technology to technology plus services. Originally, SIEM (security information and event management) systems were developed for the threat detection piece, but they were limited in their capabilities, especially in terms of response. Despite this, they are now considered to be foundational technologies for many organisations and many of the new technologies that have been developed still integrate with them.
In terms of technology, many new offerings have been developed in response to the need for wider coverage across the network. Endpoints continue to proliferate, something that became apparent from 2010 onwards as smartphones arrived and were widely taken up. This led to the development of EDR (endpoint detection and response) technology, which continuously monitors endpoints for suspicious activity so that action can be taken. Shortly after, UEBA (user and entity behaviour analytics) was added to the mix; it focuses directly on user and device behaviour to add further context to investigations. For better response capabilities, SOAR (security orchestration, automation and response) technology was developed to help organisations achieve their desired security outcomes by guiding them through the steps required to respond to incidents.
More recently, these technologies have been combined into XDR (extended detection and response) technology to provide a more holistic detection and response capability. NDR (network detection and response) has also been brought into the mix, extending capabilities for detection across all parts of the network.
But threat detection and response requires more than technology alone, and this is where MDR (managed detection and response) capabilities come into play. These combine the provision of technology with access to expertise from the service provider, helping organisations that are struggling to get the best out of these complex new technologies, especially where skilled security personnel are hard to find and retain or where the budget is insufficient to staff the security function adequately. Many service providers have now embraced XDR in their offerings, and this sector has shown and will continue to show rapid growth.
Threat detection and response works by taking telemetry feeds from systems throughout the network, both from controls installed on premises and from the organisation's extended networks. The data from these feeds is correlated and analysed to uncover trends and patterns across all of the activity seen. The result is detailed, context-rich reports rather than the flood of individual alerts that had been overwhelming organisations, each of which had to be sifted through to establish whether a threat was real and how severe it was.
Machine learning is an essential part of these technologies. It uses advanced algorithms to detect anomalies, helping to uncover new and emerging threats and providing greater context to improve the speed, efficiency and accuracy of decision making.
Another key component is threat hunting, which proactively looks to root out unknown, hidden and emerging threats that could otherwise be missed. It can be automated or driven by human expertise, and it relies heavily on threat intelligence.
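As an added illustration of the correlation step described above (not code from the original article or any vendor named in it), the following constructed example folds alerts from separate EDR, NDR and UEBA feeds into per-host incidents. The feed names, event types, severity weights and the ten-minute window are all assumptions chosen for the illustration.

```python
"""Constructed XDR-style correlation: many per-source alerts, one incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry from three feeds (EDR, NDR, UEBA); not real data.
TELEMETRY = [
    {"ts": "2024-03-01T09:00:05", "src": "edr",  "host": "ws-17", "user": "alice", "event": "suspicious_process"},
    {"ts": "2024-03-01T09:01:10", "src": "ndr",  "host": "ws-17", "user": "alice", "event": "beaconing"},
    {"ts": "2024-03-01T09:02:40", "src": "ueba", "host": "ws-17", "user": "alice", "event": "unusual_login_hour"},
    {"ts": "2024-03-01T14:30:00", "src": "edr",  "host": "ws-04", "user": "bob",   "event": "suspicious_process"},
]

# Assumed base severity per event type (1 = unknown event type).
SEVERITY = {"suspicious_process": 3, "beaconing": 4, "unusual_login_hour": 2}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Group events by host; events within `window` of an incident's first
    event join that incident. Returns incidents in order of first sighting."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[ev["host"]].append(ev)

    incidents = []
    for host, evs in by_host.items():
        current = None
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if current is None or t - current["start"] > window:
                current = {"host": host, "start": t, "users": set(),
                           "sources": set(), "events": [], "severity": 0}
                incidents.append(current)
            current["users"].add(ev["user"])
            current["sources"].add(ev["src"])
            current["events"].append(ev["event"])
            current["severity"] = max(current["severity"], SEVERITY.get(ev["event"], 1))

    # Corroboration across independent feeds raises confidence: +1 per extra source.
    for inc in incidents:
        inc["severity"] += len(inc["sources"]) - 1
    return incidents


if __name__ == "__main__":
    for inc in correlate(TELEMETRY):
        print(inc["host"], sorted(inc["sources"]), inc["severity"], inc["events"])
```

The four raw alerts collapse into two incidents, and the one corroborated by all three feeds is ranked above the isolated endpoint alert, which is the triage benefit the paragraph describes.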
Every organisation, no matter its size or industrial focus, is liable to be seen as a viable target by adversaries. Large organisations that have extensive security teams may choose to install the technologies themselves, especially where they have a fully staffed security operations centre. However, even then they may wish to engage with an MDR provider to gain access to expertise that will function as an extension to their security team.
Organisations whose security teams are too small to understand and deal with the complexity of the technology are prime candidates for MDR services, which are often offered in tiered support levels, with some offering just out-of-hours support.
Every organisation also faces regulatory compliance challenges. Whether the organisation is in a highly regulated sector or just subject to data protection requirements, threat detection and response technologies can help them to ensure that they are keeping up with and meeting compliance objectives by rooting out security gaps that can hinder their compliance programmes.
Threat detection and response is a vibrant space that will continue to grow in importance as new threat challenges need to be faced.
Networks are expanding rapidly to incorporate supply chains, industrial systems and the cloud. In particular, use of cloud has been increasing rapidly and has been given a boost by digital transformation efforts and by remote working, which has been a key development during the pandemic. Most threat detection and response technologies are based in the cloud, with many being offered on a subscription basis. By placing technologies in the cloud, capabilities can scale to a much greater extent than traditional technologies.
Particularly in the MDR sector of this market, services are being extended to cater for the needs of the midmarket, packaged for easy uptake and consumption. Rather than having to purchase and implement technologies themselves, midmarket organisations receive them as part of the MDR service, along with access to expertise. They also gain access to technologies such as SOAR that were largely the preserve of larger organisations with the time and expertise to exploit them to their full potential.
Response is also gaining traction. Vendors in this space have spent time building out detection capabilities, but response capabilities largely lagged behind. This is changing rapidly, with vendors embedding SOAR into their offerings and with MDR providers offering expert guidance in this area. This is expected to be a key focus for this year and going forward.
Another emerging area is a greater focus on identity management, particularly with regard to privileged accounts and entitlements that are a prime target for attackers. This is also something that is likely to expand over the coming year and beyond.
The threat detection and response market comprises specialists and those that are technology-agnostic. The specialists have developed and offer their own technology, sometimes with the addition of services in the MDR model, and many license use of their technology to other vendors, in particular MDR service providers and MSSPs (managed security service providers) that are moving into this area.
Those that are technology-agnostic are largely in the MDR and MSSP space. They aim to ingest telemetry from whatever technology a customer has in place, although some favour technology from partners in the EDR/XDR space.
The number of vendors operating in this space has grown rapidly over the past couple of years, providing a wealth of choice and attesting to the vitality of the threat detection and response market.