Many enterprises now operate on the assumption that they have already been compromised: attackers are probably already inside the network. Given the increasing sophistication of individual hackers, organized criminals and state-sponsored groups, it is safer to presume that the networks of many enterprises are already breached than to assume otherwise. Perimeter-only protection is therefore no longer sufficient. Firewalls and malware-detection products remain necessary, but on their own they cannot stop an adversary who is already inside.
Today’s enterprise is filled with security tools whose underlying technology and principles are likely 10-plus years old. These include firewalls and intrusion detection systems that match traffic against known signatures, rule-based detection engines, malware-detection tools that rely on sandboxing, and DLP systems that look for specific content, typically keywords, within documents leaving the enterprise.
A related challenge is that current security products depend on known attacks, static rules and correlation techniques. This approach generates millions of alerts and a high rate of false positives. Working through millions of alerts with manual incident response is unsustainable even for a large SOC team, and the resulting backlog pushes time to detection out to weeks or months. Worse, most of these alerts are not actionable on their own. Because analysts and incident response teams receive a flood of alerts from many security products across the enterprise, the result is a phenomenon called ‘analyst fatigue’: security professionals spend most of their time reviewing alerts that lead nowhere and gathering the supporting evidence needed to decide which ones matter.
Most recent high-profile breaches occurred at organizations that were running current-generation security products continuously, yet the attackers were still able to infiltrate the network, move laterally and exfiltrate data unhindered. What is needed is a deeper, data-science-driven, machine-learning-based detection layer inside the network that can identify advanced attacks and malware. It is imperative to detect malware that has already penetrated the corporate network, not only to block it at the perimeter.