The need for a robust and comprehensive threat detection program has never been greater. As the instances and severity of network intrusions and cyberattacks continue to grow, organizational leaders have taken note. According to the 2021 Board of Directors Survey by Gartner, 88% of corporate boards now consider cybersecurity a business risk, up from 58% in 2016. Threat detection is a proactive process that is used for detecting unauthorized access to network data and resources by both internal and external sources. Let’s explore how threat detection can mitigate the impact of attacks by detecting and neutralizing incursions early on and look at several best practices to implement.
Threat Detection and Mitigation Methods
Early detection and intervention are the goal of all threat detection methods. When network breaches happen, uncovering them quickly helps security teams minimize data loss and reduce damage. Here are four popular threat detection methods and how they work.
Threat Intelligence
Cyber threat intelligence is the process of identifying, analyzing, and understanding threats that have targeted the organization in the past, are currently attempting to gain unauthorized access, and are likely to do so in the future. Threat intelligence analysts collect internal information from incident response engagements and true positive detection alerts, as well as external information such as public threat reporting and intelligence from third-party intelligence providers, to develop an understanding of who is likely to target the organization, how they will do it, and why. This intelligence can then be provided to the threat detection team and other security functions to enhance detection and decrease overall risk within the organization. Threat intelligence seeks to understand the following:
Which threat actors are likely to target the organization, based on their previous targets and motives
How those threat actors conduct attacks against such organizations: their tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)
Which decision makers and stakeholders, including the threat detection team, need each synthesized intelligence product, which requires an intimate understanding of the organization's technology stack and security posture
This information helps bolster cybersecurity readiness and threat mitigation efforts while keeping business leaders and stakeholders informed about potential risks and consequences if threat actors were to be successful.
User and Entity Behavior Analytics (UEBA)
Analyzing the behavioral patterns of internal users can help threat detection teams flag deviations that may indicate a user’s credentials have been compromised. This data can include the information users access regularly, the times of day each user is typically active on the network, and where users are working from. For example, a top-level corporate executive who typically works regular business hours from a home office in Seattle is unlikely to log in to the corporate network at 2:30 a.m. in Brussels. By establishing a baseline for what normal behavior looks like, security analysts are better able to spot anomalies that require further scrutiny.
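The baseline-and-deviation idea above, as an added example written for this article rather than code from Snowflake: a Snowflake-style SQL query that profiles each user's usual login hours and source countries over a baseline period and then flags logins in the detection window that fall outside that profile. The table and column names, the sample rows, and the use of GeoIP-derived country codes are assumptions; the baseline is deliberately simple (hour range plus seen countries), and a production rule would use per-hour login counts or percentiles instead of a plain min/max.

```sql
-- Constructed sample data: one executive's logins over a baseline period,
-- followed by a single login that does not match the pattern.
-- login_ts is assumed to be stored in UTC; src_country is assumed to come from GeoIP.
WITH auth_events (user_id, login_ts, src_country) AS (
    SELECT * FROM VALUES
        ('exec01', '2024-03-04 15:05:00'::TIMESTAMP, 'US'),
        ('exec01', '2024-03-05 16:40:00'::TIMESTAMP, 'US'),
        ('exec01', '2024-03-06 15:30:00'::TIMESTAMP, 'US'),
        ('exec01', '2024-03-07 23:10:00'::TIMESTAMP, 'US'),
        ('exec01', '2024-03-08 18:00:00'::TIMESTAMP, 'US'),
        ('exec01', '2024-03-12 01:30:00'::TIMESTAMP, 'BE')   -- 02:30 Brussels local time
),
baseline AS (
    -- Per-user profile from the 30 days before the detection window:
    -- the hour-of-day range (UTC) in which the user normally logs in.
    SELECT user_id,
           MIN(HOUR(login_ts)) AS earliest_hour,
           MAX(HOUR(login_ts)) AS latest_hour
    FROM auth_events
    WHERE login_ts <  '2024-03-11'::TIMESTAMP
      AND login_ts >= DATEADD(day, -30, '2024-03-11'::TIMESTAMP)
    GROUP BY user_id
),
known_geo AS (
    -- Countries the user has been seen logging in from during the baseline.
    SELECT DISTINCT user_id, src_country
    FROM auth_events
    WHERE login_ts < '2024-03-11'::TIMESTAMP
)
-- Emit only logins in the detection window that are off-hours or from a
-- country never seen for that user; both flags are kept so an analyst
-- can see which part of the baseline was violated.
SELECT e.user_id,
       e.login_ts,
       e.src_country,
       HOUR(e.login_ts) NOT BETWEEN b.earliest_hour AND b.latest_hour AS off_hours,
       k.user_id IS NULL                                              AS new_country
FROM auth_events e
JOIN baseline b
  ON b.user_id = e.user_id
LEFT JOIN known_geo k
  ON k.user_id = e.user_id AND k.src_country = e.src_country
WHERE e.login_ts >= '2024-03-11'::TIMESTAMP          -- detection window
  AND (HOUR(e.login_ts) NOT BETWEEN b.earliest_hour AND b.latest_hour
       OR k.user_id IS NULL)
ORDER BY e.login_ts;
```

With the constructed rows, only the 2024-03-12 01:30 UTC login from BE is returned, with both off_hours and new_country true; a user who has never logged in during the baseline period has no profile and is not scored, which is a gap a real rule should handle explicitly.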
Deception Technology
A threat detection function can significantly benefit from deploying deception technology like canary tokens. By strategically placing these seemingly legitimate but ultimately fake credentials within the environment, the detection team can create tripwires for threat actors. Any attempt to use a canary token, such as trying to authenticate with it to a system or service, immediately signals unauthorized activity. Since legitimate users would have no reason to interact with these decoy tokens, any such interaction serves as a high-fidelity alert, drastically reducing false positives and allowing the threat detection team to quickly identify and respond to potential breaches or insider threats in their early stages.
Threat Hunting
Threat hunting is an explicitly proactive approach in which security analysts actively search for signs that threat actors have already gained access to systems. By searching through the organization’s collected security telemetry, threat hunters seek to uncover successful compromises. Even when a hunt finds no threats, the playbooks and queries it produces are turned into permanent detections that monitor for that suspicious activity in the future.
Threat Detection Technologies
Threat detection technologies, tools and methods are continually advancing in response to the ever-changing landscape of threats to network and data security. While the security needs of every organization are unique, these threat detection technologies belong in every organization’s cybersecurity arsenal.
Security Event Detection Technology
By bringing data together from across an organization’s entire network, security event technology pulls events, including authentication, network access, and logs from critical systems, into one place. This simplifies tasks such as comparing systemwide log data against IOCs from a threat intelligence data feed, making it more efficient to analyze event logs and root out probable threat actor activity. Security event technology gives security analysts a complete view of their endpoints, firewalls, IDS/IPS devices, SaaS logs, servers, switches, OS logs, routers, and any other applications that generate telemetry, so that all of it can be monitored and have detections run against it.
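The IOC comparison described above, as an added example written for this article and not code from Snowflake or any vendor feed: firewall, DNS and endpoint telemetry are normalized to a common (entity, observable, type) shape and joined against a threat intelligence feed table, with domain indicators also matching subdomains. All table and column names are assumptions, and the indicator values are constructed from reserved documentation ranges and a labelled placeholder hash.

```sql
-- Constructed sample data. IOC values use reserved documentation ranges
-- (TEST-NET addresses, .example domains) and a placeholder hash, so none are real.
WITH ioc_feed (ioc_type, ioc_value, threat_name) AS (
    SELECT * FROM VALUES
        ('ipv4',   '203.0.113.45',            'constructed-c2'),
        ('domain', 'beacon.malicious.example', 'constructed-c2'),
        ('sha256', 'PLACEHOLDER_SHA256_0001', 'constructed-dropper')
),
firewall_logs (event_ts, src_ip, dst_ip, dst_port, action) AS (
    SELECT * FROM VALUES
        ('2024-03-12 09:01:00'::TIMESTAMP, '10.0.5.17', '203.0.113.45', 443, 'ALLOW'),
        ('2024-03-12 09:02:00'::TIMESTAMP, '10.0.5.18', '198.51.100.9', 443, 'ALLOW')
),
dns_logs (event_ts, client_ip, query_name) AS (
    SELECT * FROM VALUES
        ('2024-03-12 09:00:30'::TIMESTAMP, '10.0.5.17', 'cdn.beacon.malicious.example'),
        ('2024-03-12 09:00:31'::TIMESTAMP, '10.0.5.18', 'updates.example.com')
),
edr_logs (event_ts, host, process, sha256) AS (
    SELECT * FROM VALUES
        ('2024-03-12 08:59:00'::TIMESTAMP, 'wks-017', 'svchost.exe', 'PLACEHOLDER_SHA256_0001'),
        ('2024-03-12 08:59:05'::TIMESTAMP, 'wks-018', 'notepad.exe', 'PLACEHOLDER_SHA256_BENIGN')
),
-- Normalize every source to the same shape so one join covers all of them:
-- entity = the internal asset involved, observable = the value to check.
observations AS (
    SELECT event_ts, 'firewall' AS source, src_ip   AS entity, dst_ip     AS observable, 'ipv4'   AS ioc_type FROM firewall_logs
    UNION ALL
    SELECT event_ts, 'dns',                client_ip,          query_name,               'domain'             FROM dns_logs
    UNION ALL
    SELECT event_ts, 'edr',                host,               sha256,                   'sha256'             FROM edr_logs
)
SELECT o.event_ts, o.source, o.entity, o.observable, i.ioc_value, i.threat_name
FROM observations o
JOIN ioc_feed i
  ON i.ioc_type = o.ioc_type
 AND (LOWER(o.observable) = LOWER(i.ioc_value)
      -- a domain IOC should also catch any subdomain of the listed domain
      OR (i.ioc_type = 'domain'
          AND LOWER(o.observable) LIKE ('%.' || LOWER(i.ioc_value))))
ORDER BY o.event_ts;
```

Against the constructed rows this returns three hits (the EDR hash on wks-017, the DNS subdomain lookup and the firewall connection from 10.0.5.17), and the fact that two of them share an entity is exactly the kind of correlation a single store of telemetry makes cheap.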
Network Threat Technology
Network threat technology monitors traffic within an organization’s network, between it and other trusted networks, and to and from the internet, actively scanning for suspicious activity that may indicate malicious behavior. This technology reduces the time to detect and react to a threat, making it a critical tool for countering the increasing number of systemwide attacks by threat actors.
Endpoint Threat Technology
Endpoint threat detection and response (EDR) is an endpoint security solution that implements continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. This technology makes it possible to monitor and collect activity data in real time from endpoints and infrastructure that could indicate the presence of a potential threat. Armed with this data, teams can quickly identify threat patterns, generate an automatic response that removes or contains threats, and notify security personnel for further intervention. Endpoint threat detection technology also provides behavioral or forensic information to aid in investigating identified threats.
Security Data Lakes
Security data lakes are a subset of a data warehouse, with the flexibility to support both unstructured and semi-structured data in native formats. A security data lake makes it possible to stream all of an organization’s telemetry data into one store, eliminating the burdensome task of aggregating logs. This technology removes the cost and scalability limitations of storing security data in a security information and event management (SIEM) system. A security data lake allows security analysts to store many years’ worth of historical data, making it easy to determine whether a specific flagged pattern is typical or an anomaly that warrants further investigation.
How Snowflake Supports Threat Detection
Snowflake is an ideal foundation for threat detection. With Snowflake, your team can investigate the timeline of an incident across the full breadth of your high-volume log sources, including firewalls, servers, network traffic, AWS, Azure, GCP, and SaaS applications. Stream data from all logs to your security data lake, and search against all of your data in a Snowflake Connected Application that acts as your SIEM or XDR. Save on license fees and operational overhead while meeting compliance requirements. Snowflake’s network of cybersecurity partners provides specific tools for threat detection, threat hunting, anomaly detection, threat intelligence, vulnerability management, and compliance services on top of your security data lake. As a result, you can improve your cybersecurity posture across your organization and ensure confident and consistent responses to security incidents.
See Snowflake’s capabilities for yourself. To give it a test drive, sign up for a free trial.