Why it’s Time to Rethink Adversary Detection and Response — Now | Anomali

In the First World War, British soldiers faced a real threat – a 750-pound shell shot from behind enemy lines from an unseen attacker.

British intelligence analysts devised an innovative system of detection and response that included microphones recording sound blast waves and advanced math for triangulation. Calculations were performed by soldiers sitting in muddy trenches, using pencils, paper, and protractors. The result? While under attack, they spent more time investigating the threat than stopping the attacker.

Contemporary artillery detection systems, based on the same principles, offer far better visibility thanks to advances in automation. These modern systems automate the correlation of acoustic data with global intelligence, including attacker patterns and global attacker activity, giving soldiers a simple point on the map of an impending attack.

Cybersecurity has similarly had to evolve to address more sophisticated threats over the years. For instance, we started with signature-based detection technologies to stop payloads before execution and rules-based security like firewalls that blocked bad traffic.

Attacks then evolved in sophistication, gaining the ability to evade signature-based protection. Detection and response picked up where protection failed: using EDR, an analyst could manually determine whether endpoint, application or user activity looked suspicious. But analysts had to laboriously pore through suspicious activity data to pinpoint true threats. Like those WWI soldiers in the trenches, they toiled under attack to detect a threat – delaying any response. In retrospect, it marked a good first step – but it also led to badly overworked security teams.

That led to the emergence of SIEM, allowing analysts to better manage this data. But while protection, detection and monitoring solutions have proved effective, all these approaches are reactive, focused on the victim – either the device, the application or the user.

Time to Shift to Proactive Attacker Detection

I don’t think any security practitioner would object to taking a new approach if it would make their job easier and strengthen their defenses.

In the last year alone, we witnessed a major ransomware attack that took down the Colonial Pipeline, disrupting energy supplies up and down the East Coast, and an attack on Costa Rica resulting in its president declaring a state of emergency. Elsewhere, critical infrastructure in Asia was targeted in a “low and slow” attack that lasted over a year – with attackers using “live off the land” techniques to steal credentials and move laterally from less protected IT systems to highly critical operational infrastructure.

These were all attacks that had a real-life impact on people's lives, underscoring the urgency of moving beyond reactive threat detection to proactive attacker response. This much is understood: We need to extend our attack visibility across the entirety of the digital ecosystem. That means not just detecting attacks that have occurred but also preventing those that are likely to occur in the future.

In my conversations with security professionals, it’s clear they want to be more proactive. They make investments in intelligence in an attempt to become more strategic in their detection approach. But static intelligence puts analysts on a hamster wheel cycle of investigation without conclusion and provides CEOs and boards with a dangerous false sense of security.

We’re helping to change that dynamic.

Anomali believes in a future where our digital lives are protected by Defenders who have the ability to detect the attacker – not just the attack. The ability to see the attack coming, and to neutralize every relevant adversary – no matter the infinite escalation in digital noise.

Like a lion protecting the pride, Anomali is constantly on the lookout for predators, helping you stay vigilant to detect threats with precision and stop attackers with confidence. We strengthen your defenses with the most trusted intelligence, powered by big data telemetry, to stop attackers on sight.

The Anomali Platform, our differentiated XDR solution, provides a new way of detecting threats, one that focuses on the patterns of the attacker, rather than the behavior of the victim. We are evolving beyond reactive incident response to improve security posture before an attack. Together with automated indicator-based detection, we zero in on the attacker’s tactics, techniques and procedures to determine where the attack is coming from and when it should be expected.

The Anomali detection capability extends visibility with intelligence from over one hundred million attack sensors. This gives us a unique ability to understand attacker activity on a global scale and to take a previously unknown threat and make it known to the world. This is the largest global repository of intelligence, and it allows our teams to apply machine learning to precisely understand an attacker's next move, and to stop them before they strike.

Correlating an organization’s digital telemetry together with billions of global intelligence records, we detect a threat with precision. And it doesn’t matter if the attack happened in the last few minutes, or the last few years. We prioritize detections with context, including threat severity, asset criticality and attack surface vulnerability. That rapid-fire ability to respond to a threat, across an organization and even farther – across a shared Defender community – translates into instant protection and the embodiment of the next stage in adversary detection, with organizations truly becoming proactive.

This is no longer beyond the realm of possibility. We do it every day, thanks to our extended visibility across the digital landscape, our precision detection that pinpoints threats, and our comprehensive response across your digital estate and across time.

With Anomali, a Defender goes from the billions of global threats that keep her awake at night to the few prioritized incidents that have the potential to shut down the organization – in seconds.

As the security world gathers this week at RSA, we’re going to hear a lot about the future. With so many industry crosscurrents, the conversation often makes for a muddied picture. But this much has become crystal clear: When it comes to cyber security, organizations need to go beyond victim-based detection to detect and stop the attack before it happens.

Together with our customers and industry partners, Anomali is committed to moving beyond reactive threat detection to proactive attack prevention, making the cyber world safer and more secure.
