Threat Detection Systems Must Ferret Out the Most Sinister Intrusions
NEWS ANALYSIS: There's no question that the number of advanced persistent threats is on the rise, and your intrusion detection system alerts you to many of them. But not all threats are created equal.

WASHINGTON, D.C.—Pretty much everyone has heard about the massive data breach that hit retail giant Target at the end of 2013, and any number of people (including me) have discussed ways in which the problem could have been avoided. What wasn't widely known at the time is that Target's intrusion detection system actually flagged the breach while it was happening; the alerts simply weren't recognized as the real thing. Before anyone starts shaming Target, let me add that there's a big gap between detecting a threat and realizing that it's a problem. Unfortunately, most intrusion detection systems produce so much information that it's nearly impossible to decide which of the many thousands of potential security events are actual threats and which are not. What hasn't existed is a good way of filtering the output of an intrusion detection system so that someone can find the events that actually matter. Worse, among the threats that are genuinely serious, it's even harder to find the ones that matter in the context where they exist.
For example, if you happen to run across the code for a serious worm on a computer, it's a potential threat. But if the worm is designed to infect Windows and it has landed on a Mac, the threat is significantly diminished, since it won't execute there. It's still a potential threat, though, since it could at least theoretically be passed along to a Windows machine, for example as an infected email attachment. Knowing which of those two situations you are looking at requires the alert to be read together with what you know about the host it fired on, and that is exactly the context most detection systems leave out.
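The following is an added example of the kind of context-aware triage the article is calling for; it is not code from the original article or from any product mentioned in it. It scores constructed IDS alerts against a hypothetical asset inventory (host names, OS values, roles and signature names are all made up for illustration), so that a Windows-only worm seen on a Mac is kept as a latent finding but pushed to the bottom of the queue, while the same family of alert on a Windows point-of-sale host goes to the top.

```python
"""Context-aware triage of IDS alerts (added example, hypothetical data).

Each alert is scored against what the asset inventory says about the host
it fired on. A payload that cannot run on the host is downgraded, not
dropped, because it could still be relayed to a host where it can run.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    os: str          # "windows", "macos" or "linux"
    role: str        # "pos", "server" or "workstation"


@dataclass(frozen=True)
class Alert:
    host: str
    signature: str
    target_os: str   # OS the detected code runs on, or "any"
    severity: int    # 1 (low) .. 5 (critical), as reported by the IDS


# Constructed asset inventory; none of these hosts are real.
INVENTORY = {
    "pos-0417": Asset("pos-0417", "windows", "pos"),
    "design-mac-02": Asset("design-mac-02", "macos", "workstation"),
    "web-01": Asset("web-01", "linux", "server"),
}

# Business weight of the host role (assumed values for this example).
ROLE_WEIGHT = {"pos": 2.0, "server": 1.5, "workstation": 1.0}


def score(alert: Alert, inventory: dict = INVENTORY) -> dict:
    """Return a priority, a human-readable reason and a 'latent' flag."""
    asset = inventory.get(alert.host)
    if asset is None:
        # Unknown host: we cannot prove the payload is harmless here, so
        # treat it as exploitable and bump it for the missing inventory entry.
        return {"priority": alert.severity * 1.5,
                "reason": "host not in inventory", "latent": False}

    exploitable = alert.target_os in ("any", asset.os)
    if exploitable:
        priority = alert.severity * ROLE_WEIGHT[asset.role]
        reason = f"{alert.target_os} payload on {asset.os} {asset.role}"
        latent = False
    else:
        # OS mismatch: the code will not execute on this host, but it could
        # be forwarded, so keep a floor priority instead of discarding it.
        priority = max(1.0, alert.severity * 0.25)
        reason = f"{alert.target_os} payload on {asset.os} host: latent only"
        latent = True
    return {"priority": round(priority, 2), "reason": reason, "latent": latent}


def triage(alerts, inventory: dict = INVENTORY):
    """Score every alert and return (alert, score) pairs, highest first."""
    scored = [(a, score(a, inventory)) for a in alerts]
    return sorted(scored, key=lambda pair: pair[1]["priority"], reverse=True)


# Constructed sample alerts; signature names are invented for the example.
SAMPLE_ALERTS = [
    Alert("design-mac-02", "worm.win32.autorun", "windows", 5),
    Alert("pos-0417", "trojan.win32.ramscraper", "windows", 4),
    Alert("web-01", "scan.ssh.bruteforce", "any", 2),
    Alert("unknown-host", "worm.win32.autorun", "windows", 5),
]

if __name__ == "__main__":
    for alert, result in triage(SAMPLE_ALERTS):
        print(f"{result['priority']:>5}  {alert.host:<14} {alert.signature:<26} {result['reason']}")
```

The point of the floor priority in the mismatch branch is the caveat from the paragraph above: the Mac alert is not noise, it is just not the thing to chase first. In a real deployment the inventory would come from the CMDB or endpoint agent rather than a dictionary, and the role weights would be tuned to the business, but the shape of the decision is the same.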