Threat Detection Systems Must Ferret Out the Most Sinister Intrusions

NEWS ANALYSIS: There's no question that the number of advanced persistent threats is on the rise, and your intrusion detection system alerts you to many of them. But not all threats are created equal.

WASHINGTON, D.C.—Pretty much everyone has heard about the massive data breach that hit retail giant Target at the end of 2013, and there have been any number of people (including me) who have discussed ways in which the problem could have been avoided.

What wasn't known at the time is that Target's intrusion detection system actually caught the breach while it was happening; the alerts simply went unrecognized.

Before anyone goes and starts shaming Target, let me also add that there's a big gap between detecting a threat and realizing that it's a problem. Unfortunately, most intrusion detection systems produce so much information that it's nearly impossible to decide which of the many thousands of potential security events are an actual threat and which are not.

What hasn't existed is a good way of filtering all of the results from an intrusion detection system so that someone can find the ones that actually matter. Worse, even among the threats that are genuinely serious, it's harder still to pick out the ones that matter in the context where they were found.

For example, if you happen to run across the code for a serious worm on a computer, it's a potential threat, but if the worm is designed to infect a Windows computer and it's been downloaded to a Mac, the threat is significantly diminished, since it won't execute there. But it's still a potential threat since it could at least theoretically be passed along to a Windows machine through an infected email.

To determine whether a threat is relevant, all you have to do is analyze the threat, identify its intended target and then analyze your systems and see if that threat will actually affect you. Easy, right? Well, not exactly. What you really need is some kind of automated assistance, but until lately it hasn't existed.
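The relevance logic described in the two paragraphs above (does the payload run on the platform where it was seen, and does that host support a critical function?) can be sketched as a small triage routine. The following is an added illustration, not Cyphort's product logic or any code from the article; the hostnames, threat names, scoring weights and the `UNKNOWN_ASSET_SCORE` constant are all constructed for the example.

```python
"""Hypothetical alert-contextualization example (added for illustration; not Cyphort's code).

An IDS alert matters most when the payload can actually execute on the asset where it
was seen, and that asset supports a critical business function. This script joins alerts
against a constructed asset inventory and ranks them accordingly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str            # platform the host actually runs
    criticality: int   # 1 (lab box) .. 5 (supports a critical business function)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    hostname: str         # where the IDS saw the payload
    threat_name: str
    target_os: frozenset  # platforms the payload is built to execute on


# Constructed sample inventory and alerts (not real hosts or detections).
SAMPLE_ASSETS = {a.hostname: a for a in [
    Asset("finance-db01", "windows", 5),
    Asset("design-mac03", "macos", 2),
    Asset("web-lb02", "linux", 4),
]}

SAMPLE_ALERTS = [
    Alert("A1", "finance-db01", "win-worm-x", frozenset({"windows"})),
    Alert("A2", "design-mac03", "win-worm-x", frozenset({"windows"})),
    Alert("A3", "design-mac03", "linux-rootkit-y", frozenset({"linux"})),
    Alert("A4", "ghost-host99", "win-worm-x", frozenset({"windows"})),
]

UNKNOWN_ASSET_SCORE = 25  # arbitrary weight: an alert we cannot scope cannot be dismissed


def relevance(alert: Alert, assets: dict) -> tuple:
    """Classify one alert against the inventory and return (label, score)."""
    asset = assets.get(alert.hostname)
    if asset is None:
        # A host missing from inventory is itself a finding: the alert cannot be scoped.
        return ("unknown-asset", UNKNOWN_ASSET_SCORE)
    if asset.os in alert.target_os:
        # The payload can execute here; weight by how much the host matters.
        return ("actionable", 10 * asset.criticality)
    # Wrong platform: diminished, but the file could still be relayed onward
    # (e.g. mailed to a Windows user), so keep a small residual score.
    return ("latent", asset.criticality)


def triage(alerts, assets):
    """Return (alert, label, score) rows ranked highest-relevance first; ties keep input order."""
    scored = [(alert, *relevance(alert, assets)) for alert in alerts]
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for alert, label, score in triage(SAMPLE_ALERTS, SAMPLE_ASSETS):
        print(f"{alert.alert_id} {alert.hostname:<14} {alert.threat_name:<16} {label:<14} {score}")
```

With the constructed data, the Windows worm on the critical Windows database host ranks first, the unknown host ranks second because it cannot be ruled out, and the two mismatched-platform alerts on the Mac drop to the bottom without being discarded.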

I realized that this had changed when I visited the Gartner Security and Risk Management Summit here and ran across Cyphort, a company that produces an appliance-based threat management product that does more than just flag suspected malware. The Cyphort Advanced Threat Defense Platform is designed to analyze threats and determine whether they can impact your enterprise, and if they do, whether they are threatening a critical function.

The Cyphort platform works with other security hardware from Palo Alto Networks and Bluecoat, and it's able to sort out the threats that can affect your network infrastructure and those that won't. In addition, the platform will use information you provide to determine just how much of a threat some types of malware might be.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He's a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...