Threat detection is a critical part of any security strategy and business continuity plan, but it requires an understanding of how each selected security solution operates in relation to time. Time is a critical factor, because time to resolution can make the difference between a crippling breach and a threat that is contained and isolated. Many enterprises lean too heavily on either prevention or breach mitigation and need a more balanced approach.
Endpoint solutions: These are threat detection tools that work directly on the endpoint, using techniques to identify a threat and prevent it by blocking access on the device. These techniques range from scanning files for threats to sandboxing applications deemed untrustworthy. For a blocking tool on an endpoint to be effective, it has to respond quickly, usually within about ten milliseconds. If the block/allow decision takes longer than that, endpoint performance suffers, and the tool may become so cumbersome that the user removes it.
Network-based detection: Better than stopping a threat at the endpoint is stopping it before it ever reaches the endpoint. A network-level detection tool requires faster detection speeds, with threats identified at least about 100 milliseconds before a compromise takes place. These solutions face the same challenge that is inherent in endpoint threat mitigation: the tool must be able to identify the threat without degrading network performance.
It’s important to distinguish between intrusion detection systems (IDS) and intrusion prevention systems (IPS). An IDS only identifies a threat and raises an alert, while an IPS works to block it before it ever enters the network. Some advanced threats take longer to identify and may be more difficult to prevent.
Log analysis: Monitoring is a critical component of any business continuity plan, and careful log analysis complements endpoint and network-based tools to provide a more complete threat detection strategy. Correlating events recorded in logs can surface threats that other detection solutions have missed. An individual event may seem benign, but placed in the context of a user’s typical behavior, it can stand out as a potential threat.
The time that it takes for log analysis to identify a potential threat varies based on the particular event and the context in which the analysis places it.
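The kind of context-based correlation described above, as an added example rather than anything from the original page: a baseline of each user's usual login hours and source networks is built from past successful logins, and new successes are flagged when they fall outside that baseline or follow a burst of failures from the same source. The log lines, user names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from any real system): timestamp user source_ip outcome
HISTORY = """\
2024-03-01T09:02:11 alice 10.1.4.20 success
2024-03-02T17:45:03 alice 10.1.4.22 success
2024-03-02T09:30:27 bob 10.1.7.15 success
"""
NEW_EVENTS = """\
2024-03-04T03:14:02 alice 203.0.113.9 failure
2024-03-04T03:14:20 alice 203.0.113.9 failure
2024-03-04T03:14:41 alice 203.0.113.9 failure
2024-03-04T03:15:05 alice 203.0.113.9 success
2024-03-04T09:10:33 bob 10.1.7.15 success
"""

def parse(text):
    # Turn the log text into (timestamp, user, ip, outcome) tuples.
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.fromisoformat(ts), u, ip, o) for ts, u, ip, o in rows]

def build_baseline(events):
    """Per user, record the login hours and /24 source networks seen in past successes."""
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for ts, user, ip, outcome in events:
        if outcome == "success":
            baseline[user]["hours"].add(ts.hour)
            baseline[user]["nets"].add(ip.rsplit(".", 1)[0])
    return dict(baseline)

def detect(baseline, events, window=timedelta(minutes=5), max_failures=3):
    """Flag successful logins that look suspicious only in context: baseline deviation or preceding failures."""
    alerts, failures = [], defaultdict(list)   # failures: (user, ip) -> timestamps of failed attempts
    for ts, user, ip, outcome in sorted(events):
        if outcome == "failure":
            failures[(user, ip)].append(ts)
            continue
        prof = baseline.get(user, {"hours": set(), "nets": set()})  # unknown user: everything is new
        reasons = []
        if ts.hour not in prof["hours"]:
            reasons.append("off-hours login")
        if ip.rsplit(".", 1)[0] not in prof["nets"]:
            reasons.append("new source network")
        recent = [t for t in failures[(user, ip)] if ts - t <= window]
        if len(recent) >= max_failures:
            reasons.append("success after %d recent failures" % len(recent))
        if reasons:
            alerts.append((ts.isoformat(), user, ip, reasons))
    return alerts
```

Bob's morning login from his usual network produces no alert, while Alice's success is reported with all three reasons; in practice the baseline would be learned over a much longer window and the thresholds tuned per environment.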
Ideally, all threats would be detected long before they make contact with the enterprise endpoints or network. Security teams are doing the next best thing by balancing these three areas to provide a more complete threat detection strategy.
To learn more about solutions for reducing the time-to-resolution in the event of a security breach, contact us at Computer Security Solutions. We’ll help you weigh threat prevention and detection tools to create the balanced business continuity plan your enterprise needs.