Threat detection and response is the use of big data analytics to find security threats across large and disparate data sets. The objective is to find anomalies, assess their threat level and determine what mitigating actions may be needed in response. Demand for threat detection and response solutions has grown as the volume of data being produced keeps increasing at a rapid rate.
Devices used for threat detection and response at home are built to collect and analyze forensic data while being configured to monitor for, identify and control security threats.
Types of threat detection devices used at home
Configuration based threat detection
Configuration based threat detection identifies deviations from a known architecture. Example: two field devices communicating with each other, contrary to the architecture and design expectations.
Strengths:
- With accurate visibility and coverage, it can in principle detect all sorts of malicious activity
- Accessible to individuals with a wide range of experience
- Simple to maintain in static environments
- Adds precise value to other detection types in response situations
Weaknesses:
- Hard to maintain in dynamic environments
- Restricted visibility and coverage reduce effectiveness
- Assumes knowledge of the configuration and infrastructure
- Prone to false positives because configurations are likely to change
Modeling based threat detection
Modeling based threat detection devices use mathematical models to classify assets and activity, identifying behaviour that is inconsistent with the model. Example: an abnormal number of write requests over Modbus TCP, outside the usual range given the average over the last month.
Strengths:
- Can readily identify novel adversary activity
- Simple to maintain in extremely static environments
- Adds great value to other threat detection types in response situations
Weaknesses:
- Difficult to maintain when the environment changes
- Limited visibility and coverage reduce effectiveness
- No context of threat activity to support the investigation
- Prone to false positives because configurations are likely to change
Indicator based threat detection
Indicator based threat detection devices search for previously known pieces of information, most often seen in the form of indicators of compromise. Example: a specific IP address that is accessing internal assets.
Strengths:
- Quickest type of threat detection to create and deploy
- Keeps specific threat detection context related to the indicator
- Helpful for enriching other data sources and threat detection
- Extremely efficient for scoping an environment after the indicator has been observed
Weaknesses:
- Value is extremely dependent on the adversary's rate of change
- Doesn't scale well across victims
- Unknown indicator expiry leads to wrong detections
- Hard limits on how many indicators can be processed
Threat behavior-based detection
Threat behavior-based analytics examine activity in an environment and compare single actions and aggregate actions against a set of known malicious or unwanted behaviours. Example: legitimate VPN access followed by user account creation and a file download on
Strengths:
- Good durability against adversary change
- Simple to tune for any environment
- Very low false-positive rates
- Only a few analytics are needed to detect most known suspicious behaviour used somewhere in an intrusion
Weaknesses:
- Several analytics are needed to provide complete coverage
- Moderately hard to implement
- Not completely reusable
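The behavior-based example above (VPN access, then account creation, then a file download by the same user) as an added Python example, not code from the original page; the event records, user names, action names and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page): (ISO timestamp, user, action)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "vpn_login"),
    ("2024-05-01T08:05:00", "alice", "account_created"),
    ("2024-05-01T08:20:00", "alice", "file_download"),
    ("2024-05-01T09:00:00", "bob", "vpn_login"),
    ("2024-05-01T13:00:00", "bob", "file_download"),      # no account creation
    ("2024-05-02T08:10:00", "carol", "account_created"),  # no VPN login first
    ("2024-05-02T08:12:00", "carol", "file_download"),
    ("2024-05-03T10:00:00", "dave", "vpn_login"),
    ("2024-05-03T12:30:00", "dave", "account_created"),   # outside the window
    ("2024-05-03T12:35:00", "dave", "file_download"),
]

# The behaviour chain the analytic looks for, in order (assumed action names).
CHAIN = ["vpn_login", "account_created", "file_download"]


def detect_chain(events, chain=CHAIN, window=timedelta(hours=1)):
    """Return (user, start, end) for each user whose actions contain `chain`
    in order, all within `window` of the chain's first step.

    Unlike an indicator match, this fires on the *sequence* of actions, so it
    keeps working when the adversary changes IPs, tools or file names."""
    by_user = {}
    for ts, user, action in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), action))

    hits = []
    for user, acts in by_user.items():
        acts.sort()  # chronological order per user
        for i, (start, first) in enumerate(acts):
            if first != chain[0]:
                continue  # a chain can only begin at its first step
            step = 1
            for ts, action in acts[i + 1:]:
                if ts - start > window:
                    break  # later steps fall outside the window; try next start
                if action == chain[step]:
                    step += 1
                    if step == len(chain):
                        hits.append((user, start.isoformat(), ts.isoformat()))
                        break
            if hits and hits[-1][0] == user:
                break  # one alert per user is enough for triage
    return hits


if __name__ == "__main__":
    for user, start, end in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT {user}: chain completed between {start} and {end}")
```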