There are now so many cyberattacks that many enterprises simply accept that hackers and bad actors will find ways to break into their systems.
A strategy some large businesses have developed over the past two years has been to quickly identify and isolate these attacks, possibly by shutting down part of a system or network so the hackers won't get days or weeks to root around and grab sensitive corporate data.
This enterprise focus on rapid detection and response to various attacks on networks and computers doesn't replace conventional security tools to prevent attacks. Instead, businesses are relying on both prevention software and detection software.
What's happened most recently is that security software vendors are developing means to evaluate attacks with advanced analytics. That analysis can be fed back into existing prevention systems to help thwart future attacks. Detection becomes part of a security cycle, at least in theory.
"There's a big focus on rapid detection and response in enterprises because prevention often misses the intrusions and malicious activities," said Gartner analyst Avivah Litan in an interview. The focus started in earnest about two years ago following a big increase in data breaches at U.S. retailers, restaurants and hospitals.
"Security officials woke up and realized with $80 billion spent [in 2014] on prevention, a lot of attacks were getting through," Litan said. The main intent is to find attacks early "so that attackers won't get in and sit around for six months and silently steal information, as most attackers do."
James Moar, an analyst at Juniper Research, said the modern state of cybersecurity has evolved. "There is no longer a reliable network perimeter than can be guarded, but rather a series of risks that have to be mitigated or exposed," he said in an email. "In order to protect and secure such an environment, anomaly detection tools are the first step in determining if an attack is underway."
How detection helps
What typically happens when an attack is detected is that security managers will isolate it, often by confining the malware or other threat to a portion of a corporate network where as few endpoints (servers and computers) as possible can be attacked. For a large company, a network could be comprised of a number of combined smaller networks that can be arranged in a topology that allows many vital business functions to continue even when one portion is shut down.
"Folks in security management are doing a lot more segmenting of their networks these days, so that if they detect something major, they can shut off a portion," said IDC analyst Robert Ayoub, in an interview.
Sign up for MIS Asia eNewsletters.