What are the Generational Differences in Threat Detection Solutions?
Cyber security experts often use a generational model to describe the evolution of threat detection. To determine which generation is right for your company and offers the most value, you’ll want to familiarize yourself with the key characteristics of each generational level. Here, for example, are generations three through six, starting with basic cyber security solutions and ending with advanced ones.
3rd Generation platforms provide a category of technology called Security Incident and Event Management, or “SIEM”, solutions. The premise of a SIEM solution is its reliance on pre-determined “rules” or policies, with a human analyst deciding which alerts to produce based on a set of pre-defined indicators. The majority of cyber security customers and providers in the industry use a SIEM solution today.
- Can provide “checkbox” compliance & reporting with pre-canned reports of log analysis
- Can often support other applications in addition to cyber-monitoring, such as performance management
- Unable to process large volumes of data without excessive license costs
- Data reduction is required to lower the log volume
- Requires excessive labor and expertise to tune the system
- Results often have high false positive rates, and it may take your team hours to determine which alerts need to be addressed
- Fails to discover unknown threats, anomalies, and advanced threats
The 4th Generation platforms in the marketplace today are essentially SIEM platforms with add-on capabilities bolted onto the platform to address detection blind spots. These solutions are often marketed as Next Generation SIEM or “SIEM-less” technology products, due to their objective of improving the labor efficiency of managing the SIEM platform.
- Less intensive labor requirements compared to 3rd generation systems
- Available 3rd Party add-ons to protect blind spots
- Can combine with 3rd Party SOAR solutions to gain process efficiencies
- 3rd party add-ons are not natively integrated (e.g. UEBA, GRC systems, etc.)
- Has the same shortcomings as 3rd generation systems
- Still unable to process large volumes of data without excessive license costs
- Includes a licensing expense for all the non-native, add-on features
- Does a poor job of detecting anomalies, unknown threats, and advanced threats
5th Generation platforms do not use SIEM technology but use Threat Analytics as their technology paradigm. Threat Analytics platforms do not depend on rules to identify threats, but instead use behavior and machine learning to evaluate all of the available data without data reduction. They natively correlate user, asset, and network behavior, include advanced correlation use cases, and use machine learning to not only detect unknown threats but also to evaluate their accuracy.
A key capability of a 5th Generation system is the ability to ingest, process, and analyze all of the log data, so that no potential threat enters the environment without being analyzed. The system cannot reduce the data into subsets that are easier for databases to process, because doing so narrows the breadth of potential threat indicators available for post-processing threat analysis, hunting, and forensic analysis.
- Evaluates all available data without data reduction
- Also finds threat indicators of anomalies and unknown threats
- Fully integrated user, network, and asset behavior
- IoT use cases often included as an integrated capability or add-on
- Asset identification integrated with threat detection
- Often less expensive and less labor-intensive
- Many of these technologies and systems are still early in their development and are not yet fully mature
- Many disparate technologies exist in the marketplace but are part of a piecemeal approach to creating a proprietary technology stack for detection
- Technologically complex for a company to design, build, and manage itself
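To make the contrast between a rule-driven 3rd generation detector and a behavior-driven 5th generation one concrete, here is an added example (not Security On-Demand’s code or any product’s logic) that runs both over constructed log lines, and also shows what the data-reduction caveat above costs: the log format, the failed-login threshold, and the baseline features (host and hour of day) are all assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's schema).
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
                  r"action=(?P<action>\S+) result=(?P<result>\S+)")

def parse(line):
    e = LINE.match(line).groupdict()
    e["hour"] = int(e["ts"][11:13])  # hour of day from the ISO timestamp
    return e

# Constructed history: five quiet days of routine logins for two users.
HISTORY = [f"2024-03-0{d}T09:0{d}:00 user=alice host=ws-12 action=login result=success"
           for d in range(1, 6)]
HISTORY += [f"2024-03-0{d}T08:1{d}:00 user=bob host=ws-07 action=login result=success"
            for d in range(1, 6)]
# Constructed events for the day under analysis: a burst of failures for alice, and
# one successful login for bob from a host and at an hour he has never used before.
TODAY = [
    "2024-03-06T09:00:00 user=alice host=ws-12 action=login result=failure",
    "2024-03-06T09:00:20 user=alice host=ws-12 action=login result=failure",
    "2024-03-06T09:00:40 user=alice host=ws-12 action=login result=failure",
    "2024-03-06T03:12:00 user=bob host=srv-db action=login result=success",
]

def reduce_to_failures(lines):
    """Data reduction as a 3rd-gen pipeline might apply it: keep only failed logins."""
    return [l for l in lines if "result=failure" in l]

def rule_based(lines, threshold=3):
    """3rd-gen style: a predefined indicator (N failed logins per user) decides the alert."""
    fails = defaultdict(int)
    for e in map(parse, lines):
        if e["action"] == "login" and e["result"] == "failure":
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}

def behavioral(history, lines):
    """5th-gen style: every event is compared with the user's own baseline of hosts and hours."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in map(parse, history):
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(e["hour"])
    alerts = defaultdict(list)
    for e in map(parse, lines):
        if e["host"] not in hosts[e["user"]]:
            alerts[e["user"]].append("new host " + e["host"])
        if e["hour"] not in hours[e["user"]]:
            alerts[e["user"]].append(f"unusual hour {e['hour']:02d}")
    return dict(alerts)
```

The rule catches alice’s failure burst but has no indicator for bob’s successful off-hours login from an unfamiliar host, which the baseline comparison flags; run the baseline over the reduced failures-only feed and bob disappears entirely, which is the data-reduction blind spot the section describes.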
6th Generation platforms utilize Threat Analytics as their foundational detection approach, but have extended their threat detection capabilities into “Full Spectrum Threat Analysis”. Full Spectrum Threat Analysis (FSTA) is the current desired state within the industry and is only now becoming available in the marketplace. 6th generation tools utilize machine learning and behavioral analytics to find threats rather than depending on rules alone.
Security On-Demand is one of those providers offering 6th Generation capabilities, built on its 5th Generation platform.
Why Implement Next Generation Security?
6th generation threat detection platforms reduce false positive alerts, allowing analysts more time to investigate and validate high-probability threat indicators.
One key distinction of a strong 6th gen defensive system is the ability to analyze all of the data continuously, which is a key advantage in finding a larger range of threat indicators using behavioral means, as well as improving the speed to detection.
Threat detection analytics platforms are able to find threats within minutes or hours instead of weeks or months. The longer a breach remains undetected in an environment, the more damage attackers can cause. Detecting threats quickly and accurately can save companies millions in remediation costs.
Effective 5th and 6th gen technologies can be relatively inexpensive to add to your current IT security stack. Investing in newer, stronger technology platforms protects your company from dynamic threats like malware and ransomware.
To learn more about how 6th gen threat detection can benefit your organization, schedule a demo here.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection and analytics services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value, reduce risk, and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA, with international R&D offices and a Security Operations Center in Warsaw, Poland.