Trustwave Blog

What Is Threat Detection and Response?

Written by | Aug 26, 2020

For all organizations, no matter what they do or where they are located, cyberthreats are a growing concern. Every year, criminals invent new and innovative ways to steal information, compromise networks, demand ransoms and damage reputations.

To defend against those threats, threat detection and response (TDR) has become one of the most important cybersecurity practices. For organizations that don’t want to make the considerable, often impractical, investment in building TDR capabilities internally, there are managed threat detection and response (MTDR) services that offer significant additional advantages. According to the research firm Gartner, by 2024, 90% of buyers looking to outsource security service providers will focus on TDR services [1].

To fully explore what TDR is, and how it can help protect your organization, we’ll start by defining some of the basic concepts and terminology.

The Definition of Threat Detection and Response (TDR)

On its most basic level, absent the unique enhancements that cybersecurity providers add to their offerings, TDR is the practice of finding and identifying threats within your organizational IT infrastructure, which now includes mobile devices and apps, the cloud, the Internet of Things (IoT), and beyond.

Threats can be considered anything that has the potential to do your organization harm, and the types of threat vectors your organization needs to be aware of change and grow almost every year. Many of these threats will evade your first lines of defense, such as your antivirus programs and firewalls. How you are able to respond to and mitigate those threats is a key component of your TDR strategy.

How Threat Detection and Response Is Conducted

When your organization is conducting TDR, at a minimum it will be scanning for threats on a 24/7 basis using a combination of threat detection and response tools and methodologies, as there is no single “magic bullet” for effective threat detection and response. You will typically have software sensors monitoring your endpoints, gathering data on events and activity. A security platform will govern that data, helping your security staff identify suspicious activity. Alerts and triggers will typically be set up to help your team know when to take action.

The combination of human intelligence and automated processes is key to conducting effective threat detection and response. Fully automated threat detection and response solutions will not be effective on their own, just as your security team will not be able to fully monitor and analyze all activity in your IT ecosystem without the aid of software.

Threat Detection and Response Goals

Beneath the overarching goal of preventing threats from turning into attacks, the objectives of your TDR activity will typically include:

  • Reduction of dwell time inside your network environment. Attackers often have access to compromised environments for an extended period of time; finding and eliminating those breaches is crucial.
  • Proactively hunting for threats, to find the known unknowns that almost all organizations contend with.
  • Accelerating detection and response to database risk with database security tools.
  • Protecting your users from cyber threats and spam with secure email gateway solutions.
  • Mitigating the harm when breaches do occur. Threat detection and response solutions and services will help your security teams quarantine the vulnerability, stop malicious processes, and eliminate the threats.
  • Formulating a response to successful attacks. Your TDR tools will be invaluable as your team formulates an incident response plan, considers digital forensics to better understand the attacks, and bolsters your security.

There are additional tertiary benefits that a robust TDR practice can provide, such as helping to provide visibility into network traffic and data activity.

Threat Detection and Response Challenges

As organizations seek to put effective threat detection and response solutions into place, they will typically face obstacles:

  • The pace of change in cybersecurity is punishing: new threat vectors and techniques are constantly evolving in response to whatever defenses are put in place.
  • Your IT environments are becoming increasingly complex, as the perimeter has expanded to endpoint, email, network, cloud applications and databases. Along with new capabilities, like cloud servers, come new and often unforeseen vulnerabilities.
  • The sheer volume of information your security team needs to analyze is massive, and growing. Sifting through all the “noise” to find actionable intelligence is a daunting task.
  • Integrating all of your tools and solutions can be challenging; many organizations have multiple cybersecurity vendors and products.
  • Evaluating different threat detection and response solutions can be difficult. Some providers use vague or overly complex terminology that creates confusion, leading research firms like Gartner to provide guidance on threat detection and response.

In addition to the above, one of the biggest obstacles that organizations will face when trying to implement a threat detection and response solution is the skills gap. Recruiting and retaining top cybersecurity talent is difficult, as competition for experienced individuals can be intense. Organizations typically also grapple with resource limitations that might hamper their ability to properly fund a fully internal threat detection and response capability.

[1] Gartner, “Managed Security Services Landscape is Changing”, ID G00719320
