Threat Detection and Response (TDR) - Definition & Overview

Threat detection and response is the most important aspect of cybersecurity for IT organizations that depend on cloud infrastructure. Without the ability to recognize network intruders or other malicious adversaries in a timely fashion, IT security analysts have no hope of responding effectively to security events and effectively mitigating damage.

A threat is anything that has the potential to cause harm to a computer system or cloud network. Threat detection, therefore, describes the ability of IT organizations to quickly and accurately identify threats to the network or to applications or other assets within the network. Once a threat has been detected, the next step is the response. Threat responses should be planned in advance so that action can be taken quickly.

Despite the massive importance of cybersecurity, IT organizations still face significant challenges when it comes to threat detection. The good news is that there are many types of cybersecurity software solutions that can be deployed by enterprise IT organizations to support the timely detection of threats and help streamline or even automate the response.

A report conducted by ESG research in 2019 reveals: 76% of cybersecurity employees report that their job had gotten more difficult compared to two years prior. Data breaches are becoming increasingly common and with more IT organizations moving assets into the cloud, there is more opportunity than ever for malicious adversaries to conduct successful cyber attacks. Cybersecurity professionals are facing unprecedented challenges in threat detection and response, such as:

Complex Cloud Environments

With most companies now using more than one cloud environment and the average company deploying as many as twenty separate applications into the cloud, it has become increasingly difficult for SecOps to maintain adequate oversight of enterprise cloud environments.

Reactivity over Process

Threat detection is inherently a proactive process, yet many IT organizations spend much of their time behaving in a reactive way: putting out fires and dealing with emergencies instead of building the processes and implementing the tools that drive a reliable threat detection and response process. Moving from reactive to proactive action is a major challenge faced by enterprise IT.

Perimeter Focus

Many IT organizations focus too much of their effort and attention on attacks from the perimeter. There are two problems with this approach:

1. The organization may have a great perimeter firewall but remains susceptible to vectors like phishing attacks which surpass perimeter firewalls.
2. The organization may lack the capability to detect an attack once the perimeter is breached.

Too much focus at the perimeter of the network can create a false sense of security while assets within the network remain vulnerable.

Infinite Arms Race

IT organizations are part of an infinite arms race against cyber attackers. As IT organizations develop new threat detection and response capabilities, cyber attackers continue to develop new types of threats to circumvent detection systems. This process is ongoing.

Disconnected Tool Suite

IT organizations rely on a range of cybersecurity tools to assist with threat detection and response. While more than one software tool is needed to support effective threat detection, a disconnected tool suite with disparate components can make it difficult and time-consuming to track security events.

Staffing Challenges

Industry data suggests that cybersecurity jobs are growing at nearly three times the rate of IT jobs overall, yet the industry faces a skill shortage when it comes to qualified cybersecurity professionals. In 2019, the global shortage of cybersecurity professionals is estimated at 2 million total jobs and continues to increase.

The first step to an effective threat detection and response process is understanding what threats are present in the cyber environment. This shortlist covers several of the most common types, but there are more out there and new ones appear all the time.

Malware - Malware includes any malicious software program. Malware programs include spyware, viruses, trojan horse applications and other applications that can infect your computer or network, stealing sensitive information and otherwise wreaking havoc and chaos.

Phishing - Phishing attacks trick the recipient into volunteering sensitive data. They usually consist of an e-mail that requests the recipient to provide sensitive information. They may also include a link to a web page that has been spoofed to resemble a familiar site where the visitor might enter login information or other personal details.

Ransomware -Ransomware is a type of malware that locks or disables a computer and asks the user to pay to regain access.

DDoS - A DDoS attack happens when a cyber attacker uses a network of remotely controlled computers to flood a website or network with traffic, usually in an attempt to disable the server.

Botnets - A botnet is a network of infected computers. Some hackers realized that instead of writing a virus that makes your computer go haywire, they could write a program that makes your computer send spam e-mails to others with malicious attachments or participate in a DDoS attack. You may not even know that your machines are affected.

Blended Threat - A blended threat uses multiple techniques and attacks vectors simultaneously to attack a system.

Zero-Day Threat - Zero-day threats are new threats that nobody has seen before. They are the result of the arms race between IT organizations and cyber attackers. Because they are brand new, zero-day threats are unpredictable and difficult to prepare for.

Advanced Persistent Threat (APT) - An APT is a sophisticated cyber attack that includes long-term surveillance and intelligence gathering, punctuated by attempts to steal sensitive information or target vulnerable systems. APTs work best when the attacker remains undetected.

Just as cyber attackers may deploy a range of threats to target security vulnerabilities within a cloud infrastructure, IT organizations can leverage a variety of software tools and applications to detect and respond to threats in a timely fashion. These include, but are not limited to:

• Cloud Access and Security Brokers (CASB)
• Endpoint Detection & Response
• Intrusion Detection/Prevention Systems (IDS/IPS)
• Perimeter and Application Firewalls
• Threat Intelligence Platforms

Sumo Logic's cloud-native platform helps IT organizations expand their threat detection and response capabilities for cloud environments. With Sumo Logic, IT organizations can:

1. Collect and aggregate security event data from a broad range of security software solutions into a single unified system
2. Parse security logs with data analysis driven by machine learning and pattern recognition algorithms
3. Automate the discovery of trends and patterns that could indicate a security event while cross-referencing data with the newest threat intelligence from CrowdStrike
4. Configure alerts to cyber security professionals when a threat is detected, ensuring a timely human review and response
5. Program automated threat responses to begin damage mitigation and system restoration immediately when a threat is discovered
6. Quickly perform root cause analysis and patch vulnerabilities

Sumo Logic helps IT organizations move away from reactive IT security and proactively shield their cloud deployments from malicious cyber attacks.