Compromise Detection vs. Threat Detection: Why ‘Right of Boom’ Now

Originally published by Netography.

Written by Matt Wilson, VP Product Management, Netography.

In 2022, the average total cost of a data breach reached a record high of $4.35 million. And it took an average of 277 days – about 9 months – to identify and contain a breach. But when organizations can shorten that time to 200 days or less, they can save on average $1.12 million. Even 200 days is far too long. We can do much better. It all comes down to addressing right of boom – the period during and after an initial breach has happened.

From threat detection

As an industry, we’ve historically focused on threat detection, looking for indications that the behaviors that are active as part of the threat, for instance around phishing attempts or port scanning, are happening. When we detect signs that someone is trying to probe our defenses in search of vulnerabilities they can actively exploit or perhaps are in the process of actively exploiting, the objective is to block them.

A lot of traditional Network Detection and Response (NDR) models look at known threat vectors and associated activities, and when they can see that in the payload, they can do something about it. This is great, and there’s definitely a use case for that. However, if NDRs were foolproof we wouldn’t really have the need for much else. The fact is they are not.

Between zero-day codes, very creative attackers, user mistakes, and DEED environments, it’s hard to guard against everything. The initial threat leading up to the compromise can be nearly imperceptible and is becoming increasingly difficult to detect, which is why it’s inevitable that every organization will get hit. We read about new cases of cyberattacks daily and those are only the ones that are big enough to get reported. So many more are never made public.

To compromise detection

At this point in the attack we’re right of boom and in the realm of compromise detection. Now, the challenge is to look for anomalous behavior that is happening after you’ve already been compromised – things like data exfiltration or lateral movement within your environment that isn’t consistent with policies you’ve set.

Once inside the network, attackers hide in the shadows and can do their work mostly undetected for months and years before they’re caught, and that’s when costs can skyrocket. The key is trying to limit the duration and damage caused. That’s what compromise detection is about.

You want to be able to see what’s happening in the shadows of your network – the areas that aren’t covered by your Endpoint Detection and Response (EDR), NDR, and the disparate tools from your different cloud providers.

If all you see is an IP address doing something, that doesn’t tell you much. And it’s easy for one or two connections to fall under the radar. But in aggregation, when you have visibility into the other parts of the network that IP address is connecting to and context around the who and the what, you can drill down to understand what’s happening behind the scenes.

Suddenly you might see it’s hitting a bunch of IPs on a specific port and looking around for things. It could be legitimate. Maybe a user has moved to a different group and now has different needs. Or it may be malicious, someone poking around in a system they shouldn’t be poking around in. There are a lot of reasons why this communication could be happening, and they all need investigation.

Compromise detection is about minimizing the damage, and the best way to do that is to block the activity as soon as you can and then investigate what is happening. You can always un-quarantine a host. What’s harder when a compromise happens is to get your sensitive data back. Fortunately, when you have visibility and context to block and investigate, you can get from post-boom to recovery as quickly as possible and a lot faster than 200 days.