The following is an excerpt from our recent whitepaper, “Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks,” in which we dive into how traditional cybersecurity tools work, why this fundamentally limits them from being able to detect zero-day or previously unknown attacks, why the industry standard for breach detection is around six to eight months and how modern, contextually-aware AI overcomes the limitations of traditional cybersecurity solutions.
The Aggregation Model is Falling Short
Here’s how traditional categories of NTA, SIEM, XDR and UEBA usually operate:
- Aggregate historical information about network behavior.
- Normalize it for search and investigation.
- Write corresponding rules to trigger responses from the cybersecurity product.
- Run queries on a limited data set to detect anomalous behavior based on the aggregated historical behavioral insights.
At first glance, this may seem like a comprehensive approach, and in a bubble where only expected behavior occurs within limited data sets, it could be. In the real world, behavior and associated data is constantly changing and what’s acceptable one day could be anomalous the next (or vice versa).
Even if a dedicated team were to constantly input new rules, they could never fully capture the realities of a living, breathing modern network that might include hundreds or even thousands of connected BYOD devices, IoT sensors, server banks, cloud depositories…the list just keeps growing.
Significant Detection Delays Lead to Significant Data Losses
Geoff Coulehan, Head of Strategic Alliances for MixMode, points to the significant delay in informative analysis as the heart of the problem when it comes to zero-day attacks, including no signature attacks. Real-time threat detection is woefully lacking for the vast majority of solutions available on the current market.
Rules-based systems are not only limited because it’s a constant battle to keep rules updated. Rules themselves are underpinned by a dependency on known behaviors and signature-based detections.
“Aggregate and log information is alway out of date, and systems are exclusively looking for known signatures and behaviours,” Coulehan explains. “It begs the question: How then, even theoretically or conceptually, could one argue that these systems are effective in addressing zero-day attacks?”
Continue reading and download this whitepaper here: