Anomaly detection can be powerful in spotting cyber incidents, but experts say CISOs should balance traditional signature-based detection with more bespoke methods that can identify malicious activity based on outlier signals.

Anomaly detection is an analytic process for identifying points of data or events that deviate significantly from established patterns of behavior. In cybersecurity, anomaly detection is one of the top defensive skills organizations should consider fine-tuning to ensure they can detect and remedy adverse cyber events quickly before they take root and proliferate.

The concept of anomaly detection in cybersecurity was introduced by mathematician Dorothy Denning — who also pioneered the idea of encryption lattices — in a landmark 1987 paper entitled “An Intrusion-Detection Model.” Since then, infosec practitioners and cybersecurity vendors have incorporated Denning’s concepts into their defense techniques, practices, and products.

“Anomaly detection is the holy grail of cyber detection where, if you do it right, you don’t need to know a priori the bad thing that you’re looking for,” Bruce Potter, CEO and founder of Turngate, tells CSO. “It’ll just show up because it doesn’t look like anything else or doesn’t look like it’s supposed to. People have been tilting at that windmill for a long time, since the 1980s, trying to figure out what normal is so they can look for deviations from it to find all the bad things happening in their enterprises.”

The challenge for CISOs now is to know and understand where adverse events are already getting detected in their existing mix of security vendor products. Then, if appropriate, CISOs should consider elevating their anomaly detection game to give their security teams even greater power to detect troubling trends, all while shielding them from alert fatigue.
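To make the contrast above concrete, here is an added example (not code from the article or from any vendor it mentions) that runs a signature check and a Denning-style statistical profile side by side over constructed failed-login counts; the user names, IP addresses, blocklist, window history and threshold are all assumptions.

```python
import statistics

# Constructed sample data (not from the article): failed-login counts per user,
# one value per past hourly window, plus the window now being evaluated.
HISTORY = {
    "alice": [2, 1, 3, 2, 2, 1, 2, 3],
    "bob":   [0, 1, 0, 0, 1, 0, 0, 1],
    "carol": [1, 2, 1, 1, 2, 1, 2, 1],
}
CURRENT_COUNTS = {"alice": 2, "bob": 1, "carol": 14, "mallory": 1}

# Hypothetical blocklist for the signature side: it can only fire on an
# indicator that is already known a priori.
KNOWN_BAD_IPS = {"203.0.113.45"}
CURRENT_SOURCES = {"alice": "10.0.0.5", "bob": "10.0.0.7",
                   "carol": "10.0.0.9", "mallory": "203.0.113.45"}


def signature_alerts(sources, blocklist=KNOWN_BAD_IPS):
    """Signature-based detection: flag any login whose source IP is a known-bad indicator."""
    return sorted(user for user, ip in sources.items() if ip in blocklist)


def anomaly_alerts(history, current, threshold=3.0, min_samples=5):
    """Denning-style statistical profile: each user's own mean and standard deviation
    of past counts define 'normal'; a current count more than `threshold` standard
    deviations above that mean is reported as an outlier with its z-score."""
    alerts = {}
    for user, count in current.items():
        past = history.get(user, [])
        if len(past) < min_samples:
            continue  # no usable baseline yet, so no claim about what is normal
        mean = statistics.mean(past)
        stdev = statistics.pstdev(past)
        floor = 0.5  # keeps a perfectly regular user from producing a zero divisor
        z = (count - mean) / max(stdev, floor)
        if z > threshold:
            alerts[user] = round(z, 2)
    return alerts


if __name__ == "__main__":
    # Signature catches mallory (known IP) but not carol; the profile catches carol
    # (14 failures against a baseline of 1-2) but has no baseline for mallory.
    print("signature:", signature_alerts(CURRENT_SOURCES))
    print("anomaly:  ", anomaly_alerts(HISTORY, CURRENT_COUNTS))
```

Neither method alone sees both events, which is the balance the article argues for; the threshold and baseline length are tuning knobs that directly trade detection against alert volume.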


Source: https://www.csoonline.com/article/3822459/what-is-anomaly-detection-behavior-based-analysis-for-cyber-threats.html