Detection Alert vs Prevention Notification

Since the dawn of cyber warfare, security professionals needed to react to an event as a dreadful alert pushed to their management console, alerting of an ongoing attack or the result of it. As more and more attacks managed to sneak into the organization’s parameter, security teams found themselves chasing more and more alerts, in need to prioritize which is imminent, which is light and which is a false positive.

The age of NGAV

Understanding the lack of ability to stop advanced threats using signature based solutions as zero-day attacks grew rapidly, the cyber security industry was in search of new methods to detect and mitigate such attacks. These methods relied on ML (machine learning), AI (artificial intelligence), cloud based file detonation, behavioral detection and others to eventually try and stop the next attack without signatures or prior knowledge. This led to the birth of the Next-gen Antivirus which used new methods (ML, AI, etc.) alongside signature based and heuristics mechanisms to detect attacks.

The age of EDR

In 2013, the term EDR (Endpoint Detection & Response) was coined by Anton Chuvakin, a Gartner analyst who identified the change between the regular AV and later NGAV that organizations used, to the more advanced threat detection mechanism, relying on ML or AI to detect anomalies/abnormality in a file behavior and recognizing malicious patterns, thus giving defenders a more reliable way to identify threats and correlate information from different sources.

The problem? When not configured correctly or not complemented by other solutions (like EPP, patch management, etc.), the EDR created a lot of false positives and noise to the security teams which led them to chase alerts, trying to identify real attacks and drown in the number of events they had to handle.

The age of XDR

As security teams are in dire need of help going through the alerts, false positives & information such systems generate, correlate data between the systems and have better context to the attack. A new form of advanced EDR was introduced, XDR (Extended Detection and Response) which incorporates other technologies such as SOAR, SIEM & SOC and monitors other areas in the organization such as the network, cloud, etc. to help the security teams get a better picture of their battlefield. Although XDRs provide better visibility to the organizational environment, with automation & correlation & data fusion, it still leaves organizations protected by an EDR under the hood which is still bypassable by attackers, prone to the same data bias and errors, false-positives and other disadvantages.

The age of Prevention Notification

What if there was a way to identify real threats without the need to constantly chase ghosts? What if security or IT teams didn’t need to recover or remediate after a successful attack? Sounds like science fiction but this is very real, adding Active Endpoint Deception to the endpoint security stack allows security teams to reduce detection alerts and switch to prevention notification as the solution prevents attacks quickly in real time, doesn’t require signatures or pattern analysis and has high fidelity notifications as it relies on the same techniques malware is using to evade detection and to protect itself. This reduces the alert fatigue security teams face when handling more complex solutions but also allows SME/SMBs who cannot afford EDRs and managed detection services to monitor their environments constantly as there’s no need for that once an attack was prevented. 

Here is an example on how to achieve better prevention against Ransomware and other similar attacks.

Share via:


Request a free trial or send us a message

Let's get in touch

Request a demo or send us a message