Sad but true: if your organization is a prime target for security threats, you should assume that your defenses have already been infiltrated by advanced attackers and that it is only a matter of time until the theft or disruption begins. So besides securing your environment, security teams should have another goal: detecting the advanced threats that have already penetrated their environment. Anomaly detection is receiving a lot of interest in this regard because it can find the “fingerprints” of an attack in progress.
In the struggle between IT security teams and criminal hackers, the opponents are equally matched in skills, knowledge, talent, creativity and motivation. But the bad guys have the advantage in an environment that relies on traditional (whitelist/blacklist or last-known-threat) defenses. Why? One team is building defenses against the last-known threat, while the other is trying to develop new ways to get around those defenses. A good analogy is the TSA versus terrorists. Terrorists try to blow up a plane with liquid explosives, and the TSA knows to pay close attention to liquids. Terrorists use shoe bombs, and we have to take off our shoes to go through security. In the “last-known threat” security paradigm, the bad guy has the advantage of creating the new or unknown threat profile.
A Closer Look at the Target Security Breach: Target Did Receive Security Alerts