How to stop threats before they hit your network

Apr 23, 2018
Network Security, Security

The beauty of anomaly detection


In today’s IT environment, endpoint monitoring is fairly standard procedure. Most organizations have at least some sort of system in place allowing them to monitor firewalls and collect network usage data. But, by the time they’ve finished parsing that data to identify potential problems, it may well have already escalated to critical proportions.

By relying exclusively on endpoint monitoring, organizations risk missing insights into overall network behavior. Flipping the script from reactive security to more proactive measures requires organizations to implement solid anomaly detection methods, including software that automatically detects, alerts on and responds to network anomalies.

Building a baseline

Machines, users and data all have behavioral patterns that can be observed, mapped and monitored. By using this information to create a baseline, IT can proactively look for warning signs, i.e., deviations from expected activity.

For example, if a user who usually accesses only a few key folders is found suddenly downloading hundreds of gigabytes of company data, anomaly detection will raise a red flag. The alert gives IT time to determine whether a given activity is an authorized procedure or potentially malicious. No one wants an employee sneaking sensitive data offsite—something that anomaly detection can help prevent.

Automation and response

Anomaly detection software is like air traffic control for your network. Instead of examining individual endpoints, anomaly detection monitors the data stream across all endpoints. Not only does anomaly detection software help to identify patterns, but it can also take predetermined action when specific conditions are met.

When IT professionals sort through logs to manually identify problems, they’re almost inevitably going to discover them too late. There may be some easy indicators to pick up on, like sudden spikes in data sent off-site, but it’s often difficult to pinpoint a lower-lying threat. Even when there are multiple events pointing to a breach, they may not be frequent enough or widespread enough to set off alarms. By the time a breach is discovered, IT is diagnosing the scope and impact of the attack, instead of figuring out how to stop it in the first place.

That’s why it’s so vital to have the ability to monitor east-west data flows, and not just rely on a firewall to monitor the north-south flows, which is often the case. When a virus gains traction and spreads through a network, it tends to move laterally. Anomaly detection software can detect even subtle patterns and quickly sandbox a user for suspicious activity, preventing any chance that a virus could spread.
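The two ideas above, a per-user behavioral baseline (the "few key folders" user who suddenly pulls hundreds of gigabytes) and visibility into east-west traffic (a workstation that starts reaching internal file servers it never touched before), can be shown together in a small detector. The following Python is an added example written for this page, not code from the article, its author or any vendor product. The file-access log format, the users, hosts, folders and byte counts are all constructed, and the deviation rule (median plus k times the median absolute deviation, with novelty checks on folders and destination hosts) is one reasonable choice, not the article's prescribed method.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (not from the article). One file-access event per line:
# date,user,src_host,dst_host,folder,bytes_out
# Dates before the cutoff form the baseline; the cutoff day is what gets scored.
SAMPLE_LOG = """\
2018-04-16,alice,ws-alice,fs-01,/finance/q1,180000
2018-04-17,alice,ws-alice,fs-01,/finance/q1,210000
2018-04-18,alice,ws-alice,fs-01,/finance/budgets,150000
2018-04-19,alice,ws-alice,fs-01,/finance/q1,195000
2018-04-20,alice,ws-alice,fs-01,/finance/q1,205000
2018-04-16,bob,ws-bob,fs-02,/eng/src,900000
2018-04-17,bob,ws-bob,fs-02,/eng/src,1100000
2018-04-18,bob,ws-bob,fs-02,/eng/builds,950000
2018-04-19,bob,ws-bob,fs-02,/eng/src,1000000
2018-04-20,bob,ws-bob,fs-02,/eng/src,1050000
2018-04-23,alice,ws-alice,fs-01,/finance/q1,190000
2018-04-23,bob,ws-bob,fs-02,/eng/src,980000
2018-04-23,bob,ws-bob,fs-03,/hr/payroll,40000000
2018-04-23,bob,ws-bob,fs-04,/legal/contracts,35000000
"""


def parse_log(text):
    """Turn the CSV-style log into a list of event dicts."""
    records = []
    for line in text.strip().splitlines():
        date, user, src, dst, folder, nbytes = line.split(",")
        records.append({"date": date, "user": user, "src_host": src,
                        "dst_host": dst, "folder": folder, "bytes": int(nbytes)})
    return records


def build_baseline(records, cutoff):
    """Per user: daily byte totals, folders touched, and internal hosts reached
    (the east-west footprint), using only events strictly before the cutoff day."""
    base = defaultdict(lambda: {"daily": defaultdict(int), "folders": set(), "hosts": set()})
    for r in records:
        if r["date"] < cutoff:  # ISO dates compare correctly as strings
            b = base[r["user"]]
            b["daily"][r["date"]] += r["bytes"]
            b["folders"].add(r["folder"])
            b["hosts"].add(r["dst_host"])
    return base


def robust_threshold(values, k=5.0):
    """Median + k * MAD: a baseline that a single outlier day cannot drag upward."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med + k * mad


def detect(text, day, k=5.0):
    """Score every user active on `day` against their own baseline and return alerts."""
    records = parse_log(text)
    base = build_baseline(records, day)
    todays = defaultdict(list)
    for r in records:
        if r["date"] == day:
            todays[r["user"]].append(r)

    alerts = []
    for user, events in todays.items():
        b = base.get(user)
        if b is None or not b["daily"]:
            # A user with no history is itself worth a look, but cannot be scored.
            alerts.append({"user": user, "reasons": ["no baseline for user"]})
            continue
        total = sum(r["bytes"] for r in events)
        threshold = robust_threshold(list(b["daily"].values()), k)
        new_folders = sorted({r["folder"] for r in events} - b["folders"])
        new_hosts = sorted({r["dst_host"] for r in events} - b["hosts"])
        reasons = []
        if total > threshold:
            reasons.append(f"daily volume {total} exceeds baseline threshold {threshold:.0f}")
        if new_folders:
            reasons.append(f"never-before-seen folders: {new_folders}")
        if new_hosts:
            reasons.append(f"new east-west destinations: {new_hosts}")
        if reasons:
            alerts.append({"user": user, "total_bytes": total, "new_folders": new_folders,
                           "new_hosts": new_hosts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2018-04-23"):
        print(alert["user"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run as-is, the script flags only bob: his day is roughly 75 times his usual volume, and it includes two file servers and two folders absent from his baseline, while alice's slightly-different-but-normal day produces nothing. The point of the robust threshold is that a real deployment's baseline must tolerate the occasional busy day without either drowning analysts in alerts or being quietly inflated by the very activity it should catch; tune k against your own history before trusting it.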

Collective protection

Community sharing is a benefit of anomaly detection that is often overlooked. Since applications that provide anomaly detection generally have wide install bases, they can source information from anywhere within their install base on emerging threats and compile the signatures in an always-growing database for their customers.

Since most new threats are variations of known pieces of malware, anomaly detection has an uncanny ability to identify the vast majority of potential attacks through crowdsourcing. The only situation where community sharing tends to fall short is when there’s an entirely new threat with different traits or characteristics than ever before seen, i.e., the zero-day attack. Even then, when one organization falls prey to the threat, it will be assigned a signature and shared with the rest of the base so no one else has to be vulnerable.

Acting before disaster

Despite the tremendous benefits, integrating anomaly detection can be difficult. It’s often a hard sell for CSOs who are inevitably busy juggling other security and process demands. Moreover, they often don’t know the full capabilities of the many available solutions. Consequently, they often wait until after an incident or a failed audit to incorporate a solution capable of anomaly detection into their security stack.

But data security isn’t a “better late than never” situation. To be useful, it needs to be implemented before disaster strikes. This means designing and implementing the initial IT stack with security integrated from inception, knowing that it will grant the kind of unparalleled network visibility that should be standard security practice and policy.

Anomaly detection will bring any organization’s security capabilities to the next level. From locating and acting on insider threats, to collectively sharing new attack signatures, the capabilities are astounding. Too many organizations needlessly fall victim to known attacks and preventable problems. With anomaly detection capabilities, IT security is one step closer to stopping threats dead in their tracks, before the malware spreads or their data walks out the front door.


Pete Burke is a security and borderless networks technical consultant at Sirius Federal. He advises federal technology buyers on the solutions that best fit their needs. Pete has previously worked at Gemalto and Philips Healthcare.

Pete can be reached online via Sirius Federal's company website.

The opinions expressed in this blog are those of Pete Burke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
