Why it’s Time to Rethink Adversary Detection and Response — Now

In the First World War, British soldiers faced a real threat: a 750-pound shell fired from behind enemy lines by an unseen attacker.



British intelligence analysts devised an innovative system of detection and response that included microphones recording sound blast waves and advanced math for triangulation. Calculations were performed by soldiers sitting in muddy trenches, using pencils, paper, and protractors. The result? While under attack, they spent more time investigating the threat than stopping the attacker.



Contemporary artillery detection systems, based on the same principles, offer far better visibility thanks to advances in automation. These modern systems automatically correlate acoustic data with global intelligence, including known attacker patterns and current attacker activity, giving soldiers a single point on the map for an impending attack.



Cybersecurity has similarly had to evolve to address more sophisticated threats over the years. For instance, we started with signature-based detection technologies to stop payloads before execution and rules-based security like firewalls that blocked bad traffic.



Attacks then grew sophisticated enough to evade signature-based protection. Detection and Response picked up where protection failed: using EDR, an analyst could manually determine whether endpoint, application or user activity looked suspicious. But analysts had to laboriously pore through suspicious activity data to pinpoint true threats. Like those WWI soldiers in the trenches, they toiled under attack just to detect a threat, delaying any response. In retrospect, it marked a good first step, but it also led to badly overworked security teams.



That led to the emergence of SIEM, allowing analysts to better manage this data. But while protection, detection and monitoring solutions have proved effective, all of these approaches are reactive and focused on the victim, whether the device, the application or the user.



Time to ..
