Sergio Caltagirone and Robert M. Lee

There is a considerable amount of market confusion around the types of threat detection, how they are derived, and the uses for each. The purpose of this paper is to address those challenges by identifying the four types of threat detection and offering sample use-cases focused on industrial control system (ICS) and industrial internet of things (IIoT) environments.

Threat Detection: The Most Important Function

Threat detection plays an outsized role in cybersecurity as arguably the most important function in an “assume breach” world.

Threat detection is one of the three core cybersecurity functions, along with prevention and response. But detection plays an outsized role as arguably the most important cybersecurity function in an “assume breach” world. Prevention is critical to reducing the noise from common threats, but sufficiently determined adversaries will always defeat prevention. Without detection, an adversary will dwell in an environment with considerable freedom of movement, positioned to cause significant disruption at a time of their choosing. Good detection enables better response, and good response enables better prevention through root cause analysis.

Detection in industrial networks can help avoid significant financial impact to the organization, environmental impacts, loss of safety, or inappropriate response plans when the cyber component of a disruption is not understood. Historically, detection has been positioned in numerous ways, with a focus either on the type of threat being detected (for example, targeted threats versus cybercrime) or on the tools and technologies used to facilitate the detection, such as security information and event management (SIEM) rules, intrusion detection system (IDS) rules, machine learning models, and user-entity analytics. But not all detection is equivalent or fits every scenario and application. Therefore, it is best to match the detection to the application. The following sections provide guidance for defenders on detection types and their applications so threats can be found and defeated earlier.