Why Your Detection-First Security Approach Isn’t Working


Stopping new and evasive threats is one of the biggest challenges in cyber security. This is one of the main reasons why attacks increased dramatically again last year, despite an estimated $172 billion being spent on global cyber security by 2022.

Armed with cloud-based tools and supported by sophisticated affiliate networks, threat actors can develop new and evasive malware faster than organizations can update their protections.

Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, expect your tools to pick them up at some point in the attack chain. Every organization’s digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts examine these logs and determine what to investigate further.

Does this work? Let’s look at the numbers:

  • 76% of security teams say they can’t meet their goals because they’re understaffed
  • 56% of attacks take months or more to discover
  • Attacks continue to grow: global cost of cybercrime expected to reach $10.5 trillion by 2025

Clearly something has to change. Detection technologies serve an important purpose, and investing in them is not bad, but it has certainly been over-emphasized.

Organizations need to re-prioritize threat prevention first, and that starts with zero trust, a model that fundamentally assumes your existing controls have already failed and that you are being actively breached at any given time.

The endpoint is just the starting point

While many security categories exemplify gaps in detection-first security strategies, let’s look at one popular category in particular: endpoint detection and response (EDR).

EDR adoption has grown like wildfire. It is already a $2 billion industry, growing at a CAGR of 25.3%. It makes sense: most attacks start at the endpoint, and if you detect them early in the attack chain, you minimize the impact. A good EDR solution also provides rich endpoint telemetry to help with investigations, compliance, and vulnerability discovery and closure.

Endpoint security is a valuable area to invest in and a critical component of zero trust, but it’s not the whole picture. Despite vendor claims of “broad” detection and response that unifies data across the enterprise, XDR solutions do not provide defense in depth on their own. EDRs have antivirus to stop known malware, but usually allow other traffic to pass, with analytics to detect what the AV has missed.

All tools have their flaws, and EDR is no exception, because:

Not all attacks start at the endpoint. The Internet is now the corporate network, and most organizations have a wide range of data and applications stored in multiple clouds. They also frequently use devices such as VPNs and firewalls that are reachable from the Internet. Everything exposed is subject to attack. Zscaler ThreatLabz has found that 30% of SSL-based attacks are hidden in cloud-based file sharing services such as AWS, Google Drive, OneDrive and Dropbox.

Not all endpoints are managed. EDR relies on agents that are installed on all IT-managed devices, but that doesn’t account for the myriad scenarios where unmanaged endpoints can touch your data or networks: IoT and OT devices, personal endpoints (BYOD) used for work, third parties (partners and contractors) with access to data, recent mergers or acquisitions, even guests who come to your office to use the Wi-Fi.

EDR can be bypassed. All security tools have their weaknesses, and EDR has been shown to be fairly easy to circumvent using a number of common techniques, such as abusing system calls. Attackers use encryption and obfuscation techniques to automatically generate new PDFs, Microsoft 365 documents, and other files that change the malware’s fingerprint and slip past traditional cybersecurity models without detection.

Modern threats move very quickly. Today’s ransomware strains, almost all of which are available for purchase on the dark web for any would-be cybercriminal, can encrypt data too quickly for detection-based technologies to be useful. LockBit v3.0 can encrypt 25,000 files in a minute, and it’s not even the fastest ransomware out there. By contrast, the average time to detect and mitigate a breach has been measured at 280 days. That’s enough time for LockBit to encrypt over 10 billion files.

Put your security inline

It is true that signature-based antivirus technologies are no longer sufficient to stop sophisticated attacks. But it’s also true that the same AI-based analytics behind detection technologies can (and should!) be used for prevention, not just detection, if delivered inline. This prevention strategy should cover your entire infrastructure, not just your endpoints or any other single part of your architecture.

A sandbox is a key example of a security tool that can be deployed in this way. Sandboxes provide real-time protection against sophisticated and unknown threats by analyzing suspicious files and URLs in a secure and isolated environment. Deploying them inline (rather than out of band) means that a file is not allowed to continue until the solution has delivered a verdict.

The Zscaler Zero Trust Exchange platform includes a cloud-native proxy that inspects all traffic, encrypted or not, to enable secure access. Because the platform is a proxy, its layered controls, including the built-in advanced sandbox, are all delivered inline with a prevention-first approach.

Complementing your detection technologies with Zscaler’s cloud-native inline sandbox gives you:

Real-time AI-powered protection against zero-day threats

Zscaler uses advanced machine learning algorithms that are continuously refined by the world’s largest security cloud, which processes more than 300 billion transactions per day. These algorithms analyze suspicious files and URLs in real time, detecting and blocking potential threats before they can cause damage.

This starts with a pre-filter analysis that checks the file content against more than 40 threat feeds, antivirus signatures, hash blocklists, and YARA rules for known indicators of compromise (IOCs). By reducing the number of files that require deeper analysis, the AI/ML models work more effectively. When a file remains unknown or suspicious after initial triage, Zscaler Sandbox detonates it to perform robust static, dynamic, and secondary analysis, including code and secondary payload analysis that detects advanced evasion techniques. Once completed, a report is generated with a threat score and an actionable verdict, and malicious and suspicious files are blocked according to policy settings.
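The two-stage flow described above (cheap pre-filter triage, then a sandbox verdict) and the inline-versus-out-of-band distinction from the sandbox paragraph, as an added illustration that is not Zscaler's code: the hash blocklist, the YARA-style byte patterns, their weights and the sample files are all constructed, and the sandbox is a caller-supplied callable (assumed) so the gate logic can be run offline.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed sample blocklist: SHA-256 of one "known bad" sample (not a real IOC).
BLOCKLIST = {hashlib.sha256(b"MZknown-bad-sample").hexdigest()}
# Constructed YARA-style rules: (name, byte pattern, weight). Not real YARA rules.
RULES = [
    ("macro_autoopen", b"AutoOpen", 40),
    ("powershell_enc", b"-EncodedCommand", 50),
    ("pe_header", b"MZ", 10),
]
HOLD_THRESHOLD = 50  # assumed policy: this score or higher needs a sandbox verdict

@dataclass
class Verdict:
    action: str                 # "block", "allow" or "hold"
    score: int
    reasons: List[str] = field(default_factory=list)

def prefilter(data: bytes) -> Verdict:
    """Stage 1: cheap checks (hash blocklist, pattern rules) before any detonation."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in BLOCKLIST:
        return Verdict("block", 100, [f"hash blocklisted {digest[:12]}"])
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern in data:
            score += weight
            hits.append(name)
    if score >= HOLD_THRESHOLD:
        return Verdict("hold", score, hits)   # unknown/suspicious: escalate to sandbox
    return Verdict("allow", score, hits)

def gate(data: bytes, inline: bool, sandbox: Callable[[bytes], bool]) -> Verdict:
    """Stage 2: enforce the pre-filter verdict; 'hold' escalates to the sandbox.
    inline=True  -> the file is withheld until the sandbox answers.
    inline=False -> the file has already been delivered; the verdict is detection only."""
    v = prefilter(data)
    if v.action != "hold":
        return v
    if not inline:
        return Verdict("allow", v.score, v.reasons + ["delivered before verdict"])
    malicious = sandbox(data)   # blocks here until the verdict is available
    return Verdict("block" if malicious else "allow", v.score, v.reasons + ["sandbox verdict"])
```

With the same suspicious file, the out-of-band path returns "allow" with a note that the verdict came too late, which is exactly the gap the inline deployment closes.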


One of the biggest selling points of the cloud is the ability to scale up or down quickly to meet the needs of organizations of all sizes. Security controls deployed in the cloud are naturally easier to provision and manage, giving your organization the flexibility to adapt to changing security needs.

Reduced costs

Cost is one of the main inputs that define many security strategies and comes in many forms: user productivity, operational efficiency, hardware costs, etc. But the most important cost to highlight is the cost of non-compliance. By preventing attacks, you eliminate downtime, reputational damage, lost business, and remediation costs, all of which can easily add up to seven figures for a single attack. ESG found that the average organization using Zero Trust Exchange experiences a 65% reduction in malware, an 85% reduction in ransomware and a 27% reduction in data breaches, contributing to an overall ROI of 139%.

Comprehensive protection against threats

Zero Trust Exchange provides comprehensive threat prevention, detection and analysis capabilities, giving organizations a uniform security control strategy across all locations, users and devices. Zscaler Sandbox can scan files anywhere, not just on the endpoint, and integrates with a number of additional capabilities such as DNS security, browser isolation (for fileless attacks), data loss prevention, application and workload security, deception and many others. This provides a comprehensive view of your organization’s security posture and the defense in depth that security teams strive for.

Prevention comes first

In the arms race against attackers, security teams must prioritize inline security controls over out-of-band detection technologies. Files shouldn’t be allowed onto endpoints or networks unless you’re sure they’re benign, because if they turn out to be malicious, you likely won’t discover them until after the damage is done.

To learn more about the Zscaler Zero Trust Exchange, visit


A detection-first security approach is a popular strategy among organizations, but it is not foolproof. With cyber threats rising rapidly, it is essential to move away from this outdated approach and take proactive security steps with a mitigation-first strategy. At Ikaroa, we understand how difficult it is for organizations to stay ahead of the cyber security curve. That is why we have created a suite of cutting-edge proactive cybersecurity solutions that enable organizations to pivot away from a detection-first approach to one that prioritizes security from the ground up.

In the age of malicious cyber-attacks, devoting resources to a detection-first approach is reactive and time consuming. A detection-first approach has its merits; however, when it comes to blocking malicious activity, it isn’t enough. Attackers have been known to create sophisticated threats that are able to evade detection, leaving organizations vulnerable. By switching to a mitigation-first approach, organizations can reduce their attack surface before attacks even occur.

At Ikaroa, we believe in having a layered defense that actively protects organizations from both known and unknown threats. Our Secure Content Platform implements continuous threat scanning, real-time monitoring and automated response protocols, blocking malicious threats before they can enter the system and cause harm. Especially in highly regulated environments, having a mitigation-first strategy is critical in ensuring that sensitive data is protected and regulatory requirements are met.

Creating a comprehensive security strategy is paramount for organizations, and to do so, it is essential to move away from a detection-first approach and invest in proactive security measures. Ikaroa’s Secure Content Platform offers organizations next-level security and peace of mind. We empower organizations to be proactive in a rapidly evolving cyber security landscape, enabling them to protect their most critical systems and data.
