Your quick guide to business-level threat detection

The online tech periodical Engadget dubbed 2018 “the year security slips, privacy fails and outright stupidity went from bad to surreal.” Granted, that’s scathing. Unfortunately, it’s also true in many ways.

In 2018, 58% of malware attacks were aimed specifically at SMBs. 50% of users were happy to click on links in email, making phishing an epic (and continuing) problem. And companies took an agonizing 191 days to identify breaches.

That last one is particularly troubling. No one wants to experience a data breach. But if your network falls prey to a cyberattack and you are breached, you want to know about it as soon as possible.

That’s where threat detection comes into play.

How does threat detection fit into your cybersecurity plan?

Cybersecurity is often talked about as if it’s one thing. In very broad terms, the goal of cybersecurity is to protect your data. However, making that goal a reality actually involves three distinct ingredients.

Proactive prevention

There’s no mystery here. Prevention is exactly what it sounds like—and the most well-known component of a well-rounded cybersecurity plan.

This is why your computer has antivirus software and why your network has a firewall. The idea is to stop malware before it has a chance to infect your system. After all, you don’t have to decide whether or not to pay off a cybercriminal if ransomware never makes it onto your system.

In a perfect world, this is all cybersecurity would be. Unfortunately, even the best cybersecurity strategy possible can’t take into account every new method cybercriminals dream up. At some point, something’s going to slip past your defenses.

It’s practically a given.


“Billions of people were affected by data breaches and cyberattacks in 2018—765 million in the months of April, May and June alone—with losses surpassing tens of millions of dollars . . .”

USA Today

Threat detection

Okay, so malware makes it onto your system. What happens then? Brace yourself. This is where things get ugly.

Nothing. Or at least, nothing good—until you find it.

Once a virus makes its way onto your network, the cybercriminal’s job is just starting. Yes, they need access, but access isn’t data, and they’re after your data. The longer they can remain hidden in your system, the more of your data they can collect.

Consider this chilling example. The WannaCry ransomware attack happened nearly two years ago, in May of 2017. And yet, it’s estimated the virus remains dormant on thousands of computers, putting businesses all over the world at continued risk simply because the threat hasn’t been detected.

In other words, if you don’t have good threat detection, you could be losing data right now and you wouldn’t even know it.

Incident response

The final piece of the cybersecurity puzzle is incident response. If your business is attacked and you detect the threat, you then have to do something about it. And how you respond is important.

We’ll be candid. This really does warrant a professional cybersecurity expert. Incident response has the potential to be complex, confusing and far more involved than you might think. It’s not just about data recovery, though that’s clearly important. There are also legal matters to consider.

Do you want to risk destroying evidence and letting cybercriminals off scot-free? Of course not.

Let an expert handle incident response. You’ll be glad you did.


“. . . companies are better-served by going back to the basics, starting with proper training and planning of cyber defenses rather than rushing out to buy the shiniest new technology on the market.”


The types of threat detection

Now that we’ve covered cybersecurity at a high level, let’s take a deeper dive into threat detection. Like the broader topic of cybersecurity, it comes in several different flavors.

That’s because there are a variety of symptoms your network may exhibit that indicate a potential breach. And “symptoms” is the right word. When a doctor checks your vitals, he’s looking for any indication that something is off. Threat detection is basically the same thing for your business network.

Here are the four types of threat detection a cybersecurity pro will take into account.

Configuration-based
Configuration-based detection is focused on the connections within your network. If one device on your network (your laptop, for example) suddenly starts communicating with a device outside of your network over a rarely-used port, that could be indicative of malicious activity.

When something suddenly, unexpectedly changes on a part of your network that’s normally static, configuration-based detection should notice it.

Modeling-based
Modeling-based detection is like the next evolution of configuration-based detection. It’s looking for essentially the same thing—unusual activity on your network. The key difference here is that modeling-based detection is driven entirely by math.

In simple terms, a program watches your network and pays attention to how things are when everything’s normal. Once a baseline is established, a modeling-based detection tool will alert your cybersecurity team if things deviate from the expected baseline.
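As an added illustration (not code from the original article), here is a small Python script that implements both ideas over a constructed connection log: a configuration-style check that flags a host talking to a never-before-seen destination and port, and a modeling-style check that learns a per-connection byte baseline and flags statistically large deviations. The host names, addresses and byte counts are all constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (source_host, dest_ip, dest_port, bytes_sent).
# BASELINE_LOG stands in for a period of known-good traffic; NEW_LOG arrives
# afterwards. 203.0.113.7 is a documentation address, not a real host.
BASELINE_LOG = [
    ("laptop-1", "10.0.0.5", 443, 1000), ("laptop-1", "10.0.0.5", 443, 1100),
    ("laptop-1", "10.0.0.5", 443, 950), ("laptop-1", "10.0.0.5", 443, 1050),
    ("laptop-1", "10.0.0.9", 53, 100), ("laptop-1", "10.0.0.9", 53, 120),
    ("laptop-1", "10.0.0.9", 53, 90), ("laptop-1", "10.0.0.9", 53, 110),
]
NEW_LOG = [
    ("laptop-1", "10.0.0.5", 443, 1080),     # ordinary web traffic
    ("laptop-1", "203.0.113.7", 4444, 200),  # external host, unusual port
    ("laptop-1", "10.0.0.5", 443, 48000),    # known peer, abnormal volume
    ("laptop-1", "10.0.0.9", 53, 95),        # ordinary DNS traffic
]

def build_baseline(records):
    """Learn 'normal': every (host, dest, port) seen, with the mean and
    standard deviation of bytes_sent for each one."""
    history = defaultdict(list)
    for host, dest, port, nbytes in records:
        history[(host, dest, port)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in history.items()}

def detect(records, baseline, z=3.0):
    """Return (kind, host, dest, port) alerts.
    new-connection : configuration-style, a (host, dest, port) combination
                     never observed during the baseline period.
    volume-anomaly : modeling-style, bytes_sent above mean + z*stdev for a
                     known connection (z=3 is a common cut-off)."""
    alerts = []
    for host, dest, port, nbytes in records:
        key = (host, dest, port)
        if key not in baseline:
            alerts.append(("new-connection", host, dest, port))
            continue
        mu, sigma = baseline[key]
        # If sigma is 0 the threshold collapses to the mean; a longer
        # baseline period gives a more forgiving estimate.
        if nbytes > mu + z * sigma:
            alerts.append(("volume-anomaly", host, dest, port))
    return alerts
```

Running `detect(NEW_LOG, build_baseline(BASELINE_LOG))` yields two alerts: a new-connection alert for the 203.0.113.7:4444 flow and a volume-anomaly alert for the 48000-byte transfer to 10.0.0.5:443.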


“One of the most difficult tasks for cybersecurity researchers is determining who was behind a breach or coordinated attack.”


Indicator-based
Configuration-based and modeling-based detection are there to make you aware of symptoms. Indicator-based detection is there to drill a little deeper, isolating the nature of the threat.

Analysts use indicator-based detection to follow up after the presence of a threat has been signaled. It’s great for confirming a threat and determining exactly what the threat is. But it needs to be paired with one or both of the previous two kinds of detection to really be useful.

Threat Behavior

Threat behavior detection attempts to identify behaviors that look legitimate at first glance but are actually malicious in nature. Well-coded malware flies under the radar by tricking your initial cybersecurity tools into believing it’s a legitimate application doing legitimate, safe things.

Threat behavior detection is an effective way to catch more subtle threats, but it takes time and cannot be automated. As a result, like indicator-based detection, it’s not a good stand-alone tool.

Which type of threat detection is best?

There’s no easy answer to that question as each type of threat detection is designed to identify different kinds of threats. When malware makes it past one, there’s a good chance another will catch it. Just as you wouldn’t want your doctor to measure your blood pressure but ignore all other vitals, you don’t want to take a narrow view of your cybersecurity strategy.

The best approach is a blended approach.


“46% of orgs never change cybersecurity strategy, even after attack or breach.”


And here’s what that means for SMB leaders looking to maintain healthy, secure business networks. When you talk to your cybersecurity partner, make sure they use multiple layers of security and multiple types of threat detection to keep you safe.

You don’t have to become a cybersecurity expert yourself. In fact, just reading this article has given you a better understanding of everything that goes into cybersecurity than most business leaders have. But you should make sure your cybersecurity provider is an expert.

Ask questions. Invasive questions. If they focus on prevention, dig deeper. Ask about threat detection and incident response. The only way to be sure you have well-rounded, complete protection is to ask the right questions.

And now you know where to start.