An old deception approach, called a honey pot, is coming back into vogue in networks inside some security groups, he said. "Research organizations and some managed service providers will try to lure [attackers] in to see what attacks are being used. We have seen a lot of renewed interest in deception technology, although there's not yet mainstream adoption."
Last fall, computer scientists at Penn State University described a decoy network approach to help deflect a hacker's hits. The researchers created a computer defense system that senses possible malicious probes of the network. Attacks were then redirected, through a network device called a reflector, to a virtual network that contained only hints of the real network. The researchers simulated the attack and the defense without using an actual network but plan to deploy it in an actual network.
Detection software usually works by digging up anomalous behaviors. The most evolved detection systems work from a baseline of normal activity on a network or server, computer or other endpoint device, Litan said.
A profile of normal behaviors by users, the amount and type of data transmitted in a system and other network activity are constantly compared with ongoing transactions using advanced analytics, she said.
"These approaches might even look at a user's activity relative to his colleagues to see if he's doing something unusual," she said. Recently, some security vendors have begun using machine learning to bolster the analytics.
Here's one example of how detection analytics might work: A procurement request made at 3 a.m. in Singapore by an employee based in London could be flagged as questionable. But the security system could check a corporate travel app and see that the employee had a flight and hotel booked in Singapore and then approve the procurement.
Or, a totally different result might occur, depending on corporate policies, such as requiring a manager's approval for the procurement.
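The flow the article sketches, a request scored against the user's own baseline and against colleagues, then a contextual travel check whose outcome depends on policy, as an added Python example that is not code from the article or from any vendor it names; the request history, travel bookings, team grouping and z-score threshold are all constructed for illustration.

```python
"""Baseline-plus-context scoring for a single procurement request."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, team, hour_utc) of past procurement requests.
HISTORY = [
    ("alice", "finance", 9), ("alice", "finance", 10), ("alice", "finance", 11),
    ("alice", "finance", 14), ("alice", "finance", 16), ("alice", "finance", 8),
    ("bob", "finance", 10), ("bob", "finance", 13), ("bob", "finance", 15),
    ("bob", "finance", 9), ("bob", "finance", 17), ("bob", "finance", 12),
]

# Constructed corporate-travel lookup: user -> cities with a booked flight/hotel.
TRAVEL = {"alice": {"Singapore"}}


def build_baselines(history):
    """Per-user and per-team (mean, stdev) of request hour in UTC.

    Hour-of-day is treated as a plain number (no midnight wrap-around),
    which is adequate for a daytime-office baseline like the one above.
    """
    by_user, by_team = defaultdict(list), defaultdict(list)
    for user, team, hour in history:
        by_user[user].append(hour)
        by_team[team].append(hour)
    stats = lambda hours: (mean(hours), pstdev(hours))
    return ({u: stats(h) for u, h in by_user.items()},
            {t: stats(h) for t, h in by_team.items()})


def is_anomalous(hour, baseline, z_threshold=2.0):
    """True if the hour lies more than z_threshold standard deviations from the baseline."""
    mu, sigma = baseline
    return abs(hour - mu) > z_threshold * max(sigma, 1.0)  # floor avoids a zero stdev


def score_request(user, team, hour_utc, city, baselines, travel, require_manager=False):
    """Return 'approve', 'manager_approval' or 'flag' for one request."""
    user_base, team_base = baselines
    # Step 1: compare with the user's own profile and with peers on the same team.
    unusual_for_user = is_anomalous(hour_utc, user_base[user])
    unusual_for_team = is_anomalous(hour_utc, team_base[team])
    if not (unusual_for_user or unusual_for_team):
        return "approve"
    # Step 2: context check; a booked trip to the request's city explains the odd hour.
    if city in travel.get(user, set()):
        return "manager_approval" if require_manager else "approve"
    return "flag"
```

A request at 3 a.m. Singapore time is 19:00 UTC, well outside the constructed office-hours baseline, so it is approved only because the travel lookup explains it.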
Detection products are abundant and are being updated with the newest technology by nearly every security vendor, analysts said. "There are well over a hundred vendors in this space, including all the major names like McAfee, Cisco and Symantec, down to newer ones like Phantom," Ayoub said.
These products are deployed in the U.S. mainly by large banks, retailers, technology and defense-related companies, Litan said. Small and mid-tier companies have the option of hiring a managed service provider to provide detection services as part of a larger package of security products. Such service providers include large telecommunications companies, but also smaller cybersecurity firms like Cybereason and CrowdStrike, among others.
Gartner divides the detection technologies used by enterprises into three relatively new markets that incorporate advanced analytics. Endpoint [threat] detection and response (EDR) was more than a $600 million market in the U.S. in 2016. User and entity behavior analytics (UEBA) was a $100 million market last year. Network traffic analysis (NTA) is a third new area, but Gartner didn't provide an estimate for the size of that market.