Why Your Detection-First Security Approach Isn’t Working


Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why attacks increased dramatically in the past year yet again, despite the estimated $172 billion spent on global cybersecurity in 2022.

Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly than organizations can update their protections.

Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, you expect your tools to pick them up at some point in the attack chain. Every organization’s digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts pore through these logs and determine what to investigate further.

Does this work? Let’s look at the numbers:

  • 76% of security teams say that they can’t hit their goals because they’re understaffed
  • 56% of attacks take months—or longer—to discover
  • Attacks keep growing: the global cost of cybercrime is expected to reach $10.5 trillion by 2025

Clearly, something needs to change. Detection technologies serve an important purpose and investing in them isn’t wrong, but it has certainly been overemphasized.

Organizations need to get back to prioritizing threat prevention first and foremost—and this is coming from the leader in zero trust, a model that basically assumes your prevention controls have already failed and that you are actively being breached at any given time.

The endpoint is just the starting point

Although many security categories exemplify the gaps in detection-first security strategies, let’s look at one popular category in particular: endpoint detection and response (EDR).

EDR adoption has grown like wildfire. Already a $2 billion industry, it’s growing at a CAGR of 25.3%. It makes sense: most attacks start at the endpoint, and if you detect them early in the attack chain, you minimize the impact. A good EDR solution also provides rich endpoint telemetry to help with investigations, compliance, and finding and shutting down vulnerabilities.

Endpoint security is a valuable area to invest in—and a critical component of zero trust—but it’s not the whole picture. Despite vendor claims of “extended” detection and response that stitches together data across the enterprise, XDR solutions do not provide defense-in-depth on their own. EDRs have antivirus to stop known malware, but they typically allow all other traffic to pass through, counting on analytics to eventually detect what the AV missed.

All tools have their shortcomings, and EDR is no exception, because:

Not all attacks start at the endpoint. The Internet is the new network, and most organizations have a wide range of data and applications stored across various clouds. They also frequently use devices like VPNs and firewalls that are routable from the internet. Anything that is exposed is subject to an attack. Zscaler ThreatLabz has found that 30% of SSL-based attacks hide in cloud-based file-sharing services like AWS, Google Drive, OneDrive, and Dropbox.

Not all endpoints are managed. EDR relies on agents that are installed on every IT-managed device, but that doesn’t account for the myriad scenarios in which unmanaged endpoints may touch your data or networks: IoT and OT devices, personal (BYOD) endpoints used for work, third-party partners and contractors with access to data, recent mergers or acquisitions, even guests coming to your office to use Wi-Fi.

EDR can be bypassed. All security tools have their weaknesses, and EDR has proven to be fairly easy to evade using several common techniques, such as exploiting system calls. Attackers use encryption and obfuscation techniques to automatically generate new PDFs, Microsoft 365 documents, and other files that can alter the fingerprint of malware and bypass traditional cybersecurity models undetected.

Modern threats move really fast. Today’s ransomware strains, almost all available for purchase on the dark web for any would-be cybercriminals, can encrypt data far too quickly for detection-based technologies to be useful. LockBit v3.0 can encrypt 25,000 files in a minute, and it’s not even the fastest ransomware out there. Conversely, the average time to detect and mitigate a breach has been measured at 280 days. That’s enough time for LockBit to encrypt over 10 billion files.

Get your security in line

It’s true that signature-based antivirus technologies are no longer enough to stop sophisticated attacks. But it is also true that the same AI-powered analytics behind detection technologies can (and must!) be used for prevention, not just detection, if they’re delivered inline. This prevention strategy needs to account for your entire infrastructure, not just your endpoints or any other one part of your architecture.

A sandbox is a key example of a security tool that can be deployed in this way. Sandboxes provide real-time protection against sophisticated and unknown threats by analyzing suspicious files and URLs in a secure, isolated environment. Deploying them inline (rather than as a passthrough) means a file isn’t allowed to proceed until after the solution delivers a verdict.

The Zscaler Zero Trust Exchange platform includes a cloud-native proxy that inspects all traffic, encrypted or not, to enable secure access. As a proxy, the platform’s layered controls—including the integrated advanced sandbox—are all delivered inline with a prevention-first approach.

Supplementing your detection technologies with Zscaler’s cloud native inline sandbox gives you:

Real-time, AI-powered protection against zero-day threats

Zscaler uses advanced machine learning algorithms that are continually refined by the world’s largest security cloud, which processes more than 300 billion transactions per day. These algorithms analyze suspicious files and URLs in real time, detecting and blocking potential threats before they can cause damage.

This begins with a prefiltering analysis that checks the file’s content against 40+ threat feeds, antivirus signatures, hash blocklists, and YARA rules for known indicators of compromise (IOCs). By reducing the number of files needed for deeper analysis, AI/ML models perform more effectively. When a file remains unknown or suspicious after initial triage, Zscaler Sandbox detonates it to perform robust static, dynamic, and secondary analysis, including code and secondary payload analysis that detects advanced evasion techniques. Once complete, a report is generated with a threat score and actionable verdict, blocking malicious and suspicious files based on policy configurations.


One of the biggest selling points of the cloud is the ability to rapidly scale up or down to meet the needs of organizations of all sizes. Security controls deployed in the cloud are naturally easier to provision and manage, giving your organization the flexibility to adapt to changing security needs.

Reduced costs

Cost is one of the primary inputs defining many security strategies, and it comes in many forms: user productivity, operational efficiency, hardware costs, and so on. But the biggest cost of note is the cost of getting breached. By preventing attacks, you eliminate downtime, reputational damage, lost business, and remediation costs, all of which can easily add up to seven figures for a single attack. ESG found that the average organization using the Zero Trust Exchange experiences a 65% reduction in malware, an 85% reduction in ransomware, and a 27% reduction in data breaches, contributing to an overall ROI of 139%.

Comprehensive threat protection

The Zero Trust Exchange delivers comprehensive threat prevention, detection, and analysis capabilities, providing organizations with a uniform security control strategy across all locations, users, and devices. Zscaler Sandbox can analyze files anywhere, not just on the endpoint, and is integrated with a range of additional capabilities such as DNS security, browser isolation (for fileless attacks), data loss prevention, application and workload security, deception, and many others. This provides a complete view of your organization’s security posture and the defense-in-depth that security teams strive for.

Prevention comes in first

In the arms race against attackers, security teams need to prioritize inline security controls over passthrough detection technologies. Files shouldn’t be allowed onto endpoints or networks unless you’re certain they’re benign—because if they turn out to be malicious, chances are you won’t find out about them until after the damage is done.

If you’d like to learn more about the Zscaler Zero Trust Exchange, visit zscaler.com.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Cody Jinks Brings Out His Son Larson For Killer Performance Of “Hippies & Cowboys”
Luxury homes on these beaches are losing value fast, as effects of climate change hit hard
Chuck Schumer Says Democrats Are Ready To Pass Bump Stock Ban After SCOTUS Overturn
What You Need to Know
CEOs at Trump meeting: He was ‘meandering’