
How to Overcome Threat Detection and Response Challenges

In this Expert Insight, Jack Naglieri, the founder and CEO of Panther Labs, talks about the many challenges of enterprise-scale threat detection and response. Jack provides some steps organizations can take to prepare themselves for the future.


Data is the fuel for twenty-first-century business. Advancements in science, healthcare, education, and technology revolve around gathering, analyzing, and exploiting massive amounts of data. As with all opportunities, these bring additional risk in the form of new threats and vulnerabilities.

This article will examine some of the challenges of detecting threats and automating responses in a world that is ever more dependent on big data.

The Challenges of High-Scale Threat Detection & Response Today

The challenges faced by today’s threat detection and response solutions stem mainly from their origins. Detection systems commonly used today were never intended to be applied as threat detection and response tools. They were built as general-purpose logging solutions.

Jack Naglieri is the Founder and CEO of Panther Labs

Practitioners have modified these log analytics tools for their security purposes. This adaptation was necessary because legacy SIEM solutions could not deliver the scale and flexibility needed in today’s data-intensive and threat-laden business environment.

Log analytics and SIEM tools do only the bare minimum to help security teams get the data they need. Teams must find ways to get the required data and build reliable, fault-tolerant, and elastic information processing pipelines to handle it.

As a stopgap or workaround measure, security practitioners end up building hybrid solutions based on internal systems and pipelines, an augmented version of the log analytics or SIEM tools, or entirely from scratch.

Another challenge shared across all aspects of the cybersecurity field is that security teams are often small, understaffed, and underfunded. Additionally, they are generally not experienced in DevOps or software engineering. The lack of specialized engineering skills can be troublesome as practitioners are forced into patching together custom solutions.

The numbers reported across the security industry press bear this out. In May 2021, for example, Help Net Security reported that 61% of cybersecurity teams described themselves as understaffed. Of those surveyed, 55% said they had unfilled cybersecurity positions, and half said their applicants were not well qualified.

Important Relevant Trends in Threat Detection and Response

Given the current global cybersecurity skills gap, hiring well-trained cybersecurity specialists is not easy. Many enterprises look to cloud technologies that allow them to run a lean and mean cybersecurity team to combat this skills shortage. Also, by conducting prioritized risk assessments, companies can determine which digital assets are the most critical and allocate resources accordingly.

Data Lakes

Data lakes store massive amounts of data. Users can save structured, semi-structured, or unstructured data without imposing a schema on it until it needs to be read. Data lakes can store all data types, including video, images, audio, and text.

Data scientists, businesses, AI researchers, and others are attracted to this big data technology because of the lower cost and increased agility over databases or data warehouses. High agility makes it simple for data developers and scientists to configure and reconfigure data models, queries, and applications.

Big data technologies, including data lakes, are relatively new, and therefore, the technologies needed to protect them are still developing. Because there is no schema-on-write processing, applying legacy data protection technologies to data lakes is troublesome.

To analyze security data, practitioners need enough structure around it to query fields, such as IP addresses, domains, usernames, and emails across all data. This process requires parsing, normalizing, and storing in an efficient and compressed format.
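The parsing-and-normalizing step above is where most of the work sits in practice: three sources, three formats, one schema with the pivot fields (IP, user, email, domain) the analyst actually queries. The following is an added example written for this page, not code from the article or from Panther; the log formats, field names and sample lines are constructed assumptions, and the point it adds is that unparseable lines must be quarantined rather than silently dropped or allowed to crash the pipeline.

```python
import json
import re
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records from three hypothetical log sources (not real logs).
# Field names and formats are assumptions made for this example.
RAW_RECORDS = [
    ("cloud_audit", '{"eventName": "ConsoleLogin", "eventTime": "2021-06-01T10:00:00Z", '
                    '"sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"}, '
                    '"responseElements": {"ConsoleLogin": "Success"}}'),
    ("web", '198.51.100.9 - bob [01/Jun/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 512'),
    ("auth", 'ts=2021-06-01T10:00:10Z user=alice@example.com src=203.0.113.7 '
             'host=vpn.example.com action=login result=fail'),
    ("auth", 'this line is not key=value formatted'),   # malformed on purpose
]


@dataclass
class NormalizedEvent:
    """Common schema: the handful of fields an analyst pivots on across every source."""
    source: str
    ts: str                       # UTC, ISO 8601 with trailing Z
    src_ip: Optional[str] = None
    user: Optional[str] = None
    email: Optional[str] = None
    domain: Optional[str] = None
    action: Optional[str] = None
    result: Optional[str] = None
    raw: dict = field(default_factory=dict)   # original fields, kept for investigation


WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
KV_RE = re.compile(r'(\w+)=(\S+)')


def to_utc_z(ts: str, fmt: str) -> str:
    """Convert a source-specific timestamp into the one format every event carries."""
    return datetime.strptime(ts, fmt).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def split_user(principal: str):
    """'alice@example.com' -> ('alice', 'alice@example.com'); 'alice' -> ('alice', None)."""
    if "@" in principal:
        return principal.split("@", 1)[0], principal
    return principal, None


def parse_cloud_audit(line: str) -> NormalizedEvent:
    obj = json.loads(line)
    user, email = split_user(obj["userIdentity"]["userName"])
    outcome = obj.get("responseElements", {}).get(obj["eventName"], "")
    return NormalizedEvent(source="cloud_audit", ts=obj["eventTime"],
                           src_ip=obj.get("sourceIPAddress"), user=user, email=email,
                           action=obj["eventName"],
                           result="success" if outcome == "Success" else "fail", raw=obj)


def parse_web(line: str) -> NormalizedEvent:
    m = WEB_RE.match(line)
    if not m:
        raise ValueError("not an access log line")
    status = int(m["status"])
    return NormalizedEvent(source="web", ts=to_utc_z(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                           src_ip=m["ip"], user=None if m["user"] == "-" else m["user"],
                           action=f"{m['method']} {m['path']}",
                           result="success" if status < 400 else "fail", raw=m.groupdict())


def parse_auth(line: str) -> NormalizedEvent:
    kv = dict(KV_RE.findall(line))
    if "ts" not in kv or "user" not in kv:
        raise ValueError("missing required keys")
    user, email = split_user(kv["user"])
    return NormalizedEvent(source="auth", ts=kv["ts"], src_ip=kv.get("src"), user=user,
                           email=email, domain=kv.get("host"), action=kv.get("action"),
                           result=kv.get("result"), raw=kv)


PARSERS = {"cloud_audit": parse_cloud_audit, "web": parse_web, "auth": parse_auth}


def normalize_all(records):
    """Normalize every record; lines that fail to parse are quarantined, never dropped."""
    events, rejects = [], []
    for source, line in records:
        try:
            events.append(PARSERS[source](line))
        except (KeyError, ValueError) as exc:   # JSONDecodeError is a ValueError
            rejects.append({"source": source, "line": line, "error": str(exc)})
    return events, rejects


def events_for_ip(events, ip: str):
    """The cross-source pivot the text describes: one IP queried across every dataset."""
    return [e for e in events if e.src_ip == ip]


if __name__ == "__main__":
    evts, bad = normalize_all(RAW_RECORDS)
    for e in events_for_ip(evts, "203.0.113.7"):
        print(json.dumps(asdict(e)))
    print(f"{len(bad)} record(s) quarantined")
```

The `raw` field is deliberate: normalization loses detail, and an investigation usually needs the original record, so the schema carries both the pivot fields and the source payload. The reject list is what you monitor for parser drift when a vendor changes its log format.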

Detections-as-Code

Detections-as-Code is a flexible and structured approach to analyzing security log data used to identify attacker behaviors. Using software engineering best practices to write expressive threat detections and automate responses, security teams can build scalable processes to identify sophisticated threats across rapidly expanding environments.

Every environment is different and, as a result, requires a different set of detection techniques. Security teams need custom-tailored rules that they can test, version, and manage programmatically under version control. The flexibility and robustness of a full programming language let teams detect both straightforward and advanced behaviors, and also fetch context, enrich events, and tell the whole story of what happened.
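What "test, version, and manage programmatically" looks like in practice is a rule that ships with its own test cases and a runner that refuses to deploy a rule whose tests fail. The block below is an added example written for this page, not the article's or Panther's own rule format; the trusted networks, privileged accounts and the IP context table are constructed assumptions standing in for real allowlists and a CMDB or threat-intel lookup.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed corporate egress ranges and privileged accounts; constructed for the example.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
PRIVILEGED_USERS = {"root", "admin", "alice"}
# Constructed enrichment table standing in for a CMDB / threat-intel lookup.
IP_CONTEXT = {"203.0.113.7": "residential ISP (unknown)", "192.0.2.10": "HQ office egress"}


@dataclass
class Rule:
    rule_id: str
    severity: str
    rule: Callable[[dict], bool]                 # event -> should this fire?
    title: Callable[[dict], str]                 # event -> human-readable alert title
    tests: list = field(default_factory=list)    # (name, event, expected) triples


def in_trusted_net(ip: Optional[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError):   # missing or malformed address is not trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def enrich(event: dict) -> dict:
    """Context fetching: attach what we know about the source address."""
    return {**event, "ip_context": IP_CONTEXT.get(event.get("src_ip"), "no context")}


def privileged_login_offnet(event: dict) -> bool:
    """Privileged account logged in successfully from outside the trusted networks."""
    return (event.get("action") == "login"
            and event.get("result") == "success"
            and event.get("user") in PRIVILEGED_USERS
            and not in_trusted_net(event.get("src_ip")))


def privileged_login_title(event: dict) -> str:
    e = enrich(event)
    return f"Privileged user {e['user']} logged in from {e['src_ip']} ({e['ip_context']})"


RULES = [
    Rule(
        rule_id="Auth.PrivilegedLogin.OffNetwork",
        severity="High",
        rule=privileged_login_offnet,
        title=privileged_login_title,
        tests=[
            ("fires for privileged user off-net",
             {"action": "login", "result": "success", "user": "alice", "src_ip": "203.0.113.7"}, True),
            ("ignores on-net",
             {"action": "login", "result": "success", "user": "alice", "src_ip": "192.0.2.10"}, False),
            ("ignores failed logins",
             {"action": "login", "result": "fail", "user": "alice", "src_ip": "203.0.113.7"}, False),
            ("ignores unprivileged users",
             {"action": "login", "result": "success", "user": "bob", "src_ip": "203.0.113.7"}, False),
            ("missing source IP fails closed",
             {"action": "login", "result": "success", "user": "root"}, True),
        ],
    ),
]


def run_rule_tests(rules) -> list:
    """CI gate: every rule's embedded tests must pass before the rule is deployed."""
    failures = []
    for r in rules:
        for name, event, expected in r.tests:
            try:
                got = r.rule(event)
            except Exception as exc:   # a crashing rule is a failing rule
                got = f"raised {type(exc).__name__}"
            if got is not expected:
                failures.append(f"{r.rule_id}: {name}: expected {expected}, got {got}")
    return failures


def detect(rules, events) -> list:
    """Apply every rule to every normalized event; return the alerts raised."""
    alerts = []
    for event in events:
        for r in rules:
            if r.rule(event):
                alerts.append({"rule_id": r.rule_id, "severity": r.severity,
                               "title": r.title(event), "event": event})
    return alerts


if __name__ == "__main__":
    problems = run_rule_tests(RULES)
    if problems:
        raise SystemExit("\n".join(problems))
    sample = [{"action": "login", "result": "success", "user": "alice", "src_ip": "203.0.113.7"}]
    for a in detect(RULES, sample):
        print(a["severity"], a["title"])
```

The tests live next to the logic, so a pull request that changes the rule also shows the behaviour it changes, and the reviewer sees the negative cases (on-net, failed login, unprivileged) that keep the rule from becoming noise. Note that the runner treats an exception inside a rule as a failure rather than letting it propagate: a rule that crashes on a malformed event would otherwise silently stop detecting.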

Automating the Response of Security Alerts

Automated processes that respond to low-level security events and standardized remediation procedures are critical for security analysts. These automation platforms enable practitioners to run lean, focus their expertise on more pressing matters, and reap the benefits of predictable remediation actions.

Security analysts and engineers benefit when a company deploys a security automation platform. A reduction in repetitive work, fewer false positives to chase down, and a lower volume of alerts requiring investigation enable them to devote time toward more meaningful work.

A modern threat detection and response platform should be easily configurable to forward alerts to automation for action. This configuration helps scale a detection program by pinging users, opening cases, or preventing unnecessary alerts from reaching the security team at all.
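The three outcomes named above (page a person, open a case, or stop the alert before it reaches anyone) are a routing decision. The block below is an added example for this page, not code from the article or from any product; the severity-to-action policy, the suppression list and the dedup window are constructed assumptions. Every decision, including the ones that route nowhere, is written to an audit trail, because an alert that automation swallowed without a record is the one you cannot explain afterwards.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed routing policy: the automated actions each severity receives. Constructed.
ROUTES = {
    "Critical": ["page_oncall", "open_case"],
    "High": ["open_case", "notify_channel"],
    "Medium": ["notify_channel"],
    "Low": ["record_only"],
}
# Known-benign (rule, principal) pairs that must not reach a human. Assumed for the example.
SUPPRESSIONS = {("Auth.PrivilegedLogin.OffNetwork", "svc-backup")}
DEDUP_WINDOW = timedelta(minutes=30)


@dataclass
class AlertRouter:
    routes: dict = field(default_factory=lambda: dict(ROUTES))
    suppressions: set = field(default_factory=lambda: set(SUPPRESSIONS))
    window: timedelta = DEDUP_WINDOW
    last_seen: dict = field(default_factory=dict)   # dedup key -> when it was last routed
    audit: list = field(default_factory=list)       # every decision, routed or not

    @staticmethod
    def dedup_key(alert: dict):
        """Same rule on the same principal within the window is one incident, not N pages."""
        return (alert["rule_id"], alert.get("event", {}).get("user"))

    def route(self, alert: dict, now: datetime) -> list:
        """Return the automated actions to run for this alert (possibly none)."""
        key = self.dedup_key(alert)
        if key in self.suppressions:
            return self._record(alert, now, "suppressed", [])
        last = self.last_seen.get(key)
        if last is not None and now - last < self.window:
            return self._record(alert, now, "deduplicated", [])
        actions = self.routes.get(alert["severity"])
        if actions is None:   # an unknown severity fails loud, never silent
            actions = self.routes["Critical"]
        self.last_seen[key] = now
        return self._record(alert, now, "routed", actions)

    def _record(self, alert: dict, now: datetime, decision: str, actions: list) -> list:
        self.audit.append({"ts": now.isoformat(), "rule_id": alert["rule_id"],
                           "key": self.dedup_key(alert), "decision": decision,
                           "actions": list(actions)})
        return actions


if __name__ == "__main__":
    router = AlertRouter()
    t0 = datetime(2021, 6, 1, 10, 0, tzinfo=timezone.utc)
    alert = {"rule_id": "Auth.PrivilegedLogin.OffNetwork", "severity": "High",
             "event": {"user": "alice", "src_ip": "203.0.113.7"}}
    print(router.route(alert, t0))                            # first sighting: case + notify
    print(router.route(alert, t0 + timedelta(minutes=5)))     # repeat inside window: nothing
    for entry in router.audit:
        print(entry["ts"], entry["decision"], entry["actions"])
```

Two design points worth copying: the dedup key is the tuple that defines "the same incident" for the rule, not the whole alert, so a burst of identical logins produces one case; and an unrecognised severity is escalated rather than dropped, so a typo in a new rule's metadata shows up as an over-page, which someone will notice, instead of as a missing alert, which nobody will.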

The Shift to Containers, Serverless, and Cloud Services

The increasingly familiar “as a service” business model continues to spread, largely thanks to the surge in cloud computing. Serverless and containers are two “as a service” technologies that have seen a significant rise in adoption in the last few years.

While they differ in what they do and how they do it, serverless and containers share a common goal: they abstract away the underlying hosts so that teams can package, deploy, and scale applications without managing servers. Once code is production-ready, it can be deployed and scaled through the same mechanism, which is why both are central to continuous integration/continuous delivery (CI/CD) workflows.

Cloud services continually move up the infrastructure stack to simplify and abstract extraordinarily complex concepts like pub-sub, container orchestration, queueing, and more. As this shift happens, security teams need to continually ensure they gather the related datasets to stay informed and instill tight controls to prevent accidental data or system exposure.

Combining Signals from Many Tools

There are many security tools and services to choose from today, and each of them brings unique value and perspective to a detection program. Compromising by settling on only a few “most valuable” solutions can leave a business vulnerable.

Security teams should take a monitoring-in-depth approach and forward these disparate data streams into a single, scalable location normalized for detection and investigations. After all, detection is about having high confidence that something is amiss, so the more signals we have supporting specific claims, the better.
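"More signals supporting specific claims" can be made concrete: map every tool's alert onto the entity it is really about, then count how many independent sources speak to that entity inside a time window. The following is an added example written for this page, not code from the article or from any product; the signals, the tool names and the host-to-owner inventory are constructed assumptions. It generalises the text slightly in that host-level signals from an endpoint tool are resolved to the user who owns the host, which is what lets an EDR alert corroborate an identity-provider alert about the same person.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed signals from four hypothetical tools, each already normalized to the
# same shape (not real alerts). Timestamps are UTC.
SIGNALS = [
    {"ts": "2021-06-01T08:05:00Z", "source": "email_gateway", "entity_type": "user",
     "entity": "alice", "signal": "clicked link in quarantined phish"},
    {"ts": "2021-06-01T09:50:00Z", "source": "idp", "entity_type": "user",
     "entity": "alice", "signal": "impossible travel"},
    {"ts": "2021-06-01T10:00:00Z", "source": "cloud_audit", "entity_type": "user",
     "entity": "alice", "signal": "first use of ListSecrets"},
    {"ts": "2021-06-01T10:12:00Z", "source": "edr", "entity_type": "host",
     "entity": "lt-alice-01", "signal": "credential dumping tool executed"},
    {"ts": "2021-06-01T10:20:00Z", "source": "edr", "entity_type": "host",
     "entity": "lt-alice-01", "signal": "suspicious child of office app"},
    {"ts": "2021-06-01T10:30:00Z", "source": "idp", "entity_type": "user",
     "entity": "bob", "signal": "new device enrolled"},
    {"ts": "2021-06-01T10:35:00Z", "source": "edr", "entity_type": "host",
     "entity": "lt-unknown-99", "signal": "unsigned driver loaded"},   # no owner on record
]
HOST_OWNER = {"lt-alice-01": "alice", "lt-bob-02": "bob"}   # assumed asset inventory


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_user(signal: dict):
    """Map each signal onto the user it concerns; host signals go via the asset inventory."""
    if signal["entity_type"] == "user":
        return signal["entity"]
    if signal["entity_type"] == "host":
        return HOST_OWNER.get(signal["entity"])   # None if the host is not inventoried
    return None


def corroborate(signals, window: timedelta = timedelta(hours=1)) -> dict:
    """Per user: how many distinct sources fired within `window` of that user's latest signal.

    Anchoring the window on the latest signal is a deliberate simplification; a
    streaming implementation would slide it.
    """
    by_user, orphans = defaultdict(list), []
    for s in signals:
        user = resolve_user(s)
        (by_user[user] if user else orphans).append(s)
    claims = {}
    for user, sigs in by_user.items():
        sigs.sort(key=lambda s: parse_ts(s["ts"]))
        latest = parse_ts(sigs[-1]["ts"])
        recent = [s for s in sigs if latest - parse_ts(s["ts"]) <= window]
        sources = sorted({s["source"] for s in recent})
        claims[user] = {
            "confidence": len(sources),                # independent tools that agree
            "sources": sources,
            "supporting": [f"{s['source']}: {s['signal']}" for s in recent],
            "stale": len(sigs) - len(recent),          # older signals, kept for the narrative
        }
    claims["_unattributed"] = {"confidence": 0, "sources": [], "supporting":
                               [f"{s['source']}: {s['signal']}" for s in orphans], "stale": 0}
    return claims


def high_confidence(claims: dict, min_sources: int = 2) -> list:
    """Users whose claim is backed by at least `min_sources` distinct tools, strongest first."""
    ranked = [(u, c) for u, c in claims.items() if c["confidence"] >= min_sources]
    return [u for u, _ in sorted(ranked, key=lambda uc: -uc[1]["confidence"])]


if __name__ == "__main__":
    claims = corroborate(SIGNALS)
    for user in high_confidence(claims):
        c = claims[user]
        print(user, c["confidence"], c["sources"])
        for line in c["supporting"]:
            print("   ", line)
    print("unattributed:", claims["_unattributed"]["supporting"])
```

The unattributed bucket is the practical lesson: a host that is missing from the inventory cannot corroborate anything, so gaps in the asset data show up directly as a loss of detection confidence, and are worth tracking as such rather than discarding.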

The Future is Bright — For Those Who Evolve

Each of the trends discussed here represents enormous opportunities for science, healthcare, education, and technology. Undoubtedly, the next ten years will outpace the last decade in technological advancements. Along with those opportunities come risks, threats, and vulnerabilities — opportunities themselves for those willing to embrace these new-world problems.


(*) Disclosure: This article was sponsored by Panther Labs. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.