The problem was never detection
For the past decade, the security industry has focused on detection. The emphasis has been on producing more alerts, improving signal quality and expanding coverage. These efforts have been meaningful, but we are approaching a saturation point. Despite continued progress in detection, defenders are still falling behind while attackers retain the advantage.
According to CrowdStrike, lateral movement can now occur in an average of just 29 minutes. Within that window, the difference between knowing and uncertainty determines whether an incident is contained or escalates. Visibility remains essential, but the ability to move through the OODA loop — observe, orient, decide and act — within an increasingly compressed time window matters more.
Security teams are not constrained by a lack of alerts or data; they are constrained by a lack of answers. Each alert initiates a process that requires analysts to pivot across tools, assemble fragmented context, reconstruct events and determine impact. This process is fundamentally time-bound, and in most environments it still takes hours.
Attackers operate on a much shorter timeline, creating a structural asymmetry that human-driven investigation cannot match. The industry has not failed to improve detection; it has misidentified the primary constraint. Investigation speed is the limiting factor.