Computer networks are often configured to incorporate network security systems in order to protect the networks against malicious activity. Such malicious activity can include, for example, deployment of malware that is utilized by attackers to create networks of compromised computers or “botnets.”
Network security systems can be designed to protect a computer network of a large enterprise comprising many thousands of host devices, also referred to herein as simply “hosts.” However, enterprise computer networks are in many cases continuously growing in size, and often incorporate a diverse array of host devices, including mobile telephones, laptop computers and tablet computers. This continuous growth can make it increasingly difficult to provide a desired level of protection using the limited resources of the network security system. For example, available network security system functionality such as processing of security alerts and deployment of attack remediation measures on host devices can be strained by the demands of large enterprise networks.
Moreover, recent years have seen the rise of increasingly sophisticated attacks including advanced persistent threats (APTs) which can pose severe risks to enterprises. These APTs are typically orchestrated by well-funded attackers using advanced tools to adapt to the victim environment while maintaining low profiles of activity. As a result, anti-virus software, firewalls, web proxies and other traditional security technologies typically deployed by enterprise network security systems today often fail at detecting and remediating malicious activity at a sufficiently early stage. To further complicate matters, the volume of alerts generated by these products quite often overwhelms the security staff, who have no way of prioritizing the alerts or quickly weeding out false alarms.
Many enterprises are complementing the above-noted traditional defenses with manual analysis performed by incident response teams. For example, these enterprises may employ “hunters” to search for malicious activity that has evaded their automated security technologies. However, such arrangements are not scalable, both due to a lack of qualified people and the high rate at which malware is invading the enterprise.
Accordingly, there remains an unacceptably large gap between an attacker's “time-to-compromise” of an enterprise computer network and a defender's “time-to-discover” of the corresponding internal breach.