SANS: Detecting Malicious Activity in Large Enterprises

In this paper, our mission is to explore advanced threat detection at enterprise scale. We focus on techniques that scale with organizational growth and with the explosion of data available to security analysts today. Many detection techniques are rooted in yesterday's logic: they are built around single-source concepts or naively reduced to text searches for an indicator such as an IP address, a web domain or a computed hash. These techniques worked before. Today, however, attackers are quick to morph their malware, introduce new techniques and abuse organizations in ways previously unseen.