What is threat management?

Threat management is the process of detecting, preventing, and responding to cyberthreats. Effective threat management tools and procedures can help reduce the risk of cyberattacks.

Why is threat management important?

As attackers adapt their methods to evade current defenses, managing and mitigating threats is vital for businesses. IT security professionals need threat management tools and practices to:

  • Protect critical data
  • Retain customer trust
  • Safeguard operations
  • Prevent costly insider threats and advanced cyberattacks

What challenges exist in threat management?

Some common challenges in managing threats include:

  • Lack of visibility into the security systems deployed across the network
  • Limited key performance indicator (KPI) insights and reporting
  • Skill shortage of cybersecurity professionals
  • Evolving cyberthreats like ransomware, phishing, and Distributed Denial of Service (DDoS) attacks
  • Malicious or negligent insider threats

What are some examples of common threat types?

The major types of cyberthreats are:

  • Intentional threats, such as phishing, spyware and malware, viruses, or denial-of-service (DoS) attacks carried out by bad actors
  • Unintentional threats often due to human error, like clicking on a malicious link or forgetting to update security software

What is an example of threat management?

Unified threat management (UTM) is a comprehensive cyberthreat management solution that protects a network and its users by combining multiple security features or services into one platform. These features can include application control, malware protection, URL filtering, threat intelligence, and more.

What's the difference between a threat, risk, and vulnerability?

Threat

Any potential to exploit a vulnerability and affect the confidentiality, integrity, or availability of assets is considered a threat in cybersecurity. An attempted phishing attack through a targeted email is an example of an intentional threat. By contrast, an employee accessing corporate assets from an unsecured, public Wi-Fi network is an unintentional threat.

Vulnerability

A vulnerability is a weakness in a system, software, hardware, application, or procedure that an attacker can exploit. Vulnerability management involves patching known vulnerabilities before they can be exploited. An unpatched flaw can allow a threat actor to gain access to assets, install malware, damage data, or expose sensitive information to the public.

Risk

Risk in cybersecurity is the likelihood of a threat exploiting a vulnerability and the potential damage it could cause. Since it is impossible to eliminate risk, risk management aims to reduce an organization's cyber risk to a manageable level. Proactively patching vulnerabilities and mitigating threats are vital steps in this process.

Threat and vulnerability management explained

Reducing your business's risk of cyberattacks starts with threat and vulnerability management. Threat management focuses on monitoring for threats and responding to them, while vulnerability management helps fix system weaknesses before a threat can exploit them. Both strategies are crucial to mitigating cyber risk across an IT environment.

What are some effective ways to detect threats?

Signature-based detection

Signature-based detection relies on predefined patterns or signatures of known threats to identify threats and trigger an alert. This method can be effective for recognizing known threats but is less effective against unknown or evolving threats that lack matching signatures.

In the past, antivirus software relied on signatures to identify viruses, but malware authors have learned to alter their code so that it no longer matches known signatures. Today's next-generation malware solutions employ advanced technologies like behavior analysis, machine learning, sandboxing, and threat intelligence to detect and block threats.

Indicator-based detection

Indicator-based detection marks files or activity as safe or unsafe based on predefined indicators. Indicators of compromise (IOCs) are the rules most commonly used for indicator-based threat detection: they act as digital clues that point to malicious activity. IOCs are most effective when paired with other detection methods.

Examples of IOCs are location irregularities, anomalies in Domain Name System (DNS) requests, large numbers of requests for the same file, and non-human web traffic behavior.

Modeling-based detection

Modeling defines a normal state through mathematical models and identifies any deviations over time. A well-trained model can be effective at identifying unknown threats, but this approach requires constant tuning.

For example, user and entity behavior analytics (UEBA) and network behavioral anomaly detection (NBAD) are forms of threat detection that utilize modeling.

Threat behavior detection

Threat behavior detection identifies patterns of behavior commonly associated with malicious intent. It codifies attacker tradecraft and looks beyond specific indicators to flag actions that align with known attack tactics, techniques, and procedures (TTPs). Threat behavior analysis can capture a wide range of attack tactics, even as they evolve.

Example: An attacker's attempt to escalate privileges and move laterally within a network matches common attack TTPs and triggers a threat behavior alert.

Threat intelligence

Global threat intelligence continuously gathers and analyzes data from diverse sources worldwide to identify emerging threats. This method detects threats by comparing current network activity to historical and global patterns, enabling rapid recognition of abnormal behaviors or IOCs.

For instance, by tracking unusual spikes in network traffic from multiple regions, this approach can uncover coordinated DDoS attacks or widespread malware outbreaks.
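The following is an added example, not code from Cisco or from the original page, that runs four of the detection styles described above (signature-based, indicator-based, modeling-based, and threat behavior detection) over a small set of constructed events. Every hash, hostname, domain, and event in it is a made-up sample value; the behavior detector also assumes the telemetry has already been labelled with a tactic name (such as `privilege_escalation`) by an endpoint agent, which is an assumption of the example rather than something the page states.

```python
# Added example: four detection approaches applied to constructed telemetry.
# All hashes, host names, domains and events below are made-up sample values.
import hashlib
import statistics
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample telemetry -------------------------------------------
KNOWN_BAD_SAMPLE = b"constructed-malware-sample-v1"
VARIANT_SAMPLE = b"constructed-malware-sample-v2"  # repacked variant: new hash, same behaviour

# File-write events: (host, file_name, sha256 of the written file)
FILE_EVENTS = [
    ("ws-01", "report.pdf", sha256(b"harmless document")),
    ("ws-02", "update.exe", sha256(KNOWN_BAD_SAMPLE)),  # matches a known signature
    ("ws-03", "update.exe", sha256(VARIANT_SAMPLE)),    # no matching signature
]

# DNS events: (minute, host, queried_name). Ten minutes of steady per-host
# volume, plus one IOC lookup and one burst of tunnel-style queries.
BASELINE_COUNTS = {"ws-01": 4, "ws-02": 5, "ws-03": 3, "ws-04": 6, "ws-05": 4}
DNS_EVENTS = [
    (minute, host, f"cdn{i}.example.net")
    for minute in range(10)
    for host, n in BASELINE_COUNTS.items()
    for i in range(n)
]
DNS_EVENTS.append((4, "ws-02", "c2.malicious.example"))                    # hits the IOC list
DNS_EVENTS += [(9, "ws-03", f"{i:04x}.tunnel.example") for i in range(60)]  # volume spike

# Tactic-labelled endpoint events: (minute, host, tactic) -- assumed labelling
BEHAVIOR_EVENTS = [
    (2, "ws-01", "credential_access"),
    (5, "ws-02", "privilege_escalation"),
    (7, "ws-02", "lateral_movement"),
    (6, "ws-04", "lateral_movement"),  # admin's routine jump-host use, no escalation before it
]

# --- Detectors ---------------------------------------------------------------
SIGNATURES = {sha256(KNOWN_BAD_SAMPLE): "Constructed.Dropper.A"}  # constructed signature name
IOC_DOMAINS = {"c2.malicious.example"}


def signature_detect(file_events, signatures=SIGNATURES):
    """Exact lookup of file hashes against known-bad signatures.
    The repacked variant on ws-03 is missed, as the text describes."""
    return [(host, name, signatures[h]) for host, name, h in file_events if h in signatures]


def ioc_detect(dns_events, ioc_domains=IOC_DOMAINS):
    """Flag DNS queries for a listed indicator or any of its subdomains."""
    return [
        (minute, host, qname)
        for minute, host, qname in dns_events
        if any(qname == d or qname.endswith("." + d) for d in ioc_domains)
    ]


def baseline_detect(dns_events, train_minutes=range(0, 8), z_threshold=3.0):
    """Modeling-based detection: learn each host's per-minute query volume from
    a training window, then flag later minutes whose volume exceeds the host's
    mean by more than z_threshold standard deviations."""
    per_minute = Counter((m, h) for m, h, _ in dns_events)
    anomalies = []
    for host in {h for _, h, _ in dns_events}:
        train = [per_minute.get((m, host), 0) for m in train_minutes]
        mean = statistics.mean(train)
        stdev = statistics.pstdev(train) or 1.0  # constant baseline: fall back to unit scale
        for (minute, h), n in per_minute.items():
            if h == host and minute not in train_minutes and (n - mean) / stdev > z_threshold:
                anomalies.append((minute, host, n))
    return sorted(anomalies)


def behavior_detect(events, window=10):
    """Threat behavior detection: privilege escalation followed by lateral
    movement on the same host within `window` minutes, whatever tool was used."""
    escalations = [(m, h) for m, h, t in events if t == "privilege_escalation"]
    return [
        (h2, m1, m2)
        for m2, h2, t in events if t == "lateral_movement"
        for m1, h1 in escalations if h1 == h2 and 0 <= m2 - m1 <= window
    ]


if __name__ == "__main__":
    print("signature:", signature_detect(FILE_EVENTS))
    print("ioc:      ", ioc_detect(DNS_EVENTS))
    print("baseline: ", baseline_detect(DNS_EVENTS))
    print("behavior: ", behavior_detect(BEHAVIOR_EVENTS))
```

Each detector catches something the others do not: the signature lookup finds the known sample but not its repacked variant, the IOC list finds the single command-and-control lookup that is invisible to volume statistics, the baseline model finds the query burst on a host that never touched a listed indicator, and the behavior rule fires on the escalate-then-move sequence even though no hash or domain is involved. This is the reason the page recommends pairing IOCs with other methods.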

How does threat management work?

Many comprehensive threat management systems follow the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) to proactively manage cyberthreats and lower cyber risk. The primary functions are: identify assets, protect access, detect threats, respond to events, and recover operations. Learn how each step manages threats below.

Identify

The first step in cyberthreat management requires a thorough inventory of the organization's critical assets and resources. This function helps you understand your business environment, supply chain, governance model, and asset management so you can identify the vulnerabilities, threats, and risks to your assets.

Protect

The protect function involves implementing security tools, processes, and solutions to safeguard sensitive information and manage threats and vulnerabilities. This includes utilizing access controls, identity management, data backup and protection, vulnerability remediation, and user training.

Detect

The detect function uses threat detection tools to continuously monitor systems for potential threats so they can be remediated before a disaster occurs. Threat intelligence, threat hunting, user and behavior analytics, network monitoring, and endpoint monitoring are examples of threat detection tools that identify potential threats and enable quick responses.

Respond

When a security event is detected, the respond function helps teams execute the right procedure. It is important to create an incident response plan (IRP), test and improve the procedure, and communicate with stakeholders. Threat detection and response solutions can optimize the process by identifying threats and delivering automated responses.

Recover

The final step of threat management is restoring systems back to normal after an attack, breach, or other cybersecurity event. The IRP should include steps to swiftly restore data, systems, and operations to help ensure business continuity. Any lessons learned can be used to update the IRP for improved threat management and security resilience.

What are the types of threat management?

Unified threat management (UTM)

UTM security combines multiple network security features or services into a unified platform or appliance that can be managed on-premises or from the cloud. UTM cybersecurity features vary per vendor but often include a VPN, application visibility and control, malware protection, content and URL filtering, threat intelligence, and intrusion prevention systems (IPS).

Managed detection and response (MDR)

MDR is a threat management service led by a team of skilled security experts who monitor security data 24/7 to rapidly detect and respond to threats. MDR solutions leverage advanced threat intelligence tools and human investigation to identify and contain threats faster for organizations.

Extended detection and response (XDR)

XDR solutions provide visibility into data across networks, clouds, endpoints, and applications. They employ analytics and automation to detect, analyze, hunt, and remediate immediate and potential threats.

Security information and event management (SIEM)

SIEM is a security tool that aggregates log and event data, threat intelligence, and security alerts. SIEM cybersecurity software applies customized rules to prioritize threat alerts, helping security professionals better interpret data and respond to events faster.

Security orchestration, automation, and response (SOAR)

SOAR is a technology stack that streamlines threat management. It automates processes, orchestrates security tools, and facilitates incident response. SOAR enhances efficiency by reducing manual tasks, accelerating incident resolution, and enabling better collaboration among security teams.

Vulnerability management (VM)

VM is a proactive component of threat management that aims to reduce the risk of exploits. VM solutions help identify, track, prioritize, and remediate security weaknesses and flaws in IT systems and software to reduce the risk of exploitation, data leakage, and cyberattacks.

Next-generation intrusion prevention system (NGIPS)

NGIPS delivers advanced threat defense by analyzing users, applications, devices, and vulnerabilities across the network, for on-premises devices, cloud infrastructure, and common hypervisors. NGIPS supports network segmentation, enforces cloud security, and prioritizes vulnerabilities for patching.

Advanced malware protection (AMP)

AMP is antivirus software that defends against sophisticated malware threats. AMP protects computer systems by proactively identifying and blocking malicious software such as spyware, worms, ransomware, Trojans, and adware.

Next-generation firewall (NGFW)

An NGFW is a network security device that enforces security policies on network traffic, allowing legitimate traffic while blocking modern threats like application-layer attacks and advanced malware. A threat-focused NGFW adds context awareness, dynamic remediation, and network and endpoint event correlation that reduce detection-to-recovery time.