What is threat management?

Threat management is the process of detecting, preventing and responding to cyberthreats. Effective threat management tools and procedures can help reduce the risk of cyberattacks.


Why is threat management important?

As attackers adapt their methods to evade current defences, managing and mitigating threats is vital for businesses. IT security professionals need threat management tools and practices to:

  • Protect critical data
  • Retain customer trust
  • Safeguard operations
  • Prevent costly insider threats and advanced cyberattacks

What challenges exist in threat management?

Some common challenges in managing threats include:

  • Lack of visibility in security systems on the network
  • Limited key performance indicator (KPI) insights and reporting
  • Skill shortage of cybersecurity professionals
  • Evolving cyberthreats like ransomware, phishing and Distributed Denial of Service (DDoS) attacks
  • Malicious or negligent insider threats

What are some examples of common threat types?

The major types of cyberthreats are:

  • Intentional threats, such as phishing, spyware and malware, viruses or denial-of-service (DoS) attacks carried out by bad actors
  • Unintentional threats often due to human error, like clicking on a malicious link or forgetting to update security software

What is an example of threat management?

Unified threat management (UTM) is a comprehensive cyberthreat management solution that protects a network and its users by combining multiple security features or services into one platform. These features can include application control, malware protection, URL filtering, threat intelligence and more.

Product

Cisco Umbrella

Cisco Umbrella solution unifies internet, endpoint and email security in one centralised, cloud-based security platform.

Webinar

How unifying security tools can streamline threat hunting

Discover how you can scale threat management while simplifying security operations.

Demo

Cisco Umbrella Demo

Watch the on-demand demo to discover how the Cisco Umbrella solution can help you block threats, reduce risk and improve performance.

What's the difference between a threat, risk and vulnerability?

Threat

Any potential to exploit a vulnerability and affect the confidentiality, integrity or availability of assets is considered a threat in cybersecurity. An attempted phishing attack through a targeted email is an example of an intentional threat. By contrast, an employee accessing corporate assets from an unsecured, public Wi-Fi network is an unintentional threat.

Vulnerability

A vulnerability is a weakness in a system, software, hardware, application or procedure that an attacker can exploit. Vulnerability management involves patching known vulnerabilities before they can be exploited. An unpatched flaw can allow a threat actor to gain access to assets, install malware, damage data or expose sensitive information to the public.

Risk

Risk in cybersecurity is the likelihood of a threat exploiting a vulnerability and the potential damage it could cause. Since it is impossible to eliminate risk, risk management aims to reduce an organisation's cyber risk to a manageable level. Proactively patching vulnerabilities and mitigating threats are vital steps in this process.

Threat and vulnerability management explained

Reducing your business's risk of cyberattacks starts with threat and vulnerability management. Threat management focuses on monitoring for threats and responding to them, while vulnerability management helps fix system weaknesses before a threat can exploit them. Both strategies are crucial to mitigating cyber risk across an IT environment.

What are some effective ways to detect threats?

Signature-based detection

Signature-based detection relies on predefined patterns or signatures of known threats to identify threats and trigger an alert. This method can be effective for recognising known threats but is less effective against unknown or evolving threats that lack matching signatures.

In the past, antivirus software relied on signatures to identify viruses, but malware authors have learned to alter their code so that it no longer matches known signatures. Today's next-generation anti-malware solutions employ advanced technologies like behaviour analysis, machine learning, sandboxing and threat intelligence to detect and block threats.

Indicator-based detection

Indicator-based detection marks files or activity as safe or unsafe based on predefined indicators. Indicators of compromise (IOCs) are the rules most commonly used for this purpose: they act as digital clues that point to malicious activity. IOCs are more effective when paired with other detection methods.

Examples of IOCs are location irregularities, anomalies in Domain Name System (DNS) requests, large numbers of requests for the same file and non-human web traffic behaviour.

Modelling-based detection

Modelling-based detection builds a mathematical model of what normal activity looks like and flags deviations from that baseline over time. A well-trained model can be effective at identifying unknown threats, but this approach requires constant tuning.

For example, user and entity behaviour analytics (UEBA) and network behaviour anomaly detection (NBAD) are forms of threat detection that utilise modelling.

Threat behaviour detection

Threat behaviour detection identifies patterns of behaviour commonly associated with malicious intent. It codifies attacker tradecraft and looks beyond specific indicators to flag actions that align with known attack tactics, techniques and procedures (TTPs). Threat behaviour analysis can capture a wide range of attack tactics, even as they evolve.

Example: An attacker's attempt to escalate privileges and move laterally within a network matches with common attack TTPs and triggers a threat behaviour alert.

Threat intelligence

Global threat intelligence continuously gathers and analyses data from diverse sources worldwide to identify emerging threats. This method detects threats by comparing current network activity to historical and global patterns, enabling rapid recognition of abnormal behaviours or IOCs.

For instance, by tracking unusual spikes in network traffic from multiple regions, this approach can uncover coordinated DDoS attacks or widespread malware outbreaks.
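The four detection approaches described above (signature, indicator, modelling and behaviour) differ mainly in what they compare telemetry against. The following is an added illustrative example, not Cisco's code or any product's logic: each approach is reduced to a small function and run over a constructed event stream. All hashes, domains, IP addresses, hostnames, baseline counts and event type names (`priv_esc`, `lateral_move`) are invented for the example; the documentation IP range 203.0.113.0/24 and `.example` domains are used so that nothing points at a real system.

```python
# Added illustrative example (not from the original page): four detection styles
# applied to constructed sample telemetry. Every indicator below is hypothetical.
import re
import statistics
from collections import Counter, defaultdict

# --- Constructed "threat intelligence" inputs (none are real indicators) ---
SIGNATURE_HASHES = {"a1b2c3d4e5f60718293a4b5c6d7e8f90"}   # shortened placeholder malware hash
SIGNATURE_PATTERNS = [                                      # hypothetical command-line signature:
    re.compile(r"-EncodedCommand\s+[A-Za-z0-9+/=]{40,}", re.I)  # long base64 blob after -EncodedCommand
]
IOC_DOMAINS = {"update-check.example"}                      # hypothetical malicious domain from a feed
IOC_IPS = {"203.0.113.7"}                                   # hypothetical malicious IP (documentation range)
BASELINE_DNS_PER_HOUR = [40, 45, 38, 50, 42, 47, 44, 41]    # constructed per-host hourly DNS counts

# --- Constructed event stream: one hour of telemetry from a few hosts ---
EVENTS = [
    {"ts": 100, "host": "ws-01", "type": "file", "hash": "a1b2c3d4e5f60718293a4b5c6d7e8f90"},
    {"ts": 101, "host": "ws-02", "type": "process",
     "cmdline": "powershell.exe -EncodedCommand " + "QUFB" * 12},
    {"ts": 102, "host": "ws-03", "type": "dns", "query": "update-check.example"},
    {"ts": 103, "host": "ws-03", "type": "net", "dst_ip": "203.0.113.7"},
    {"ts": 104, "host": "ws-04", "type": "priv_esc", "user": "svc-backup"},
    {"ts": 130, "host": "ws-04", "type": "lateral_move", "user": "svc-backup", "target": "fs-01"},
    {"ts": 105, "host": "ws-05", "type": "lateral_move", "user": "bob", "target": "fs-02"},
] + [  # ws-06 makes 400 DNS queries in the hour; ws-07 makes a normal 43
    {"ts": 200 + i, "host": "ws-06", "type": "dns", "query": f"h{i}.example.net"} for i in range(400)
] + [
    {"ts": 300 + i, "host": "ws-07", "type": "dns", "query": f"h{i}.example.net"} for i in range(43)
]


def signature_detect(events):
    """Signature-based: exact match on a known-bad hash or a known-bad byte/command pattern."""
    alerts = []
    for e in events:
        if e.get("hash") in SIGNATURE_HASHES:
            alerts.append((e["host"], "known-malware-hash"))
        elif any(p.search(e.get("cmdline", "")) for p in SIGNATURE_PATTERNS):
            alerts.append((e["host"], "encoded-command-signature"))
    return alerts


def ioc_detect(events):
    """Indicator-based: match DNS queries and destination IPs against an IOC feed."""
    alerts = []
    for e in events:
        if e.get("query") in IOC_DOMAINS:
            alerts.append((e["host"], "ioc-domain:" + e["query"]))
        if e.get("dst_ip") in IOC_IPS:
            alerts.append((e["host"], "ioc-ip:" + e["dst_ip"]))
    return alerts


def model_detect(events, baseline=BASELINE_DNS_PER_HOUR, k=3.0):
    """Modelling-based: flag hosts whose DNS volume exceeds mean + k*stdev of the learned baseline."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    counts = Counter(e["host"] for e in events if e["type"] == "dns")
    return [(host, f"dns-volume {n} > {threshold:.1f}") for host, n in counts.items() if n > threshold]


def behaviour_detect(events, window=60):
    """Behaviour-based: privilege escalation followed by lateral movement on the same host within a window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda x: x["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        esc_times = [ev["ts"] for ev in evs if ev["type"] == "priv_esc"]
        for ev in evs:
            if ev["type"] == "lateral_move" and any(0 <= ev["ts"] - t <= window for t in esc_times):
                alerts.append((host, f"priv_esc->lateral_move by {ev['user']} to {ev['target']}"))
    return alerts


def run_detections(events=EVENTS):
    """Run all four detectors and return their alerts keyed by method."""
    return {
        "signature": signature_detect(events),
        "ioc": ioc_detect(events),
        "model": model_detect(events),
        "behaviour": behaviour_detect(events),
    }


if __name__ == "__main__":
    for method, alerts in run_detections().items():
        print(method, alerts)
```

Note what each detector misses: the signature and IOC detectors say nothing about ws-06 or ws-04 because no feed entry describes them, while the baseline model flags ws-06 purely on volume and the behaviour rule flags ws-04 from the sequence of actions rather than any specific artefact. The lone `lateral_move` on ws-05 does not fire, which is the kind of tuning decision (window length, required preceding step) the text refers to.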

How does threat management work?

Many comprehensive threat management systems follow the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) to proactively manage cyberthreats and lower cyber risk. The primary functions are: identify assets, protect access, detect threats, respond to events and recover from them. Learn how each step manages threats below.

Identify

The first step to cyberthreat management requires a thorough inventory of the organisation's critical assets and resources. This function helps you understand your business environment, supply chain, governance model and asset management so that you can identify vulnerabilities, threats and risk to your assets.

Protect

The protect function involves implementing security tools, processes and solutions to safeguard sensitive information and manage threats and vulnerabilities. This includes utilising access controls, identity management, data backup and protection, vulnerability remediation and user training.

Detect

The detect function uses threat detection tools to continuously monitor systems for potential threats so they can be remediated before a disaster occurs. Threat intelligence, threat hunting, user and entity behaviour analytics, network monitoring and endpoint monitoring are examples of threat detection tools that identify potential threats and enable quick responses.

Respond

When a security event is detected, the respond function helps teams execute the right procedure. It is important to create an incident response plan (IRP), test and improve the procedure, and communicate with stakeholders. Threat detection and response solutions can optimise the process by identifying threats and delivering automated responses.

Recover

The final step of threat management is restoring systems back to normal after an attack, breach or other cybersecurity event. The IRP should include steps to swiftly restore data, systems and operations to help ensure business continuity. Any lessons learned can be used to update the IRP for improved threat management and security resilience.

What are the types of threat management?

Unified threat management (UTM)

UTM security combines multiple network security features or services into a unified platform or appliance that can be managed on-premises or from the cloud. UTM cybersecurity features vary per vendor but often include a VPN, application visibility and control, malware protection, content and URL filtering, threat intelligence and intrusion prevention systems (IPS).

Managed detection and response (MDR)

MDR is a threat management service led by a team of skilled security experts who monitor security data 24/7 to rapidly detect and respond to threats. MDR solutions leverage advanced threat intelligence tools and human investigation to identify and contain threats faster for organisations.

Extended detection and response (XDR)

XDR solutions provide visibility into data across networks, clouds, endpoints and applications. They employ analytics and automation to detect, analyse, hunt and remediate immediate and potential threats.

Security information and event management (SIEM)

SIEM is a security tool that aggregates log and event data, threat intelligence and security alerts. SIEM cybersecurity software applies customised rules to prioritise threat alerts, helping security professionals better interpret data and respond to events faster.

Security orchestration, automation and response (SOAR)

SOAR is a technology stack that streamlines threat management. It automates processes, orchestrates security tools and facilitates incident response. SOAR enhances efficiency by reducing manual tasks, accelerating incident resolution and enabling better collaboration among security teams.

Vulnerability management (VM)

VM is a proactive component of threat management that aims to reduce the risk of exploits. VM solutions help identify, track, prioritise and remediate security weaknesses and flaws in IT systems and software to reduce the risk of exploitation, data leakage and cyberattacks.

Next-generation intrusion prevention system (NGIPS)

NGIPS delivers advanced threat defence by analysing users, applications, devices and vulnerabilities across the network, for on-premises devices, cloud infrastructure and common hypervisors. NGIPS supports network segmentation, enforces cloud security and prioritises vulnerabilities for patching.

Advanced malware protection (AMP)

AMP is anti-malware software that defends against sophisticated malware threats. AMP protects computer systems by proactively identifying and blocking malicious software such as spyware, worms, ransomware, Trojans and adware.

Next-generation firewall (NGFW)

An NGFW is a network security device that enforces security policies on network traffic, allowing legitimate traffic while blocking modern threats like application-layer attacks and advanced malware. A threat-focused NGFW adds context awareness, dynamic remediation and correlation of network and endpoint events, reducing the time from detection to recovery.