Anomaly-based security systems

Finally, cybersecurity tools got a major update that allowed them to actively scan traffic and program execution and to determine any deviation from normal patterns. Cybersecurity moved from signature-based detection to anomaly-based detection. For instance, firewalls were built to detect when servers were accepting many outside connections from new clients at a higher rate than normal. This would be a sign that the connections were illegitimate and coming from a botnet, so such connections would be dropped. Many cybersecurity vendors came up with tools that allowed organizations to do real-time threat analysis, thus preventing attacks from unknown attack vectors.
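As an added example (not from the original text), the following Python sketches the rate-based check described above: it learns a baseline of how many never-seen clients connect per minute, then flags later minutes that exceed that baseline. The log format, addresses and thresholds are all constructed for illustration.

```python
"""Anomaly-based detector for a burst of connections from new clients (added example)."""
from datetime import datetime
from statistics import mean, pstdev


def constructed_log():
    """Constructed sample: one known client every minute, a trickle of new
    clients for ten minutes, then a burst of 40 never-seen clients in minute 10."""
    lines, nxt = [], 0
    for minute, n_new in enumerate([1, 2, 1, 3, 2, 1, 2, 1, 2, 1, 40, 2]):
        lines.append(f"2024-05-01T12:{minute:02d}:00 198.51.100.250 -> 192.0.2.10:443")
        for j in range(n_new):
            lines.append(f"2024-05-01T12:{minute:02d}:{j + 1:02d} 203.0.113.{nxt} -> 192.0.2.10:443")
            nxt += 1
    return lines


def parse(line):
    """Log line format (constructed): '<ISO timestamp> <client_ip> -> <server>:<port>'."""
    ts, client, _arrow, _server = line.split()
    return datetime.fromisoformat(ts), client


def new_client_rate(lines):
    """Per-minute count of connections from clients never seen before, in time order."""
    seen, counts = set(), {}
    for ts, client in sorted(parse(line) for line in lines):
        minute = ts.replace(second=0, microsecond=0).isoformat()
        counts.setdefault(minute, 0)
        if client not in seen:
            seen.add(client)
            counts[minute] += 1
    return sorted(counts.items())


def detect(lines, baseline_minutes=10, k=3.0, min_excess=2):
    """Learn 'normal' from the first windows, then flag later windows whose
    new-client count exceeds mean + k * stdev. min_excess is a floor so that a
    flat baseline (stdev 0) does not turn a single extra client into an alert,
    which is exactly the false-positive problem signature tools suffered from."""
    rates = new_client_rate(lines)
    base = [n for _, n in rates[:baseline_minutes]]
    threshold = max(mean(base) + k * pstdev(base), mean(base) + min_excess)
    return [(window, n) for window, n in rates[baseline_minutes:] if n > threshold]


if __name__ == "__main__":
    for window, n in detect(constructed_log()):
        print(f"ALERT {window}: {n} connections from new clients, above baseline")
```

Only the minute with the burst is flagged; the quiet minute after it, with two new clients, stays below the learned threshold.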

Anomaly-based security tools also solved a significant problem that the cybersecurity industry was facing: the reporting of false positives. Initially, cybersecurity tools were simply made more thorough in checking for malicious programs and activities. It reached the point where they were so thorough that they reported harmless programs and activities as security threats. This was most common in network security tools, which were becoming highly inefficient at separating actual threats from activities that merely resembled them. False positives were making the security tools unreliable. Network and security admins had to ignore many of the reported threats, and sometimes they ignored legitimate threats in the process. The introduction of anomaly-based security tools ensured that the detected threats were real threats that needed to be stopped.

Anomaly-based security systems also made detection easier. Initially, cybersecurity tools had to check traffic against many signatures, and this slowed down the performance of networks and systems. Anomaly-based tools did not have to refer to a signature database. Instead, they did real-time analysis to check whether traffic or apps had abnormal behavior. Lastly, anomaly-based tools countered many social engineering attacks. On the network, these tools captured packet headers to read origin and destination IP addresses and thus allowed in traffic from known sources. Traffic from unknown sources was subjected to thorough checks to find more details, such as whether the origin had been blacklisted or reported as malicious by other security tools.

The main limitation of anomaly-based detection was that humans had to be involved in making key decisions. Therefore, tools with these capabilities were more hands-on than autonomous. Enterprises did not have enough workers to tend to all the alerts that these systems sent and that needed human intervention. Therefore, the cybersecurity industry decided to further improve these solutions to make them more accurate and autonomous. A lot of research was done on ML and AI. Today, cybersecurity companies are increasingly considering adding ML and AI to their cybersecurity products, and the future is expected to be dominated by such products.