Detection vs Determinsim

Why Cybersecurity Evolved Around Detection And Why A Different Approach Is Emerging


Modern cybersecurity did not arrive at its current state by accident.


For more than two decades, organisations have faced a relentless cycle of new vulnerabilities, evolving attack techniques and increasingly sophisticated threat actors. As digital systems became more interconnected and businesses grew more dependent upon technology, the security industry responded by investing heavily in visibility.


The objective was both logical and necessary. If attackers could not always be prevented from gaining access, organisations needed the ability to identify malicious activity quickly, understand what was happening and respond before significant damage occurred.


This philosophy gave rise to many of the technologies that define modern cybersecurity today:

 Antivirus platforms evolved into Endpoint Detection and Response (EDR),

 Security Information and Event Management (SIEM) systems aggregated and analysed vast quantities of data,

 Threat intelligence services collected information on emerging adversaries,

 Security Operations Centres were established to investigate alerts and coordinate incident response.


Collectively, these technologies transformed organisational visibility. Security teams can now see more data than ever before. They can identify indicators of compromise more rapidly, investigate incidents more efficiently and coordinate responses at a scale that would have been impossible only a decade ago. Yet despite these advances, the volume, sophistication and financial impact of cyberattacks continues to increase.

Every Cyberattack

Must Execute

Regardless of how it is created, an attack cannot succeed without execution.

Visibility Does Not

Equal Control

Modern security tools provide unprecedented visibility, but visibility alone cannot prevent unauthorised execution.

Infinite attack variants.

One execution point.

Attack techniques may constantly evolve, but every attack must ultimately execute to succeed.

USD 4.88M

Average total cost of a breach

292 DAYS

to identify and contain breaches

46%

Share of breaches involving customer personal data

USD 830,000

Largest average cost increase among all industries


According to IBM's Cost of a Data Breach Report, organisations still spend many months identifying and containing breaches. Meanwhile, ransomware continues to disrupt critical services, supply chain attacks continue to affect trusted software ecosystems and Artificial Intelligence is accelerating the creation and variation of malicious code.

 

This is not a failure of detection technologies. It is a consequence of the problem they were designed to solve.


Detection technologies operate once activity has already begun. Their purpose is to recognise, investigate and respond to events occurring within the environment. Success is measured by how quickly compromise can be identified, how accurately it can be understood and how effectively damage can be contained.


The underlying assumption is that attackers may eventually gain access and that security teams must be prepared to detect and respond when they do.


Deterministic approaches begin from a different premise.


Rather than focusing on recognising malicious behaviour, deterministic security focuses on controlling what is authorised to occur in the first place. The distinction may appear subtle, but its implications are profound:


Detection asks whether something is malicious.
Determinism asks whether it is authorised.


The first question requires continuous analysis, interpretation and threat recognition. The second requires a clear understanding of what is permitted within the environment and the ability to enforce that decision consistently.


This is the principle behind Deterministic eXecution Integrity (DXI).

Visibility helps organisations understand events. Deterministic control governs what is allowed to happen.


DXI does not attempt to determine whether software is good or bad.

It does not rely upon signatures, behavioural analysis, threat intelligence feeds or cloud based reputation services. Instead, it focuses on a simpler and more fundamental question: should this execution path be permitted?


If authorised, execution proceeds normally.
If unauthorised, execution is prevented.


This approach shifts cybersecurity away from a model based primarily on observation and reaction towards one centred on authority and control. The result is not the elimination of detection technologies, nor does it remove the need for governance, risk management or security operations. Organisations will always require visibility into their environments and the ability to investigate security events. Rather, deterministic security complements these capabilities by addressing a different challenge altogether.


Detection seeks to understand compromise.
Determinism seeks to prevent unauthorised execution from becoming operational.

 No signatures


 No heuristics

 

 No behavioural analysis

 

 No threat intelligence

dependency

 

 No cloud reliance

 

 No telemetry requirements

When attacks evolve faster than detection, authority becomes the advantage.


The emergence of Artificial Intelligence may prove to be one of the most significant developments in the history of cybersecurity.

Much of modern security is built upon the ability to recognise patterns. Detection systems identify suspicious behaviour, correlate indicators, compare activity against known attack techniques and attempt to distinguish legitimate activity from malicious intent. The effectiveness of these systems depends upon the assumption that defenders can recognise threats quickly enough to take action.


Artificial Intelligence challenges this assumption.


The significance of AI is not simply that it can generate more malware. Rather, it has the potential to reduce the economic advantage traditionally enjoyed by defenders. Attackers can now generate new variants of malicious code at unprecedented speed, automate reconnaissance, create highly personalised phishing campaigns and continuously modify techniques designed to evade detection.


Historically, the creation of sophisticated attack tooling required specialist expertise and significant investment. Artificial Intelligence lowers these barriers and increases the volume, variation and sophistication of potential threats. The challenge for detection based security models is obvious. As the number of potential attack variants increases, the task of recognising and classifying malicious activity becomes increasingly difficult. The problem shifts from identifying known threats to identifying an effectively limitless number of unknown threats.


Execution, however, remains constant.


Regardless of how an attack is created, whether by a human operator, a criminal organisation or an autonomous AI system, the attack must ultimately execute in order to achieve its objective. Malware must execute. Ransomware must execute. Scripts must execute. Exploits must execute. Without execution, the attack cannot become operational.

The question is no longer "Is it malicious?" but "Is it authorised?"


This is why many organisations are beginning to look beyond visibility alone.

The question is no longer simply how quickly threats can be recognised, but whether organisations can retain authority over what is permitted to execute in the first place.

In this context, Deterministic eXecution Integrity represents more than an alternative security approach. It represents a response to a world in which the volume and speed of attack generation may increasingly outpace the ability of traditional security models to recognise every threat.


As organisations face increasingly complex environments, growing regulatory expectations and a threat landscape accelerated by Artificial Intelligence, many are beginning to recognise that visibility alone is not enough.


For more than two decades, cybersecurity has focused on improving visibility. Organisations have become increasingly capable of seeing what is happening within their environments, understanding compromise and coordinating effective responses. Visibility remains important. However, as Artificial Intelligence accelerates the creation of new threats and reduces the barriers to sophisticated attack development, visibility alone may no longer be sufficient.


The next evolution of cybersecurity is not simply seeing more. It is exercising greater authority over what is permitted to execute. That is the difference between detection and determinism.

See It Working

Schedule a technical demonstration.

Research & Analysis

Explore our collection of technical publications.