
What Is Threat Detection and Response (TDR)?

Learn how to protect your organization’s assets by proactively identifying and mitigating cybersecurity risks with threat detection and response.

Threat detection and response (TDR) defined

Threat detection and response is a cybersecurity process for identifying cyberthreats to an organization’s digital assets and taking steps to mitigate them as quickly as possible.

How does threat detection and response work?

To address cyberthreats and other security issues, many organizations set up a security operations center (SOC), which is a centralized function or team responsible for improving an organization’s cybersecurity posture and preventing, detecting, and responding to threats. In addition to monitoring and responding to ongoing cyberattacks, a SOC also does proactive work to identify emerging cyberthreats and organizational vulnerabilities. Most SOC teams, which may be onsite or outsourced, operate around the clock, seven days a week.

The SOC uses threat intelligence and technology to uncover an attempted, successful, or in-progress breach. Once a cyberthreat is identified, the security team uses threat detection and response tools to eliminate or mitigate the issue.

Threat detection and response typically includes the following stages:
 
  • Detection. Security tools that monitor endpoints, identities, networks, apps, and clouds help surface risks and potential breaches. Security professionals also use cyberthreat hunting techniques to uncover sophisticated cyberthreats that evade detection.
  • Investigation. Once a risk is identified, the SOC uses AI and other tools to confirm the cyberthreat is real, determine how it happened, and assess what company assets are affected.
  • Containment. To stop the spread of a cyberattack, cybersecurity teams and automated tools isolate infected devices, identities, and networks from the rest of the organization’s assets.
  • Eradication. Teams eliminate the root cause of a security incident with the goal of evicting the bad actor completely from the environment. They also mitigate vulnerabilities that may put the organization at risk of a similar cyberattack.
  • Recovery. After teams are reasonably confident that a cyberthreat or vulnerability has been removed, they bring any isolated systems back online.
  • Report. Depending on the severity of the incident, security teams will document and brief leaders, executives, and/or the board on what happened and how it was resolved.
  • Risk mitigation. To prevent a similar breach from happening again and to improve response in the future, teams study the incident and identify changes to make to the environment and processes.

What is threat detection?

Identifying cyberthreats has grown increasingly difficult as organizations have expanded their cloud footprint, connected more devices to the internet, and transitioned to a hybrid workplace. Bad actors take advantage of this expanded attack surface and the fragmentation of security tools with the following types of tactics:
 
  • Phishing campaigns. One of the most common ways that bad actors infiltrate a company is by sending emails that trick employees into downloading malicious code or providing their credentials.
  • Malware. Many cyberattackers deploy software that is designed to damage computers and systems or collect sensitive information.
  • Ransomware. A type of malware that attackers use to hold critical systems and data hostage, threatening to release private data or to hijack cloud resources to mine bitcoin until a ransom is paid. Recently, human-operated ransomware, in which a group of cyberattackers gains access to an organization’s entire network, has become a growing issue for security teams.
  • Distributed denial-of-service (DDoS) attacks. Using a series of bots, bad actors disrupt a website or service by flooding it with traffic.
  • Insider threat. Not all cyberthreats come from outside an organization. There’s also a risk that trusted people with access to sensitive data may inadvertently or maliciously harm the organization.
  • Identity-based attacks. Most breaches involve compromised identities, which is when cyberattackers steal or guess user credentials and use them to gain access to an organization’s systems and data.
  • Internet of Things (IoT) attacks. IoT devices are also vulnerable to cyberattack, especially legacy devices that don’t have the built-in security controls that modern devices do.
  • Supply chain attacks. Sometimes a bad actor targets an organization by tampering with software or hardware that is supplied by a third-party vendor.
  • Code injection. By exploiting vulnerabilities in how source code handles external data, cybercriminals inject malicious code into an application.

Detecting threats

To get ahead of rising cybersecurity attacks, organizations use threat modeling to define security requirements, identify vulnerabilities and risks, and prioritize remediation. Using hypothetical scenarios, the SOC tries to get inside the mind of cybercriminals so they can improve the organization’s ability to prevent or mitigate security incidents. The MITRE ATT&CK® framework is a useful model for understanding common cyberattack techniques and tactics.

A multilayer defense requires tools that provide continuous real-time monitoring of the environment and surface potential security issues. Solutions also must overlap, so that if one detection method is compromised, a second one will detect the issue and notify the security team. Cyberthreat detection solutions use a variety of methods to identify threats, including:
 
  • Signature-based detection. Many security solutions scan software and traffic to identify unique signatures that are associated with a specific type of malware.
  • Behavior-based detection. To help catch new and emerging cyberthreats, security solutions also look for actions and behaviors that are common in cyberattacks.
  • Anomaly-based detection. AI and analytics help teams understand the typical behaviors of users, devices, and software so that they can identify something unusual that may indicate a cyberthreat.
Although software is critical, people play an equally important role in cyberthreat detection. In addition to triaging and investigating system-generated alerts, analysts use cyberthreat hunting techniques to proactively search for indicators of compromise, or they look for tactics, techniques, and procedures that suggest a potential threat. These approaches help the SOC quickly uncover and stop sophisticated, hard-to-detect attacks.
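The three detection methods listed above are easiest to understand side by side on the same data. The following Python script is an added illustration, not Microsoft code or part of any Microsoft product: it runs a signature check (a known-bad file hash), a behavior check (an Office application spawning a command shell with an encoded command line), and an anomaly check (a per-user launch count compared against that user's historical baseline) over a handful of constructed process-creation events. The JSON field names, the hashes, the user and host names, and the baseline counts are all made up for the example; nothing here is a real indicator.

```python
"""Signature-, behavior-, and anomaly-based detection over constructed endpoint telemetry."""
import json
import statistics
from collections import defaultdict


def _event(ts, user, proc, sha256, cmd, parent):
    # Constructed process-creation record in a made-up JSON-lines format.
    return json.dumps({"ts": ts, "host": "ws01", "user": user, "proc": proc,
                       "sha256": sha256, "cmd": cmd, "parent": parent})


# Constructed sample log: alice opens a document that spawns an encoded
# PowerShell, bob runs a file with a "known bad" hash, and carol launches far
# more processes than her baseline says she normally does.
SAMPLE_LOG = [
    _event(1, "alice", "winword.exe", "aa11", "winword.exe report.docx", "explorer.exe"),
    _event(2, "alice", "powershell.exe", "bb22", "powershell.exe -enc <base64>", "winword.exe"),
    _event(3, "bob", "dropper.exe", "deadbeef", "dropper.exe", "explorer.exe"),
] + [_event(10 + i, "carol", "cmd.exe", "cc33", f"cmd.exe /c job{i}", "svc.exe") for i in range(8)]

# Constructed per-user baseline: launch counts seen in previous windows.
BASELINE = {"alice": [2, 2, 3, 3], "bob": [1, 1, 1, 1], "carol": [2, 3, 2, 3]}

KNOWN_BAD_HASHES = {"deadbeef"}          # constructed "signature" list
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def parse(lines):
    return [json.loads(line) for line in lines]


def signature_hits(events):
    # Signature-based: exact match on a hash we have already labelled malicious.
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def behavior_hits(events):
    # Behavior-based: an Office process launching a shell with an encoded
    # command is a pattern, not a specific file, so it catches unknown samples.
    return [e for e in events
            if e["parent"] in OFFICE_APPS and e["proc"] in SHELLS and "-enc" in e["cmd"]]


def anomaly_hits(events, baseline, threshold=3.0):
    # Anomaly-based: compare each user's launch count in this window against
    # the mean and standard deviation of their own history (a z-score).
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    hits = []
    for user, n in counts.items():
        history = baseline.get(user)
        if not history or len(history) < 2:
            continue  # no baseline yet: cannot call anything anomalous
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # avoid division by zero on flat history
        z = (n - mean) / sd
        if z > threshold:
            hits.append((user, n, round(z, 2)))
    return hits


def detect(lines=SAMPLE_LOG, baseline=BASELINE):
    events = parse(lines)
    return {"signature": signature_hits(events),
            "behavior": behavior_hits(events),
            "anomaly": anomaly_hits(events, baseline)}


if __name__ == "__main__":
    for method, hits in detect().items():
        print(f"{method}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Each method finds exactly one of the three planted cases and misses the other two, which is the point of the overlapping-solutions advice above: the hash check is blind to the macro-spawned shell, the behavior rule is blind to a renamed dropper, and the baseline comparison only notices volume. Real products combine all three and layer threat intelligence on top.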

What is threat response?

After a credible cyberthreat has been identified, threat response includes any actions that the SOC takes to contain and eliminate it, recover, and reduce the chances that a similar attack will happen again. Many companies develop an incident response plan to guide them during a potential breach, when being organized and moving quickly is critical. A good incident response plan includes playbooks with step-by-step guidance for specific types of threats, roles and responsibilities, and a communication plan.

Components, benefits, and best practices of TDR

Organizations use a variety of tools and processes to detect and respond to threats. Effective threat detection and response improves resilience, minimizes breaches, and fosters practices that help teams collaborate and reduce the frequency and cost of cyberattacks.

Extended detection and response

Extended detection and response (XDR) products help SOCs simplify the entire prevention, detection, and response cyberthreat lifecycle. These solutions monitor endpoints, cloud apps, email, and identities. If an XDR solution detects a cyberthreat, it alerts security teams and responds automatically to certain incidents based on criteria that the SOC defines.

Identity threat detection and response

Because bad actors often target employees, it’s important to put in place tools and processes for identifying and responding to threats to an organization’s identities. These solutions typically use user and entity behavior analytics (UEBA) to define baseline user behavior and uncover anomalies that represent a potential threat.

Security information and event management

Gaining visibility into the entire digital environment is step one in understanding the threat landscape. Most SOC teams use security information and event management (SIEM) solutions that aggregate and correlate data across endpoints, clouds, emails, apps, and identities. These solutions use detection rules and playbooks to surface potential cyberthreats by correlating logs and alerts. Modern SIEMs also use AI to uncover cyberthreats more effectively, and they incorporate external threat intelligence feeds, so they can identify new and emerging cyberthreats.
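The value of a SIEM comes from correlating events that look unremarkable on their own. The script below is an added example, not Microsoft code or a Microsoft Sentinel rule: it parses constructed identity-provider and endpoint log lines in a made-up key=value format, flags a successful logon that follows a burst of failures within five minutes, and only raises an incident when the same user's endpoint records a persistence-style event (here, a service installation) within ten minutes of that logon. The log format, timestamps, usernames, IP addresses, and event names are all constructed; the thresholds are illustrative defaults, not recommendations.

```python
"""SIEM-style correlation of identity and endpoint events (constructed sample data)."""
import re
from datetime import datetime, timedelta

# Constructed identity-provider log: five failures then a success for alice,
# and an ordinary success for bob with no preceding failures.
IDENTITY_LOG = [
    "2024-05-01T09:00:01Z idp user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:05Z idp user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:09Z idp user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:13Z idp user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:17Z idp user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:40Z idp user=alice src=203.0.113.7 result=SUCCESS",
    "2024-05-01T09:05:00Z idp user=bob src=198.51.100.9 result=SUCCESS",
]

# Constructed endpoint log: both users install a service, but only alice's
# follows a suspicious logon closely enough to correlate.
ENDPOINT_LOG = [
    "2024-05-01T09:02:10Z edr host=ws01 user=alice event=service_installed name=updater",
    "2024-05-01T09:30:00Z edr host=ws02 user=bob event=service_installed name=backup",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")
SUSPICIOUS_ENDPOINT_EVENTS = {"service_installed", "scheduled_task_created"}


def parse_line(line):
    """Turn '<iso-ts> <source> k=v k=v ...' into a dict with a datetime ts."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = m.group("source")
    return fields


def logon_after_failures(identity_events, min_failures=5, window=timedelta(minutes=5)):
    """Single-source rule: a SUCCESS preceded by >= min_failures FAILs in the window."""
    events = sorted(identity_events, key=lambda e: e["ts"])
    hits = []
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        failures = [f for f in events
                    if f["user"] == ev["user"] and f["result"] == "FAIL"
                    and ev["ts"] - window <= f["ts"] < ev["ts"]]
        if len(failures) >= min_failures:
            hits.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"],
                         "failures": len(failures)})
    return hits


def correlate(logon_hits, endpoint_events, window=timedelta(minutes=10)):
    """Cross-source rule: join identity hits to suspicious endpoint events by user and time."""
    incidents = []
    for hit in logon_hits:
        for ep in endpoint_events:
            if (ep["user"] == hit["user"]
                    and ep["event"] in SUSPICIOUS_ENDPOINT_EVENTS
                    and hit["ts"] <= ep["ts"] <= hit["ts"] + window):
                incidents.append({**hit, "endpoint": ep})
    return incidents


def run(identity_lines=IDENTITY_LOG, endpoint_lines=ENDPOINT_LOG):
    identity = [parse_line(l) for l in identity_lines]
    endpoint = [parse_line(l) for l in endpoint_lines]
    return correlate(logon_after_failures(identity), endpoint)


if __name__ == "__main__":
    for inc in run():
        print(f"incident: user={inc['user']} src={inc['src']} failures={inc['failures']} "
              f"then {inc['endpoint']['event']} on {inc['endpoint']['host']}")
```

Neither log on its own justifies paging an analyst: a run of failed logons is often a forgotten password, and service installations happen all day. Joined on user and time they describe one story, which is why the correlation step is where a SIEM rule, rather than a single-product alert, earns its keep.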

Threat intelligence

To get a comprehensive view of the cyberthreat landscape, SOCs use tools that synthesize and analyze data from a variety of sources, including endpoints, email, cloud apps, and external threat intelligence sources. Insights from this data help security teams prepare for a cyberattack, detect active cyberthreats, investigate ongoing security incidents, and respond effectively.

Endpoint detection and response

Endpoint detection and response (EDR) solutions are an earlier generation of XDR solutions that focus only on endpoints, such as computers, servers, mobile devices, and IoT devices. Like XDR solutions, when a potential attack is discovered, these solutions generate an alert and, for certain well-understood attacks, respond automatically. Because EDR solutions are focused only on endpoints, most organizations are migrating to XDR solutions.

Vulnerability management

Vulnerability management is a continuous, proactive, and often automated process that monitors computer systems, networks, and enterprise applications for security weaknesses. Vulnerability management solutions assess vulnerabilities for severity and level of risk and provide reporting that the SOC uses to remediate issues.

Security orchestration, automation, and response

Security orchestration, automation, and response (SOAR) solutions help simplify cyberthreat detection and response by bringing together internal and external data and tools into one centralized place. They also automate cyberthreat responses based on a set of predefined rules.

Managed detection and response

Not all organizations have the resources to effectively detect and respond to cyberthreats. Managed detection and response services help these organizations augment their security teams with the tools and people necessary to hunt for threats and respond appropriately.

Threat detection and response solutions

Threat detection and response is a critical function that all organizations can use to help them find and address cyberthreats before they cause harm. Microsoft Security offers several threat protection solutions to help security teams monitor, detect, and respond to cyberthreats. For organizations with limited resources, Microsoft Defender Experts provides managed services to augment existing staff and tools.

Frequently asked questions

  • Advanced threat detection includes the techniques and tools that security professionals use to uncover advanced persistent threats, which are sophisticated threats that are designed to remain undetected for an extended period of time. These threats are often more serious and may include espionage or data theft.
  • The primary methods of threat detection are security solutions, such as SIEM or XDR, that analyze activity across the environment to discover indications of compromise or behavior that deviates from what’s expected. People work with these tools to triage and respond to potential threats. They also use XDR and SIEM to hunt for sophisticated attackers that may evade detection.
  • Threat detection is the process of uncovering potential security risks, including activity that may indicate a device, software, network, or identity has been compromised. Incident response includes the steps that the security team and automated tools take to contain and eliminate a cyberthreat.
  • The threat detection and response process includes:
     
    • Detection. Security tools that monitor endpoints, identities, networks, apps, and clouds help surface risks and potential breaches. Security professionals also use cyberthreat hunting techniques to try to uncover emerging cyberthreats.
    • Investigation. Once a risk is identified, people use AI and other tools to confirm the cyberthreat is real, determine how it happened, and assess what company assets are affected.
    • Containment. To stop the spread of a cyberattack, cybersecurity teams isolate infected devices, identities, and networks from the rest of the organization’s assets.
    • Eradication. Teams eliminate the root cause of a security incident with the goal of evicting the adversary completely from the environment and mitigating vulnerabilities that might put the organization at risk of a similar cyberattack.
    • Recovery. After teams are reasonably confident that a cyberthreat or vulnerability has been removed, they bring any isolated systems back online.
    • Report. Depending on the severity of the incident, security teams will document and brief leaders, executives, and/or the board on what happened and how it was resolved.
    • Risk mitigation. To prevent a similar breach from happening again and to improve response in the future, teams study the incident and identify changes to make to the environment and processes.
  • TDR stands for threat detection and response, which is a process of identifying cybersecurity threats to an organization and taking steps to mitigate those threats before they do real damage. EDR stands for endpoint detection and response, which is a category of software products that monitor an organization’s endpoints for potential cyberattacks, surface those cyberthreats to the security team, and automatically respond to certain types of cyberattacks.
