This blog was originally published on LinkedIn.
The security industry is rife with vendors peddling anomaly detection as the cure-all for cyber attacks. This is grossly misleading.
The problem is that anomaly detection over-generalizes: All normal behavior is good; all anomalous behavior is bad – without considering gradations and context. With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.
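To make the over-generalization concrete, here is an added example (not part of the original post): a toy baseline detector that treats any deviation as "bad", placed next to a scorer that weighs the same deviation against context. The login events, baselines, the on-call roster and the risk weights are all constructed for illustration.

```python
"""Constructed example: pure anomaly flag vs. context-aware gradated score."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Login:
    user: str
    hour: int          # hour of day, 0-23
    new_device: bool   # first time this device is seen for the user
    on_call: bool      # assumed context: user is on the on-call roster tonight
    malicious: bool    # ground truth, known only because the data is constructed


# Constructed baselines: both users normally log in during business hours.
BASELINE_HOURS = {
    "alice": [9, 9, 10, 10, 11, 9, 10, 9, 10, 11],
    "bob":   [8, 9, 9, 10, 8, 9, 9, 10, 8, 9],
}


def anomaly_flag(login: Login, threshold: float = 2.5) -> bool:
    """Pure anomaly detection: anything far from the user's usual hour is 'bad'."""
    hours = BASELINE_HOURS[login.user]
    mu, sigma = mean(hours), pstdev(hours) or 1.0
    return abs(login.hour - mu) / sigma > threshold


def context_score(login: Login) -> int:
    """Gradated risk: the same deviation weighs differently depending on context."""
    score = 0
    if anomaly_flag(login) and not login.on_call:
        score += 2   # off-hours login is only suspicious when nobody is expected to work
    if login.new_device:
        score += 3   # credential use from an unseen device outweighs time of day
    return score


# Constructed events: a benign outlier and a malicious login that looks routine.
EVENTS = [
    Login("alice", 3, new_device=False, on_call=True, malicious=False),
    Login("bob", 9, new_device=True, on_call=False, malicious=True),
]


def evaluate() -> list:
    """Return (user, anomaly_flag, context_score, malicious) for each event."""
    return [(e.user, anomaly_flag(e), context_score(e), e.malicious) for e in EVENTS]
```

The anomaly flag fires on the on-call engineer and stays silent on the attacker, while the context score inverts that ordering; the point is the scoring logic, not the particular weights.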