Threats change daily as attackers continuously work to improve their tactics, techniques and procedures (TTPs), and so, too, must the signatures and models that are used to detect the presence of threats in a network. The EDP platform must get frequent updates, preferably including well-sourced, high-quality Indicators of Compromise (IoCs) and Indicators of Attack (IoAs). Some products also allow the enterprise to incorporate its own IoCs/IoAs, which may be developed in-house or obtained from cyber threat intelligence subscription services.
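As an added illustration (not code from the article or from any EDP product), the following merges a constructed vendor feed with a constructed in-house IoC list, keeps the freshest sighting of each indicator, expires entries older than an assumed 30-day limit so stale indicators stop firing, and sweeps constructed endpoint events for matches; the Indicator fields, the age limit and all values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Indicator:
    kind: str       # "sha256" or "domain"
    value: str
    source: str     # provenance: in-house team or a subscription feed
    seen: datetime  # when the source last observed the indicator

def merge_feeds(*feeds, now, max_age_days=30):
    """Dedupe across feeds, keep the freshest sighting of each indicator,
    and drop anything older than max_age_days so stale entries stop firing."""
    best = {}
    for feed in feeds:
        for ind in feed:
            key = (ind.kind, ind.value.lower())
            if key not in best or ind.seen > best[key].seen:
                best[key] = ind
    cutoff = now - timedelta(days=max_age_days)
    return {k: v for k, v in best.items() if v.seen >= cutoff}

def sweep(events, indicators):
    """Return (event_id, Indicator) for every IoC hit in the telemetry."""
    hits = []
    for ev in events:
        for kind in ("sha256", "domain"):
            if kind in ev and (kind, ev[kind].lower()) in indicators:
                hits.append((ev["id"], indicators[(kind, ev[kind].lower())]))
    return hits

NOW = datetime(2024, 1, 31)
# Constructed feeds with placeholder values: one vendor subscription, one in-house list.
SUBSCRIPTION = [
    Indicator("domain", "bad.example", "vendor-feed", NOW - timedelta(days=2)),
    Indicator("sha256", "aa" * 32, "vendor-feed", NOW - timedelta(days=90)),  # stale
]
IN_HOUSE = [
    Indicator("domain", "BAD.example", "soc-internal", NOW - timedelta(days=10)),  # older duplicate
    Indicator("sha256", "bb" * 32, "soc-internal", NOW - timedelta(days=1)),
]
# Constructed endpoint telemetry.
EVENTS = [
    {"id": 1, "domain": "bad.example"},
    {"id": 2, "sha256": "aa" * 32},  # only the expired indicator matches -> no hit
    {"id": 3, "sha256": "bb" * 32},
]
def run():
    return sweep(EVENTS, merge_feeds(SUBSCRIPTION, IN_HOUSE, now=NOW))
```

The example covers IoCs only; IoAs describe behaviour rather than static values and would be expressed as rules over event sequences instead of a lookup.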
Most tools today use machine learning (ML) to scrutinize endpoint and network activities for anomalies that could indicate risks and threats. ML applies trained models to analyze the data, and these models need frequent retraining and tuning to keep producing the most accurate possible results in detecting anomalies.