The Best Network Protection Go Deep or Go Broad

The Best Network Protection: Go Deep or Go Broad?

By Albert Zhichun Li, Chief Scientist, Stellar Cyber

Almost since the beginning of network security, vendors and practitioners have wrestled with choices between going deep and going broad for their security solutions. Mostly, the choice varies between predominantly one or the other. Going deep typically means careful monitoring and analysis of certain types of threats or behaviors at the cost of not examining a much broader range of activity. Solutions that are broader may lack the clarity and fidelity to make fast, accurate alerting. They also may miss important indicators.

The battle to protect data, systems, users and networks has been far from easy. Today, a more interesting headline might announce when  a data breach has not occurred. The odds are heavily in favor of attackers to penetrate a network and have free rein to engage in theft or damage. These high-value attacks are human-run and employ multiple approaches over a period of time. The now commonly acknowledged north, south, east and west type of activities work for an attacker to systematically, and sometimes serendipitously, accomplish their mission. One step, such as reconnaissance through some kind of scanning, will lead to a next and a next. This reality means that both depth and breadth are important if an organization has any hope of curtailing an attack.

As solutions for eXtended Detection and Response (XDR)—and perhaps other categories of solutions—emerge, one of the more important questions they will have to face is this ongoing one between depth and breadth.  Depth and breadth can work together to ensure higher fidelity alerts with a low number of false positives. The ability to understand potential attacker activity with detail as well as context can make all the difference in flagging something that is truly important. To be productive, activities must be identified that are both abnormal and malicious.

Breadth is important since attackers use multiple tactics, largely sequentially. The ability to see the connectedness between events gives security groups a substantial advantage. This “seeing the forest for the trees” can identify something that might otherwise be missed or provide the fidelity to prevent “crying wolf” too many times. Breadth can also unify the strength of individual security solutions, each with its own area of expertise and specialization.

Depth brings important details and may answer a number of the “who, what, where, when, how” questions. EDR systems, for instance, are best at understanding endpoint activity, CASB solutions are primed to make sense of certain cloud activities. UEBA tools help examine who did what on the network.

Of course, it is simply not possible that one tool or system can do everything with full expertise and precision. This is why the idea of not only integrating but also aggregating key findings from a myriad of tools is so powerful. Sharing “the best of” from each system ensures that the whole is more valuable than sum of the parts. In this way, breadth and depth can combine and work together to minimize any tradeoffs of design to produce better results.

Breadth should also work to fill any gaps between detections provided by various systems that might exist. Usually this means gaps in scope, but sometimes it might mean limitations or delays in what data is provided by a security system and when. Sensors can help fill this gap that inevitably exists. Logs may also provide supplemental information, but they generally cannot be depended on for timely insights and may be limited in what is captured. They can also be manipulated.

Depth and breadth are good things, and vendors and practitioners should continue to build expertise in both areas. Still, to gain an upper hand against attackers, organizations cannot afford to choose between the two. Uniting these two dimensions will help even the odds.

About the Author

Dr. Albert Li AuthorDr. Albert Li is a world-renowned expert in cyber security, machine learning (ML), systems, networking and IoT. He is one of the few scientists known to heavily apply ML to security detection/investigation. Albert has 20 years of experience in security, and has been applying machine learning to security for 15 years. Previously, he was the head of NEC Labs’ computer security department, where he initiated, architected and commercialized NEC’s own AI-driven security platform. He has filed 48 US patents and has published nearly 50 seminal research papers. Dr. Li has a Ph.D. in system and network security from Northwestern University and a B.Sc. from Tsinghua University. Albert can be reached online at and at our company website

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase