- Signature-based detection (i.e., "I know this specific activity is bad")
- Pattern-based detection (i.e., "I know this pattern of activity is bad")
Those are both well and good, but they leave a gaping hole. What is the answer to the question: "Is this previously unknown activity normal and expected, or is it weird and unexpected?"
The way to answer that question is through anomaly-based detection techniques. Unfortunately, at the present time, we as a community do not have many mature, production-ready approaches to anomaly-based detection, nor do we have many vendor options.
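To make the three approaches concrete, here is an added example (not from the original post) that runs a signature rule, a pattern rule and a naive baseline-deviation check over the same constructed process-start events. The process name `known_bad_tool`, the `svc_` naming convention and the event format are assumptions made for the example.

```python
# Constructed sample telemetry (not real data): the learning window.
BASELINE_EVENTS = [
    "host=web01 user=svc_web proc=nginx",
    "host=web01 user=svc_web proc=nginx",
    "host=web01 user=ops proc=sshd",
    "host=db01 user=postgres proc=postgres",
    "host=db01 user=ops proc=sshd",
]
# Constructed sample telemetry: the window being checked.
NEW_EVENTS = [
    "host=web01 user=svc_web proc=nginx",           # normal
    "host=web01 user=svc_web proc=known_bad_tool",  # hypothetical known-bad name
    "host=web01 user=svc_web proc=sh",              # service account spawns a shell
    "host=db01 user=postgres proc=perl",            # nothing known about it, just never seen
    "host=db01 user=ops proc=sshd",                 # normal
]
SIGNATURES = {"known_bad_tool"}                     # hypothetical exact-match blocklist
SHELLS = {"sh", "bash", "cmd", "powershell"}
KEY = ("host", "user", "proc")

def parse(line):
    """Turn one 'k=v k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def signature_hits(events):
    """Signature-based: this specific activity is known to be bad."""
    return [e for e in events if parse(e)["proc"] in SIGNATURES]

def pattern_hits(events):
    """Pattern-based: a non-interactive service account (svc_*) launching a shell."""
    return [e for e in events
            if parse(e)["user"].startswith("svc_") and parse(e)["proc"] in SHELLS]

def anomaly_hits(baseline, events):
    """Anomaly-based: any (host, user, proc) combination absent from the baseline."""
    seen = {tuple(parse(e)[k] for k in KEY) for e in baseline}
    return [e for e in events if tuple(parse(e)[k] for k in KEY) not in seen]

def only_anomaly_catches(baseline, events):
    """The gap described above: unknown activity no signature or pattern names yet."""
    known = set(signature_hits(events)) | set(pattern_hits(events))
    return [e for e in anomaly_hits(baseline, events) if e not in known]
```

A never-seen-before baseline this simple fires on every legitimate change as well, which is exactly why tuning and maturity are the hard part of anomaly detection.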
I am cautiously optimistic that in the coming years, we will begin to mature our capabilities in this area. It is sorely needed.