Drift
Deviation from an asset's known-good configuration or behavioral baseline. Drift can indicate a compromise, unauthorized change, misconfiguration, or firmware update that alters device behavior.
What is Drift?
Drift refers to a deviation from an asset's known-good state — a change from the configuration, software, or behavioral baseline that was established when the device was correctly configured and operating normally. Configuration drift occurs when settings change from the approved baseline. Behavioral drift occurs when a device starts communicating differently than it has historically (new peers, protocols, ports, or traffic volumes). Software drift occurs when installed applications, firmware, or running processes change unexpectedly. The baseline must itself be captured from a state that has been verified as good: a baseline recorded from an already-compromised or misconfigured device simply makes that condition the reference point, and drift detection will stay silent on it.
Drift is significant because it can result from several distinct causes, not all of them malicious: a compromise that altered device configuration or installed malware, an unauthorized change by an insider, a firmware or software update that changed behavior, or a misconfiguration introduced during maintenance. Distinguishing benign drift (a legitimate firmware update) from malicious drift (a compromised device) requires correlating the observed change with change management records: drift that falls inside an approved maintenance window for that asset and matches the scope of the ticket can be verified against the ticket, while drift with no corresponding record should be treated as a potential incident.
In IoT and OT environments, drift detection is particularly valuable because legitimate configuration changes are relatively infrequent and should be well-documented. A PLC whose communication behavior changes without a corresponding maintenance window or change ticket is much more suspicious than a Windows workstation whose behavior changes after a software update. The high predictability of OT device behavior makes drift detection a sensitive and specific indicator of potential compromise.
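The following is an added example, not ORDR's code, showing how the detection described above can be implemented: a device snapshot is compared against its known-good baseline, each kind of drift (configuration, software, behavior) produces a finding, behavioral findings are scored by whether they look like a single new connection or a scanning pattern and by device criticality, and every finding is correlated with change tickets so that documented drift is routed to verification rather than raised as a possible compromise. All snapshots, tickets, field names and the scan threshold are constructed sample data and assumptions.

```python
"""Drift detection against a known-good baseline, with change-ticket correlation.

Added example, not ORDR's code. All device snapshots, baselines and change
tickets below are constructed sample data; the field names and the scan
threshold are assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    dst: str
    port: int
    proto: str = "tcp"


@dataclass
class Snapshot:
    """What we know about a device in one observation window."""
    device: str
    config_hash: str        # hash of the exported running configuration
    firmware: str           # firmware / software version string
    flows: frozenset[Flow]  # outbound peers seen in the window
    observed_at: datetime


@dataclass
class ChangeTicket:
    device: str
    start: datetime
    end: datetime


@dataclass
class Finding:
    device: str
    kind: str         # "config" | "software" | "behavior"
    detail: str
    severity: str     # "low" | "medium" | "high"
    documented: bool  # a change ticket covers this device at observation time
    action: str       # "verify_against_ticket" | "investigate"


SCAN_THRESHOLD = 10  # assumed: this many new peers or ports in one window looks like scanning


def covered_by_ticket(device: str, when: datetime, tickets: list[ChangeTicket]) -> bool:
    return any(t.device == device and t.start <= when <= t.end for t in tickets)


def behavior_severity(new_flows: set[Flow], criticality: str) -> str:
    """A single new outbound connection is not the same as a scanning pattern."""
    many_peers = len({f.dst for f in new_flows}) >= SCAN_THRESHOLD
    many_ports = len({f.port for f in new_flows}) >= SCAN_THRESHOLD
    if many_peers or many_ports:
        return "high"
    return "medium" if criticality == "high" else "low"


def detect_drift(baseline: Snapshot, current: Snapshot, criticality: str,
                 tickets: list[ChangeTicket]) -> list[Finding]:
    documented = covered_by_ticket(current.device, current.observed_at, tickets)
    state_sev = "high" if criticality == "high" else "medium"
    # Documented drift is still looked at in OT, but it is routed to a
    # verification step instead of being raised as a possible compromise.
    action = "verify_against_ticket" if documented else "investigate"
    found: list[Finding] = []
    if baseline.config_hash != current.config_hash:
        found.append(Finding(current.device, "config",
                             f"config {baseline.config_hash} -> {current.config_hash}",
                             state_sev, documented, action))
    if baseline.firmware != current.firmware:
        found.append(Finding(current.device, "software",
                             f"firmware {baseline.firmware} -> {current.firmware}",
                             state_sev, documented, action))
    new_flows = set(current.flows) - set(baseline.flows)
    if new_flows:
        sev = behavior_severity(new_flows, criticality)
        # A scanning pattern is not explained by a maintenance ticket; always investigate it.
        found.append(Finding(current.device, "behavior", f"{len(new_flows)} new outbound flow(s)",
                             sev, documented, "investigate" if sev == "high" else action))
    return found


# Constructed sample data: one PLC, its baseline, and one approved maintenance window.
T0 = datetime(2024, 3, 1, 2, 0)
BASELINE = Snapshot("plc-07", "a1f3", "v2.1.0",
                    frozenset({Flow("10.0.1.10", 502), Flow("10.0.1.11", 44818)}), T0)
TICKETS = [ChangeTicket("plc-07", T0 + timedelta(days=30), T0 + timedelta(days=30, hours=4))]


def example_documented_update() -> list[Finding]:
    """Firmware version changed inside the maintenance window: drift, but documented."""
    cur = Snapshot("plc-07", "a1f3", "v2.2.0", BASELINE.flows, T0 + timedelta(days=30, hours=1))
    return detect_drift(BASELINE, cur, "high", TICKETS)


def example_new_peer() -> list[Finding]:
    """One new Modbus peer with no ticket: medium on a high-criticality PLC."""
    cur = Snapshot("plc-07", "a1f3", "v2.1.0",
                   BASELINE.flows | {Flow("10.0.1.12", 502)}, T0 + timedelta(days=31))
    return detect_drift(BASELINE, cur, "high", TICKETS)


def example_scanning() -> list[Finding]:
    """Twelve new peers on one port: scanning pattern, investigated even inside the ticket window."""
    sweep = {Flow(f"10.0.2.{i}", 445) for i in range(1, 13)}
    cur = Snapshot("plc-07", "a1f3", "v2.1.0",
                   BASELINE.flows | sweep, T0 + timedelta(days=30, hours=2))
    return detect_drift(BASELINE, cur, "high", TICKETS)


if __name__ == "__main__":
    for scenario in (example_documented_update, example_new_peer, example_scanning):
        for f in scenario():
            print(f"{f.device} {f.kind:8} {f.severity:6} documented={f.documented} "
                  f"-> {f.action}: {f.detail}")
```

The three scenarios cover the cases the text distinguishes: a documented firmware update becomes a verification task, an undocumented single new peer on a critical device is a medium-severity investigation, and a sweep of new peers is scored high and investigated regardless of any open ticket. In a real deployment the baseline and snapshots would come from the asset inventory and network telemetry, and the tickets from the ITSM platform.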
Key Facts
- Configuration drift affects an estimated 30–40% of enterprise devices within 90 days of baseline establishment
- Unauthorized configuration changes are among the top indicators of insider threat activity
- In OT environments, legitimate configuration changes are infrequent enough that any drift warrants investigation
- Drift detection combined with change management integration reduces false positive alert rates by over 50%
How ORDR Addresses Drift
ORDR continuously compares each device's current behavior against its established baseline, alerting when drift is detected. Alerts are correlated against device criticality and the nature of the drift — a single new outbound connection is treated differently than a pattern of scanning behavior. ORDR integrates with ITSM platforms to correlate behavioral changes with change management records for automated triage.