How To Deploy the Most Effective Advanced Persistent Threat Solutions
Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware. In 2013, enterprises will spend more than $13 billion on firewalls, intrusion prevention systems (IPSs), endpoint protection platforms and secure Web gateways. Yet, advanced targeted attacks (ATAs) and advanced malware continue to plague enterprises.
Lawrence Orans, research director at Gartner, provided additional commentary on how to analyze and compare different approaches and select complementary (as opposed to overlapping) solutions for detecting ATAs and malware.
Mr. Orans said:
The traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today's threats require an updated layered defense model that utilizes "lean forward" technologies at three levels: network, payload (executables, files and Web objects) and endpoint. Combining two or all three layers offers highly effective protection against today's threat environment.
To help security managers select and deploy the most effective APT defense technologies, Gartner has developed the Five Styles of Advanced Threat Defense Framework. This framework is based on two dimensions: where to look for ATAs and malware (the rows), and a time frame for when the solution is most effective (the columns). The dashed lines between styles represent "bleed-through," since many vendor solutions possess characteristics of adjacent styles.
Figure 1: Five Styles of Advanced Threat Defense
Style 1 — Network Traffic Analysis
This style includes a broad range of techniques for Network Traffic Analysis. For example, anomalous DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record types) provide the ability to establish baselines of normal traffic patterns and to highlight anomalous patterns that represent a compromised environment. Some tools combine protocol analysis and content analysis.
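The NetFlow baselining described above, as an added example that is not part of the Gartner report or any vendor product: per-host counts of flows to DNS (port 53) are built from constructed flow records, a baseline mean and spread are computed from earlier days, and a host whose count on the review day deviates by more than a chosen number of standard deviations is flagged. Host names, addresses and counts are invented for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records, one tuple per flow: (day, src, dst, dst_port).
# Days 1-5 form the baseline; day 6 is the period under review. All values are
# invented for this example and do not come from the report.
def _build_records():
    daily_dns = {"ws-01": [40, 44, 38, 41, 42, 46],
                 "ws-02": [45, 47, 43, 50, 44, 900],   # ws-02 spikes on day 6
                 "ws-03": [38, 36, 40, 39, 37, 38]}
    recs = []
    for host, counts in daily_dns.items():
        for day, n in enumerate(counts, start=1):
            recs += [(day, host, "10.0.0.53", 53)] * n          # DNS lookups
            recs += [(day, host, "93.184.216.34", 443)] * 20    # unrelated HTTPS
    return recs

RECORDS = _build_records()

def dns_flows_per_host_day(records):
    """Aggregate flow records into {host: {day: number of flows to port 53}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, dport in records:
        if dport == 53:
            counts[src][day] += 1
    return counts

def flag_dns_anomalies(records, review_day, sigma=3.0, min_rel=0.10):
    """Compare each host's DNS flow count on review_day with its own baseline
    (all earlier days). A host is flagged when the count exceeds the baseline
    mean by more than `sigma` standard deviations. The floor min_rel * mean on
    the spread stops a nearly flat baseline from flagging trivial variation."""
    counts = dns_flows_per_host_day(records)
    alerts = {}
    for host, per_day in counts.items():
        baseline = [n for d, n in per_day.items() if d < review_day]
        today = per_day.get(review_day, 0)
        if len(baseline) < 2:
            continue                        # not enough history to baseline
        mu = mean(baseline)
        spread = max(pstdev(baseline), min_rel * mu)
        z = (today - mu) / spread
        if z > sigma:
            alerts[host] = round(z, 1)      # z-score of the deviation
    return alerts

if __name__ == "__main__":
    print(flag_dns_anomalies(RECORDS, review_day=6))   # {'ws-02': 186.5}
```

In practice the baseline window and `sigma` are tuned per environment, and the same aggregation can be keyed on destination or query volume rather than flow count.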
Style 2 — Network Forensics
Network Forensics tools provide full-packet capture and storage of network traffic, and provide analytics and reporting tools for supporting incident response, investigative and advanced threat analysis needs. The ability of these tools to extract and retain metadata differentiates these security-focused solutions from the packet capture tools aimed at the network operations buyer.
Style 3 — Payload Analysis
Payload Analysis uses a sandbox environment to detect malware and targeted attacks on a near-real-time basis. Payload Analysis solutions provide detailed reports about malware behavior, but they do not enable a post-compromise ability to track endpoint behavior over a period of days, weeks or months. Enterprises that seek that capability will need to use the incident response features of the solutions in Style 5 (Endpoint Forensics). The sandbox environment can reside on-premises or in the cloud.
Style 4 — Endpoint Behavior Analysis
There is more than one approach to Endpoint Behavior Analysis to defend against targeted attacks. Several vendors focus on the concept of application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response. An entirely different strategy for ATA defense is to restrict application execution to only known good applications, also known as "whitelisting".
Style 5 — Endpoint Forensics
Endpoint Forensics serves as a tool for incident response teams. Endpoint agents collect data from the hosts they monitor. These solutions are helpful for pinpointing which computers have been compromised by malware, and highlighting specific behavior of the malware.
Because of the challenges in combating targeted attacks and malware, security-conscious organizations should plan on implementing at least two styles from this framework. The framework is useful for highlighting which combinations of styles are the most complementary. Effective protection comes from combining technologies from different rows (for example: network/payload, payload/endpoint or network/endpoint). The same logic applies to mixing styles from different columns (different time horizons). The most effective approach is to combine styles diagonally through the framework.
More detailed information on the framework and how security managers can select and deploy the most effective APT defense technologies can be found in the report “Five Styles of Advanced Threat Defense”. The report can be found on Gartner’s website at http://www.gartner.com/resId=2576720.
Mr. Orans will provide additional insight into cybersecurity at Gartner Symposium/ITxpo 2013 taking place October 6-10 in Orlando, Florida.