Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware, says Gartner. In 2013, enterprises will spend more than $13 billion on firewalls, intrusion prevention systems (IPSs), endpoint protection platforms and secure web gateways. Yet, advanced targeted attacks (ATAs) and advanced malware continue to plague enterprises.
Lawrence Orans, research director at Gartner, provides additional advice on how to analyze and compare different approaches and select complementary (as opposed to overlapping) solutions for detecting ATAs and malware:
The traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today's threats require an updated layered defense model that uses "lean forward" technologies at three levels: network, payload (executables, files and web objects), and endpoint. Combining two or all three layers offers highly effective protection against today's threat environment.
To help security managers select and deploy the most-effective APT defense technologies, Gartner has developed the "Five Styles of Advanced Threat Defense Framework" (see Figure 1). This framework is based on two dimensions: where to look for ATAs and malware (the rows), and a time frame for when the solution is most effective (the columns). The dashed lines between styles represent "bleed-through," since many vendor solutions possess characteristics of adjacent styles.
Figure 1: Five Styles of Advanced Threat Defense
Style 1—Network Traffic Analysis
This style includes a broad range of techniques for network traffic analysis. For example, anomalous DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record types) provide the ability to establish baselines of normal traffic patterns and to highlight anomalous patterns that represent a compromised environment. Some tools combine protocol analysis and content analysis.
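The flow-baselining idea in Style 1, shown as an added example (not Gartner's or any vendor's code): per-host DNS flow counts from constructed NetFlow-style records are baselined over six days, and a seventh day is scored against each host's own baseline. The record layout, the z-score threshold and the sample data are assumptions.

```python
"""Baseline-and-deviation check over constructed NetFlow-style records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_ip, dst_port, bytes). Days 1-6 form each
# host's baseline; day 7 is the window under review. Daily DNS volume is given
# a small deterministic jitter so the baseline has a non-zero spread.
FLOWS = []
for day in range(1, 8):
    for host in ("10.0.0.5", "10.0.0.6"):
        FLOWS += [(day, host, 53, 80)] * (18 + day % 5)   # normal DNS flows
        FLOWS += [(day, host, 443, 15000)] * 10            # normal web flows
# Day-7 burst of small DNS flows from one host: the kind of anomalous DNS
# pattern the text describes as a botnet indicator (assumed sample data).
FLOWS += [(7, "10.0.0.5", 53, 60)] * 400


def dns_counts_by_day(flows):
    """Return {src_ip: {day: number of flows to port 53}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, src, dport, _ in flows:
        if dport == 53:
            counts[src][day] += 1
    return counts


def find_dns_anomalies(flows, review_day, z_threshold=3.0):
    """Flag hosts whose DNS flow count on review_day sits more than
    z_threshold standard deviations above that host's own baseline."""
    flagged = {}
    for src, per_day in dns_counts_by_day(flows).items():
        baseline = [n for d, n in per_day.items() if d != review_day]
        if len(baseline) < 2:          # not enough history to baseline
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        observed = per_day.get(review_day, 0)
        if sigma == 0:                 # flat baseline: any increase is a deviation
            z = float("inf") if observed > mu else 0.0
        else:
            z = (observed - mu) / sigma
        if z > z_threshold:
            flagged[src] = {"baseline_mean": round(mu, 2), "observed": observed,
                            "z": round(z, 1)}
    return flagged


if __name__ == "__main__":
    for host, info in find_dns_anomalies(FLOWS, review_day=7).items():
        print(f"{host}: {info}")
```

A production deployment would baseline per hour or per day-of-week and add further signals (unique domains queried, response sizes, NXDOMAIN rate) rather than flow counts alone.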
Style 2—Network Forensics
Network forensics tools provide full-packet capture and storage of network traffic, and provide analytics and reporting tools for supporting incident response, investigative and advanced threat analysis needs. The ability of these tools to extract and retain metadata differentiates these security-focused solutions from the packet capture tools aimed at the network operations buyer.
Style 3—Payload Analysis
Using a sandbox environment, the payload analysis technique is used to detect malware and targeted attacks on a near-real-time basis. Payload analysis solutions provide detailed reports about malware behavior, but they do not enable a post-compromise ability to track endpoint behavior over a period of days, weeks or months. Enterprises that seek that capability will need to use the incident response features of the solutions in Style 5 (Endpoint Forensics). The sandbox environment can reside on-premises or in the cloud.
Style 4—Endpoint Behavior Analysis
There is more than one approach to endpoint behavior analysis to defend against targeted attacks. Several vendors focus on the concept of application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response. An entirely different strategy for ATA defense is to restrict application execution to only known-good applications, also known as "whitelisting."
Style 5—Endpoint Forensics
Endpoint forensics serves as a tool for incident response teams. Endpoint agents collect data from the hosts they monitor. These solutions are helpful for pinpointing which computers have been compromised by malware, and highlighting specific behavior of the malware.
Because of the challenges in combating targeted attacks and malware, security-conscious organizations should plan on implementing at least two styles from this framework. The framework is useful for highlighting which combinations of styles are the most complementary.
Effective protection comes from combining technologies from different rows (for example: network/payload, payload/endpoint or network/endpoint). The same logic applies to mixing styles from different columns (different time horizons). The most effective approach is to combine styles diagonally through the framework.