'Five Styles of Advanced Threat Defense' Can Protect Enterprise From Targeted Attacks
Wed, October 30, 2013
Network World — Attackers want to compromise networks and computers to steal sensitive information from the enterprise by using sophisticated malware. Research firm Gartner says IT can protect the enterprise against targeted attacks in five basic ways, and recommends combining at least two of them together for best effect.
Gartner's report, "Five Styles of Advanced Threat Defense," defines technical "styles": ways to tackle the threat of stealthy attacks, sometimes called advanced persistent threats, that go beyond simply using traditional security such as anti-virus or firewalls.
The report is based on an analysis of the security products in the market designed to help identify stealthy attacks or collect forensics on compromised systems. Gartner categorizes these into five technical approaches it refers to as specific "styles" in a framework of security.
According to Gartner, it's central to first think about the timeframe of an attack aimed at stealing critical data. Some defenses operate in real time (or near real time) and can be put in place before an attack succeeds. Other tools should be considered "post-compromise": they apply when an attack has unfortunately been successful and there's a need for forensics. In its report, Gartner notes some security vendors will have products that do some of both.
In general there's a need to analyze inbound and outbound network traffic to detect compromised endpoints, and to do this, agent software is not required on the endpoint. There's also a need to look at the attacker's payload: a sandbox approach, using a safely isolated simulation environment, can observe how payloads behave, with the goal of flagging them as dangerous. Gartner also notes a need to determine how endpoints have been impacted by malware, but that typically carries significant operational costs to manage and deploy on the endpoint.
In short, Gartner's "Five Styles" of defense are:
Style 1: Use network traffic analysis techniques to establish baselines of normal traffic patterns and highlight anomalous patterns that represent a compromised environment (for example, anomalous DNS traffic could indicate botnet traffic). This approach offers real-time detection and can include both non-signature and signature-based techniques, and endpoint agents aren't required. But the challenge is it might require "careful tuning and knowledgeable staff to avoid false positives," Gartner points out. If the product is an out-of-band tool, it will have a limited ability to block attacks and may not monitor traffic from off-network mobile endpoints. A sampling of vendors with products in this category would be Arbor Networks, Damballa, Fidelis, Lancope and Sourcefire's AMP, according to Gartner. (Sourcefire was recently acquired by Cisco.)
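To make the "baseline, then flag anomalies" idea of Style 1 concrete, here is an added example written for this page; it is not code from the Network World article, from Gartner's report, or from any of the vendors named. It learns per-host DNS behaviour (query volume, number of distinct names, NXDOMAIN share) from a baseline window, then scores a later window against that baseline with z-scores. Every log line, host address and domain name in it is constructed for illustration, and the log format ("epoch,client,qname,rcode") is an assumption, not any resolver's real format. The `k` threshold is the tuning knob the report alludes to: lowering it catches more, but also starts flagging a busy-but-legitimate host.

```python
# Added example, not code from the article or Gartner's report.
# Minimal "Style 1" network traffic analysis over DNS logs: build a baseline
# of normal per-host behaviour, then flag hosts whose later traffic deviates.
# All hosts, names and log lines below are constructed; the log format is assumed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed resolver log for the baseline window: "epoch,client,qname,rcode".
BASELINE_LOG = """\
1383120000,10.0.0.2,www.example.com,NOERROR
1383120005,10.0.0.2,mail.example.com,NOERROR
1383120011,10.0.0.2,cdn.example.net,NOERROR
1383120020,10.0.0.2,www.example.com,NOERROR
1383120031,10.0.0.2,api.example.org,NOERROR
1383120002,10.0.0.3,www.example.com,NOERROR
1383120007,10.0.0.3,updates.example.net,NOERROR
1383120013,10.0.0.3,cdn.example.net,NOERROR
1383120019,10.0.0.3,time.example.org,NOERROR
1383120025,10.0.0.3,www.example.com,NOERROR
1383120040,10.0.0.3,mail.example.com,NOERROR
1383120003,10.0.0.4,www.example.com,NOERROR
1383120009,10.0.0.4,mail.example.com,NOERROR
1383120017,10.0.0.4,typo.exmaple.com,NXDOMAIN
1383120029,10.0.0.4,cdn.example.net,NOERROR
"""

# Constructed log for a later window; 10.0.0.9 is the odd one out.
OBSERVED_LOG = """\
1383123600,10.0.0.2,www.example.com,NOERROR
1383123604,10.0.0.2,mail.example.com,NOERROR
1383123612,10.0.0.2,cdn.example.net,NOERROR
1383123621,10.0.0.2,api.example.org,NOERROR
1383123633,10.0.0.2,www.example.com,NOERROR
1383123601,10.0.0.3,www.example.com,NOERROR
1383123606,10.0.0.3,updates.example.net,NOERROR
1383123610,10.0.0.3,cdn.example.net,NOERROR
1383123618,10.0.0.3,time.example.org,NOERROR
1383123024,10.0.0.3,www.example.com,NOERROR
1383123038,10.0.0.3,mail.example.com,NOERROR
1383123051,10.0.0.3,www.example.com,NOERROR
1383123602,10.0.0.9,qz9k1.lookup.invalid,NXDOMAIN
1383123607,10.0.0.9,m7x2a.lookup.invalid,NXDOMAIN
1383123612,10.0.0.9,t4r8p.lookup.invalid,NOERROR
1383123617,10.0.0.9,b1n6e.lookup.invalid,NXDOMAIN
1383123622,10.0.0.9,h3w9c.lookup.invalid,NXDOMAIN
1383123627,10.0.0.9,v5k0d.lookup.invalid,NXDOMAIN
1383123632,10.0.0.9,p8y2f.lookup.invalid,NXDOMAIN
1383123637,10.0.0.9,l2q7g.lookup.invalid,NOERROR
1383123642,10.0.0.9,x6s3j.lookup.invalid,NXDOMAIN
1383123647,10.0.0.9,c9u4m.lookup.invalid,NXDOMAIN
"""

FEATURES = ("queries", "unique_names", "nxdomain_fraction")


def parse(log):
    """Yield (client, qname, rcode); timestamps are ignored because each log is one window."""
    for line in log.strip().splitlines():
        _ts, client, qname, rcode = line.split(",")
        yield client, qname.lower().rstrip("."), rcode


def per_host_features(log):
    """Summarise one window into a feature vector per client address."""
    counts, names, nx = defaultdict(int), defaultdict(set), defaultdict(int)
    for client, qname, rcode in parse(log):
        counts[client] += 1
        names[client].add(qname)
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {c: {"queries": float(counts[c]),
                "unique_names": float(len(names[c])),
                "nxdomain_fraction": nx[c] / counts[c]} for c in counts}


def build_baseline(log):
    """Population mean and standard deviation of each feature across baseline hosts."""
    hosts = list(per_host_features(log).values())
    return {f: (mean(h[f] for h in hosts), pstdev([h[f] for h in hosts])) for f in FEATURES}


def score(baseline, log, k=3.0):
    """Z-score every host/feature in the observed window; flag pairs with z > k."""
    zscores, flagged = {}, []
    for client, feats in sorted(per_host_features(log).items()):
        zscores[client] = {}
        for f in FEATURES:
            mu, sigma = baseline[f]
            v = feats[f]
            z = (v - mu) / sigma if sigma > 0 else (0.0 if v == mu else float("inf"))
            zscores[client][f] = z
            if z > k:
                flagged.append((client, f))
    return zscores, flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for k in (3.0, 2.0):  # a stricter and a looser threshold
        _, flagged = score(base, OBSERVED_LOG, k=k)
        print(f"k={k}: flagged {flagged}")
```

With `k=3.0` only 10.0.0.9 is flagged, on all three features: far more queries than the baseline population, every name distinct, and 80% of them unresolvable. With `k=2.0` the legitimately busier 10.0.0.3 is also flagged on query count, which is the false-positive trade-off Gartner's "careful tuning" remark refers to. A real deployment would baseline each host against its own history and per-network-segment peers rather than a three-host population, and would pair the alert with the out-of-band limitation noted above: this code only observes, it cannot block.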