Attackers want to compromise networks and computers to steal sensitive information from the enterprise by using sophisticated malware. Research firm Gartner says IT can protect the enterprise against targeted attacks in five basic ways, and recommends combining at least two of them together for best effect.
Gartner's report, "Five Styles of Advanced Threat Defense" defines technical "styles" that are ways to tackle the threat of stealthy attacks, sometimes called advanced persistent threats, beyond simply using traditional security, such as anti-virus or firewalls.
The report is based on an analysis of the security products in the market designed to help identify stealthy attacks or collect forensics on compromised systems. Gartner categorizes these into five technical approaches it refers to as specific "styles" in a framework of security.
According to Gartner, the first thing to consider is the timeframe of an attack aimed at stealing critical data. Some defenses can be put in place to work in real time (or near-real time). Other tools should be considered "post-compromise": they come into play when an attack has unfortunately succeeded and forensics are needed. In its report, Gartner notes that some security vendors have products that do some of both.
In general there's a need to analyze inbound and outbound network traffic to detect compromised endpoints, and doing so does not require agent software on the endpoint. There's also a need to look at the attacker's payload: a sandbox approach, using a safely isolated simulation environment, can observe how payloads behave, with the goal of flagging them as dangerous. Gartner also notes a need to determine how endpoints have been affected by malware, but points out that endpoint-based tools typically carry significant operational costs to deploy and manage.
In short, Gartner's "Five Styles" of defense are:
Style 1: Network Traffic Analysis. These techniques establish baselines of normal traffic patterns and highlight anomalous patterns that indicate a compromised environment (for example, anomalous DNS traffic could point to botnet activity). This approach offers real-time detection, can include both non-signature and signature-based techniques, and doesn't require endpoint agents. The challenge is that it might require "careful tuning and knowledgeable staff to avoid false positives," Gartner points out. If the product is an out-of-band tool, it will have a limited ability to block attacks and may not monitor traffic from off-network mobile endpoints. A sampling of vendors with products in this category would be Arbor Networks, Damballa, Fidelis, Lancope and Sourcefire's AMP, according to Gartner (Sourcefire was recently acquired by Cisco).
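To make the baseline-then-deviation idea behind Style 1 concrete, here is an added example that is not from the Gartner report or from any of the vendors it names. It builds a per-client baseline of DNS queries per minute from a training window, then flags clients in a later window whose peak rate deviates sharply from their own baseline, clients never seen in the baseline, and clients resolving an unusually large number of distinct subdomains under one domain (a common DNS-tunnelling indicator). The log format, the IP addresses and domain names, and the thresholds (z-score of 3, 50 distinct subdomains) are all constructed assumptions for the illustration.

```python
"""Baseline-and-deviation detection over DNS query logs (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev


def parse_line(line):
    """Parse a constructed '<minute> <client_ip> <qname>' record; None for malformed lines."""
    parts = line.split()
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2].lower().rstrip(".")


def queries_per_minute(lines):
    """Map client -> {minute: query_count}, skipping unparsable lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            minute, client, _ = rec
            counts[client][minute] += 1
    return counts


def build_baseline(lines):
    """Per-client (mean, population std-dev) of queries per minute over the training window."""
    baseline = {}
    for client, per_min in queries_per_minute(lines).items():
        vals = list(per_min.values())
        baseline[client] = (mean(vals), pstdev(vals))
    return baseline


def registered_domain(qname):
    """Crude 'last two labels' approximation; a real tool would consult the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect(lines, baseline, z_threshold=3.0, fanout_threshold=50):
    """Return (client, reason, detail) alerts for an observation window against the baseline."""
    alerts = []
    for client, per_min in queries_per_minute(lines).items():
        peak = max(per_min.values())
        if client not in baseline:
            alerts.append((client, "unknown_client", peak))
            continue
        mu, sigma = baseline[client]
        floor = max(sigma, 1.0)  # avoid dividing by ~0 for perfectly steady clients
        z = (peak - mu) / floor
        if z > z_threshold:
            alerts.append((client, "rate_spike", round(z, 1)))
    # Fan-out: many distinct names under one registered domain from a single client.
    fanout = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec:
            _, client, qname = rec
            fanout[client][registered_domain(qname)].add(qname)
    for client, domains in fanout.items():
        for dom, names in domains.items():
            if len(names) > fanout_threshold:
                alerts.append((client, "subdomain_fanout", dom))
    return alerts


def constructed_baseline_lines():
    """60 minutes of steady, constructed traffic: client .5 ~10/min, client .9 ~13/min."""
    lines = []
    for m in range(60):
        lines += [f"{m} 10.0.0.5 www.example.com"] * (10 + m % 2)
        lines += [f"{m} 10.0.0.9 mail.example.com"] * (12 + m % 3)
    return lines


def constructed_observation_lines():
    """5 later minutes: normal traffic plus a burst of label-encoded subdomains from client .9."""
    lines = []
    for m in range(60, 65):
        lines += [f"{m} 10.0.0.5 www.example.com"] * 10
        lines += [f"{m} 10.0.0.9 mail.example.com"] * 12
    lines += [f"62 10.0.0.9 {i:04x}.data.tunnel-example.test" for i in range(80)]
    lines.append("63 10.0.0.77 updates.example.com")  # client absent from the baseline
    lines.append("garbage line")  # malformed input is skipped by the parser
    return lines


def run_demo():
    """Train on the constructed baseline, then score the constructed observation window."""
    baseline = build_baseline(constructed_baseline_lines())
    return detect(constructed_observation_lines(), baseline)


if __name__ == "__main__":
    for client, reason, detail in run_demo():
        print(f"ALERT {client} {reason} {detail}")
```

Two design points worth noting: each client is compared against its own history rather than a global average, which is what keeps a busy mail server from being a permanent false positive, and the std-dev floor of one query per minute stops near-constant clients from producing enormous z-scores on trivial changes. This is exactly the "careful tuning" Gartner warns about; in production the thresholds would be calibrated per environment.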
Style 2: Network Forensics. These tools typically provide "full-packet capture and storage of network traffic" as well as analytics and reporting tools for incident response to advanced threats. Their advantages include reducing incident response time and the ability to reconstruct and replay flows and events over days or weeks, sometimes along with detailed reports to meet regulatory requirements. The downside? These tools can be complex, and costs "rise with the amount of data and the retention time." Because of the volume of data they analyze, report generation sometimes has to be done off-hours. Among the vendors in Style 2 are said to be Blue Coat (Solera Networks) and RSA (NetWitness).