5 styles to combat advanced cyber attacks

by Sohini Bagchi    Sep 26, 2013


Businesses today are constantly facing advanced targeted attacks (ATAs) and advanced malware. These attacks are so complex and fast-moving that traditional defense tools are not sufficient to protect the enterprise. Lawrence Orans, research director at Gartner, tells CXOtoday, “Detecting ATAs and malware as well as other evolving threats demands new approaches to security which will be more prevalent in the coming months.”

In a recent report on ATAs and their impact on businesses, Orans writes, “The traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today’s threats require an updated layered defense model that uses technologies at three levels: network, payload (executables, files and Web objects) and endpoint.”

He believes combining two or all three layers can offer a highly effective protection against today’s threat environment.


In the report, Gartner identifies five styles of advanced threat defense, a framework intended to help security managers select and deploy the most effective APT defense technologies.

Style 1: Network Traffic Analysis

This style, according to Orans, covers a broad range of network traffic analysis techniques. For example, anomalous DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record types) make it possible to establish baselines of normal traffic patterns and to highlight anomalous patterns that indicate a compromised environment. Some tools combine protocol analysis and content analysis.
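The baselining idea described for Style 1 can be shown in a few dozen lines. The following Python is an added illustration, not code from the Gartner report or from any product it covers: it reads constructed NetFlow-style records (window, source, destination, protocol, destination port, packets), learns each host's normal DNS flow volume per time window, and then flags two things in a later window: a host whose DNS volume sits far outside its own baseline, and DNS sent to any resolver other than the approved internal one. The flow format, the host addresses and the resolver address `10.0.0.53` are all assumptions made for the example.

```python
"""Flow-record baselining for anomalous DNS activity (illustrative, added example).

The records below are constructed for this example; they are not real traffic.
Each record is "window,src,dst,proto,dport,pkts", where window is an integer
time bucket (for example, an hour index).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical approved internal resolver; any DNS sent elsewhere is suspicious.
APPROVED_RESOLVERS = {"10.0.0.53"}


def parse_flow(line):
    """Parse one constructed CSV flow record into a dict."""
    window, src, dst, proto, dport, pkts = line.strip().split(",")
    return {"window": int(window), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "pkts": int(pkts)}


def is_dns(flow):
    return flow["proto"] == "udp" and flow["dport"] == 53


def dns_counts(flows):
    """Return {src: {window: number of DNS flows}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_dns(f):
            counts[f["src"]][f["window"]] += 1
    return counts


def build_baseline(flows):
    """Per-host (mean, population stdev) of DNS flows per window."""
    baseline = {}
    for src, per_window in dns_counts(flows).items():
        vals = list(per_window.values())
        baseline[src] = (mean(vals), pstdev(vals))
    return baseline


def find_anomalies(baseline, flows, k=3.0, min_count=20):
    """Flag hosts whose DNS count in a window exceeds mean + k*stdev (with a
    floor so quiet hosts do not alert on tiny changes), and any DNS flow
    that bypasses the approved resolvers."""
    findings = []
    for src, per_window in dns_counts(flows).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = max(mu + k * sigma, min_count)
        for window, count in sorted(per_window.items()):
            if count > threshold:
                findings.append(("dns_volume", src, window, count))
    for f in flows:
        if is_dns(f) and f["dst"] not in APPROVED_RESOLVERS:
            findings.append(("external_resolver", f["src"], f["window"], f["dst"]))
    return findings


def _gen(src, window, n, dst="10.0.0.53"):
    """Constructed helper: n DNS flows from src in one window."""
    return [f"{window},{src},{dst},udp,53,2" for _ in range(n)]


# Constructed training data: six quiet windows for two hosts.
BASELINE_LINES = []
for _w, _n in enumerate([10, 12, 11, 9, 10, 12]):
    BASELINE_LINES += _gen("10.0.1.10", _w, _n)
    BASELINE_LINES += _gen("10.0.1.11", _w, 8)
BASELINE_LINES.append("3,10.0.1.10,203.0.113.5,tcp,443,40")  # non-DNS, ignored

# Constructed observation window: one host spikes, the other talks to an
# outside resolver directly.
OBSERVED_LINES = (_gen("10.0.1.10", 6, 60)
                  + _gen("10.0.1.11", 6, 9)
                  + ["6,10.0.1.11,198.51.100.7,udp,53,1"])


def run_demo():
    baseline = build_baseline([parse_flow(l) for l in BASELINE_LINES])
    return find_anomalies(baseline, [parse_flow(l) for l in OBSERVED_LINES])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Host `10.0.1.10` is flagged for volume (60 DNS flows against a baseline of roughly 11 per window) and host `10.0.1.11` for sending a query to `198.51.100.7`. Real deployments would baseline over many more windows and typically split by hour of day, but the structure, a per-host baseline plus a policy check on resolver destinations, is the same.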

Style 2: Network Forensics

Network Forensics tools provide full-packet capture and storage of network traffic, and provide analytics and reporting tools for supporting incident response, investigative and advanced threat analysis needs. The ability of these tools to extract and retain metadata differentiates these security-focused solutions from the packet capture tools aimed at the network operations buyer.

Style 3: Payload Analysis

Payload Analysis uses a sandbox environment to detect malware and targeted attacks on a near-real-time basis. Payload Analysis solutions provide detailed reports about malware behavior, but they cannot track endpoint behavior over a period of days, weeks or months. Enterprises that need that capability will have to use the incident response features of the Style 5 (Endpoint Forensics) solutions. The sandbox environment can reside on-premises or in the cloud.

Style 4: Endpoint Behavior Analysis

There is more than one approach to Endpoint Behavior Analysis for defending against targeted attacks. Several vendors focus on the concept of application containment, protecting endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response. An entirely different strategy for ATA defense is to restrict application execution to only known good applications, also known as “whitelisting”.
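The whitelisting strategy mentioned for Style 4 is easiest to understand as a decision made before execution: the file about to run is hashed, and it runs only if that hash is on an approved list. The Python below is an added example, not code from the report or from any vendor it describes; it builds an allowlist from SHA-256 digests, and the three constructed files (an approved tool, an unknown binary, and a tampered copy of the approved tool) are written to a temporary directory purely for the demonstration. It also shows why hash-based lists are preferred over name-based ones: the tampered copy keeps its approved name but is still denied.

```python
"""Hash-based application allowlisting check (illustrative, added example).

Files and their contents are constructed in a temporary directory; nothing
here reflects a real product's policy format.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Map digest -> friendly name for every approved executable."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def execution_decision(path, allowlist):
    """Return ("allow", name) if the file's digest is approved, else ("deny", digest).

    The file name is deliberately ignored: only content decides, so a renamed
    or modified binary cannot borrow an approved entry.
    """
    digest = sha256_file(path)
    name = allowlist.get(digest)
    if name is None:
        return ("deny", digest)
    return ("allow", name)


def run_demo():
    """Exercise allow, unknown-deny and tamper-deny on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved-tool.exe")
        unknown = os.path.join(d, "dropper.exe")
        tampered_dir = os.path.join(d, "other")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "approved-tool.exe")  # same name

        with open(approved, "wb") as fh:
            fh.write(b"MZ-constructed-approved-binary")
        with open(unknown, "wb") as fh:
            fh.write(b"MZ-constructed-unknown-binary")
        with open(tampered, "wb") as fh:
            fh.write(b"MZ-constructed-approved-binary" + b"\x00patched")

        allowlist = build_allowlist([approved])
        return (execution_decision(approved, allowlist)[0],
                execution_decision(unknown, allowlist)[0],
                execution_decision(tampered, allowlist)[0])


if __name__ == "__main__":
    print(run_demo())  # ('allow', 'deny', 'deny')
```

In practice the allowlist is generated from a golden image or a software inventory and refreshed on every patch cycle, since a legitimate update changes the digest just as a tamper does; that maintenance burden is the usual argument raised against whitelisting, and the reason it is often paired with publisher signature checks.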

Style 5: Endpoint Forensics

Endpoint Forensics serves as a tool for incident response teams. Endpoint agents collect data from the hosts they monitor. These solutions are helpful for pinpointing which computers have been compromised by malware, and highlighting specific behavior of the malware.

According to Orans, the CSO’s role is evolving in the current enterprise security landscape. As security threats grow increasingly complex, that role will become even more important in the coming days, with the CSO assuming greater responsibility. Smart organizations are realizing the importance of innovative approaches and styles for combating ATAs and other evolving threats. “As a result, security is occupying a place on the boardroom agenda today, rather than remaining a sole domain of the IT department,” he concludes.