01/10/13 Five Styles of Advanced Threat Defense
www.gartner.com/technology/reprints.do?id=1-1IS72Q5&ct=130823&st=sb

Five Styles of Advanced Threat Defense
20 August 2013 ID: G00253559
Analyst(s): Lawrence Orans, Jeremy D'Hoinne

VIEW SUMMARY
The threat of advanced targeted attacks, also known as advanced persistent threats, has spawned a wave of innovation in the security market. We provide security managers with a framework to select and deploy the most effective APT defense technologies.
Overview

Key Findings
- The traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware.
- Today's threats require an updated layered defense model that utilizes "lean forward" technologies at three levels: network, payload (executables, files and Web objects) and endpoint.
- Combining two or all three layers offers highly effective protection against today's threat environment.
- Many vendors fit squarely in one style, but also have some characteristics of adjacent styles. The trend will be for vendors to "bleed through" multiple styles as solutions mature.

Recommendations
- Use Gartner's Five Styles of Advanced Threat Defense Framework to identify complementary solutions and avoid overlapping solutions.
- Implement "lean forward" technology from at least two of the three framework layers (network, payload, endpoint).
- Combine solutions that offer a real-time or near-real-time monitoring/detection approach with those that provide incident response and forensic analysis capabilities.
Analysis

Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware. In 2013, enterprises will spend more than $13 billion on firewalls, intrusion prevention systems (IPSs), endpoint protection platforms and secure Web gateways (see Note 1). Yet, advanced targeted attacks (ATAs) and advanced malware continue to plague enterprises. ATAs are considered advanced because of their ability to bypass traditional security mechanisms. In "Network Security Monitoring Tools for 'Lean Forward' Security Programs," we highlight several categories of solutions for detecting ATAs and malware. Here, we provide a framework for comparing vendors' offerings to help security managers analyze and compare the approaches, and to help them select complementary (as opposed to overlapping) solutions.

Figure 1 presents Gartner's Five Styles of Advanced Threat Defense Framework. This framework is based on two dimensions: where to look for ATAs and malware (the rows), and a time frame for when the solution is most effective (the columns). The dashed lines between styles represent "bleed through," since many vendor solutions possess characteristics of adjacent styles.

Figure 1. Five Styles of Advanced Threat Defense
(The figure image is not reproduced in this extraction; the grid below is reconstructed from the rows, columns and style descriptions given in the text of this report.)

                 Real Time / Near Real Time             Postcompromise (Days/Weeks)
Network          Style 1: Network Traffic Analysis      Style 2: Network Forensics
Payload          Style 3: Payload Analysis              (no style in this cell)
Endpoint         Style 4: Endpoint Behavior Analysis    Style 5: Endpoint Forensics

Source: Gartner (August 2013)
NOTE 1
ENTERPRISE SECURITY EXPENDITURES (PREDICTED) IN 2013
Based on market size estimates from Gartner Magic Quadrants, enterprises will spend more than $13 billion on four product categories:
- Firewalls: $7.7 billion (see "Magic Quadrant for Enterprise Network Firewalls")
- Intrusion Prevention Systems: $1.19 billion (see "Magic Quadrant for Intrusion Prevention Systems")
- Endpoint Protection: $3.2 billion (see "Magic Quadrant for Endpoint Protection Platforms")
- Secure Web Gateways: $1.35 billion (see "Magic Quadrant for Secure Web Gateways")

NOTE 2
HOW NETWORK FORENSICS TOOLS DIFFER FROM PACKET CAPTURE TOOLS
A network forensics tool (NFT) "thinks" in sessions, not packets, which is different from traditional network capture and analysis tools. The tool separates metadata from raw packets and seeks to run most of the analysis on the metadata, rather than packets. Examples of metadata are Web browser HTTP user agent or HTTP referrer fields.
Where to Look

Network: By analyzing inbound and outbound network traffic, these solutions can highlight compromised endpoints. An advantage of this technique is that it does not require an endpoint agent. The network traffic approach allows for detection across all endpoints and operating systems.

Payload: This approach uses a sandbox (an isolated, simulated environment) to observe the behavior of payloads in motion (as they cross the network perimeter) and to flag those that are suspicious. Examples of payloads are: PDF, EXE, DLL, Office, ZIP, Flash, JavaScript, and HTML objects, although not all vendors are capable of analyzing each payload type. With some solutions, endpoint agents can also send files and executables to the sandbox.

Endpoint: This approach provides the most detailed information about how endpoints have been impacted by malware and ATAs, but it comes with the operational cost of implementing and managing agent software on every endpoint.

Time Horizon

Real Time/Near Real Time: Tools in this category monitor, detect and, in some cases, block malware and attacks on a real-time or near-real-time basis.

Postcompromise (Days/Weeks): This category provides rich data to aid in incident response exercises and forensic analysis of security breaches over a period of days or weeks.
Style 1: Network Traffic Analysis

This style includes a broad range of techniques for Network Traffic Analysis. For example, anomalous DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record types) provide the ability to establish baselines of normal traffic patterns and to highlight anomalous patterns that represent a compromised environment. Some tools combine protocol analysis and content analysis. The sample vendors we list all use internally developed signatureless techniques that have been effective in detecting advanced threats.
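
The two signatureless checks named in that paragraph, a per-host DNS volume baseline built from flow records and a test for random-looking, mostly-unresolvable DNS names, as an added example written for this page. It is not code from the report or from any vendor it lists. The flow export layout, the resolver log layout, the hosts, the counts and the thresholds are all assumptions chosen for illustration; a production baseline would span weeks of NetFlow/IPFIX data, not one day.

```python
"""Network Traffic Analysis over flow records and resolver logs.

Added example for this page; not the report's or any vendor's code. Formats,
addresses, counts and thresholds below are constructed assumptions.
"""
import math
import statistics
from collections import Counter, defaultdict


def make_flows(day, src, hourly_counts):
    """Constructed flow lines "ts,src,dst,dport,proto,bytes" (assumed export
    layout): hourly_counts[h] DNS flows from src during hour h of day."""
    rows = []
    for hour, n in enumerate(hourly_counts):
        rows += [f"{day}T{hour:02d}:{i:02d},{src},10.0.0.2,53,udp,80" for i in range(n)]
    return rows


# Baseline window (prior day) and the window under inspection. 10.0.0.5 looks
# the same on both days; 10.0.0.9 makes a burst of lookups at 03:00 on day two.
BASELINE = (make_flows("2013-08-18", "10.0.0.5", [3,2,4,3,2,3,5,4,3,2,3,4,3,3,2,4,3,2,3,4,3,2,3,3])
            + make_flows("2013-08-18", "10.0.0.9", [1,2,1,1,2,1,1,2,1,1,1,2,1,1,2,1,1,1,2,1,1,1,2,1]))
TODAY = (make_flows("2013-08-19", "10.0.0.5", [3,3,2,4,3,2,3,4,3,2,3,3,4,3,2,3,3,2,4,3,3,2,3,3])
         + make_flows("2013-08-19", "10.0.0.9", [1,2,1,40,1,2,1,1,1,2,1,1,1,2,1,1,1,1,2,1,1,1,1,2]))

# Constructed resolver log lines "ts client qname rcode" for the same hour.
DNS_LOG = [
    "2013-08-19T03:01 10.0.0.9 k3xq9vz2wpd1.info NXDOMAIN",
    "2013-08-19T03:01 10.0.0.9 ab7dq2zx9mnp.biz NXDOMAIN",
    "2013-08-19T03:02 10.0.0.9 t5rwye8ubhj4.info NXDOMAIN",
    "2013-08-19T03:02 10.0.0.9 c1vm6ozk3sfq.org NXDOMAIN",
    "2013-08-19T03:03 10.0.0.9 g9yxu2lrn7wt.biz NXDOMAIN",
    "2013-08-19T03:03 10.0.0.9 p4hzd8ak5jqe.info NOERROR",
    "2013-08-19T03:05 10.0.0.5 www.gartner.com NOERROR",
    "2013-08-19T03:07 10.0.0.5 mail.google.com NOERROR",
    "2013-08-19T03:09 10.0.0.5 update.example.com NOERROR",
    "2013-08-19T03:11 10.0.0.5 cdn.example.net NOERROR",
    "2013-08-19T03:12 10.0.0.5 www.example.org NOERROR",
]


def hourly_dns_counts(flow_lines):
    """src -> {"YYYY-MM-DDTHH": number of flows to port 53 in that hour}."""
    counts = defaultdict(Counter)
    for line in flow_lines:
        ts, src, _dst, dport, _proto, _nbytes = line.split(",")
        if dport == "53":
            counts[src][ts[:13]] += 1
    return counts


def baseline_stats(flow_lines, day):
    """Per-source mean and sample std dev of hourly DNS flow counts over one
    full day; hours with no flows count as zero."""
    stats = {}
    for src, per_hour in hourly_dns_counts(flow_lines).items():
        series = [per_hour.get(f"{day}T{h:02d}", 0) for h in range(24)]
        stats[src] = (statistics.mean(series), statistics.stdev(series))
    return stats


def dns_volume_anomalies(baseline_lines, baseline_day, lines, k=3.0, min_stdev=1.0):
    """(src, hour, count) where the hourly count exceeds mean + k * stdev of
    that source's baseline. The std-dev floor stops quiet hosts from alerting
    on one extra lookup; a source with no baseline is scored against mean 0."""
    stats = baseline_stats(baseline_lines, baseline_day)
    flagged = []
    for src, per_hour in hourly_dns_counts(lines).items():
        mean, stdev = stats.get(src, (0.0, 0.0))
        threshold = mean + k * max(stdev, min_stdev)
        flagged += [(src, hour, n) for hour, n in per_hour.items() if n > threshold]
    return sorted(flagged)


def shannon_entropy(text):
    """Bits per character; random DGA-style labels score higher than words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_suspects(dns_lines, min_queries=5, min_nx_ratio=0.5, min_entropy=3.0):
    """Clients whose lookups are mostly NXDOMAIN and whose second-level labels
    look random: a bot walking a domain-generation list. Returns
    (client, queries, nx_ratio, mean_entropy) sorted by client."""
    per_client = defaultdict(list)
    for line in dns_lines:
        _ts, client, qname, rcode = line.split()
        label = qname.rstrip(".").split(".")[-2]  # crude: ignores public-suffix rules
        per_client[client].append((rcode == "NXDOMAIN", shannon_entropy(label)))
    out = []
    for client, obs in sorted(per_client.items()):
        if len(obs) < min_queries:
            continue
        nx_ratio = sum(nx for nx, _ in obs) / len(obs)
        mean_entropy = sum(e for _, e in obs) / len(obs)
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            out.append((client, len(obs), nx_ratio, mean_entropy))
    return out


if __name__ == "__main__":
    for src, hour, n in dns_volume_anomalies(BASELINE, "2013-08-18", TODAY):
        print(f"volume anomaly: {src} made {n} DNS flows in {hour}")
    for client, q, nx, ent in dga_suspects(DNS_LOG):
        print(f"DGA suspect: {client}: {q} lookups, {nx:.0%} NXDOMAIN, entropy {ent:.2f}")
```

Both checks fire on 10.0.0.9 and stay silent on 10.0.0.5. The tuning knobs (k, the standard-deviation floor, the NXDOMAIN share, the entropy cutoff) are exactly where the "careful tuning" challenge below comes from: too low and every host running a CDN-heavy browser alerts, too high and a slow-beaconing bot stays under the baseline.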

Strengths
- Real-time detection.
- Includes signatureless and signature-based techniques.
- Endpoint agents are not required.

Challenges
- Requires careful tuning and knowledgeable staff to avoid false positives.
- Limited ability to block attacks (applies to out-of-band tools).
- Does not monitor traffic from off-network mobile endpoints.

Sample Vendors
Arbor Networks, Damballa, Fidelis, Lancope, and Sourcefire (AMP)
(Note: Most firewall, IPS and secure Web gateways provide support for traffic analysis, but with a wide range of features and effectiveness. Many rely on third-party blacklists [for example, known bad IP addresses] and signatures.)
Style 2: Network Forensics

Network Forensics tools provide full packet capture and storage of network traffic, and provide analytics and reporting tools for supporting incident response, investigative and advanced threat analysis needs. The ability of these tools to extract and retain metadata differentiates these security-focused solutions from the packet capture tools aimed at the network operations buyer (see Note 2).
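
What "separating metadata from raw packets" (Note 2) looks like in practice, as an added example written for this page; it is not code from the report, Blue Coat/Solera or RSA NetWitness. Each captured session is reduced to one flat record (client, server, method, URL, User-Agent, Referer, status, content type) and the analysis runs on those records: find a User-Agent seen on only one host, list executable downloads, and walk Referer headers backwards to replay the pages that led to a download. The sessions, hosts and URLs are constructed; one request/response pair per TCP session, no keep-alive or chunked bodies.

```python
"""Session metadata extraction in the style of a network forensics tool.

Added example for this page; not the report's or any vendor's code. The
captured sessions are constructed (one HTTP exchange per session).
"""
from collections import defaultdict

FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"
MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def _req(method, path, host, ua, referer=None):
    """Constructed client-side bytes of one HTTP/1.1 request."""
    head = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n"
    if referer:
        head += f"Referer: {referer}\r\n"   # spelled this way on the wire
    return (head + "\r\n").encode()


def _resp(content_type, body=b""):
    """Constructed server-side bytes of a 200 response."""
    return (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# (timestamp, client, server, request, response) as reassembled from a capture.
SESSIONS = [
    ("2013-08-19T03:00:01", "10.0.0.9", "203.0.113.10",
     _req("GET", "/news", "www.example.com", FIREFOX),
     _resp("text/html; charset=utf-8", b"<html>")),
    ("2013-08-19T03:00:02", "10.0.0.9", "203.0.113.20",
     _req("GET", "/banner.js", "ads.example.net", FIREFOX, "http://www.example.com/news"),
     _resp("application/javascript", b"var x=1;")),
    ("2013-08-19T03:00:03", "10.0.0.9", "203.0.113.30",
     _req("GET", "/update.exe", "cdn.example.org", FIREFOX, "http://ads.example.net/banner.js"),
     _resp("application/octet-stream", b"MZ\x90\x00")),
    ("2013-08-19T03:00:09", "10.0.0.9", "203.0.113.77",
     _req("POST", "/gate.php", "203.0.113.77", MSIE6),
     _resp("text/plain", b"ok")),
    ("2013-08-19T03:04:10", "10.0.0.5", "203.0.113.10",
     _req("GET", "/", "www.example.com", FIREFOX),
     _resp("text/html; charset=utf-8", b"<html>")),
    ("2013-08-19T03:04:11", "10.0.0.5", "203.0.113.10",
     _req("GET", "/news", "www.example.com", FIREFOX, "http://www.example.com/"),
     _resp("text/html; charset=utf-8", b"<html>")),
]


def _parse_headers(raw):
    """(start line, {lowercased header name: value}); the body is left alone."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def extract_metadata(sessions):
    """One flat record per session: the fields an analyst queries on, and
    nothing from the payload bodies, which stay in the raw packet store."""
    records = []
    for ts, client, server, req, resp in sessions:
        req_line, req_h = _parse_headers(req)
        method, path, _version = req_line.split(" ", 2)
        status_line, resp_h = _parse_headers(resp)
        records.append({
            "ts": ts, "client": client, "server": server, "method": method,
            "url": f"http://{req_h.get('host', server)}{path}",
            "user_agent": req_h.get("user-agent", ""),
            "referer": req_h.get("referer", ""),
            "status": int(status_line.split(" ")[1]),
            "content_type": resp_h.get("content-type", "").split(";")[0],
        })
    return records


def rare_user_agents(records, max_clients=1):
    """User-Agent strings seen from at most max_clients distinct clients; an
    odd UA on a single host is a classic pivot for finding an implant."""
    clients = defaultdict(set)
    for r in records:
        clients[r["user_agent"]].add(r["client"])
    return {ua: sorted(c) for ua, c in clients.items() if len(c) <= max_clients}


def executables_fetched(records):
    return [r for r in records if r["content_type"] == "application/octet-stream"]


def referer_chain(records, client, url):
    """Walk Referer headers backwards from url to recover the page sequence
    this client followed; stops at a loop or a page that was not captured.
    If a client fetched the same URL twice, the later record wins."""
    by_url = {(r["client"], r["url"]): r for r in records}
    chain, seen = [], set()
    while url and (client, url) in by_url and url not in seen:
        seen.add(url)
        chain.append(url)
        url = by_url[(client, url)]["referer"]
    return list(reversed(chain))


if __name__ == "__main__":
    recs = extract_metadata(SESSIONS)
    for r in executables_fetched(recs):
        print(r["client"], "fetched", r["url"], "via", referer_chain(recs, r["client"], r["url"]))
    print("rare user agents:", rare_user_agents(recs))
```

The index is a few hundred bytes per session however large the bodies were, which is why these tools can answer "who else fetched that URL" over weeks of traffic while the full packets sit on the 200 TB store mentioned below; the packets are only pulled when a record is worth replaying.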

Strengths
- Can deliver a high ROI (due to reducing incident response time and personnel).
- Can reconstruct and replay flows and events over days or weeks, due to high-capacity storage options (for example, 200 TB).
- Detailed reports can be used to help meet regulatory requirements, such as e-discovery or Payment Card Industry, for in-depth analysis and continuous monitoring of network traffic.

Challenges
- The tools are complex, and skilled personnel are required to operate them.
- Costs rise with the amount of data and the retention time.
- Reports that analyze large amounts of data are time-intensive and may need to be run off-hours.
- Does not capture traffic from off-network mobile endpoints.

Sample Vendors
Blue Coat (Solera Networks) and RSA (NetWitness)
Style 3: Payload Analysis

Using a sandbox environment, the Payload Analysis technique is used to detect malware and targeted attacks on a near-real-time basis. Payload Analysis solutions provide detailed reports about malware behavior, but they do not enable a postcompromise ability to track endpoint behavior over a period of days, weeks or months. Enterprises that seek that capability will need to use the incident response features of the solutions in Style 5 (Endpoint Forensics). The sandbox environment can reside on premises or in the cloud.

Cloud-based Payload Analysis is a valid approach, but it is also a low barrier to entry for vendors. Using off-the-shelf hypervisors and virtualization technology, vendors can easily create sandbox environments and label them as Payload Analysis solutions. Feedback from Gartner clients indicates that there is a wide range in the ability of these cloud-based Payload Analysis solutions to accurately detect malware.

Strengths
- Very effective in detecting malware that successfully bypasses signature-based solutions.
- Detailed reports highlight registry changes, API calls, process behavior and other information about the behavior of the malware (these reports are helpful for postcompromise analysis, but are not a substitute for the in-depth tools outlined in Style 2 and Style 5).
- Optional blocking capability for outbound callback to command-and-control centers for those on-premises (non-cloud) solutions that can be placed in the line of traffic.

Challenges
- Because behavioral analysis can take several seconds or minutes to complete, previously undetected malware is allowed to pass through, potentially compromising one or more endpoints.
- Some evasion techniques can defeat the behavioral analysis technique. For example, sleep timers, in which the malware code executes on a delayed basis (hours or days), may result in the malware going undetected during the time it is resident in the sandbox. Some vendors have techniques for detecting and thwarting sleep timer evasions.
- Does not provide validation that the malware executed on endpoints. Just because the malware behaved a certain way in a simulated environment does not guarantee that it will behave that way on real endpoints. Some malware does not install and execute as expected on every endpoint.
- Many solutions only support a limited range of payloads. Some support executables (.exe files) only.
- Most solutions only support Microsoft Windows, although some cloud-based approaches support Android. At the time of this writing, none support Apple Mac OS X.
- Privacy and data protection concerns may prevent some enterprises from implementing cloud-based sandboxes.
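
The sleep-timer evasion from the challenges above, and why "thwarting" it is harder than skipping the sleep, as an added example written for this page. It is a simulation: the sample is a small Python function calling a fake Win32-style API, not real malware, and the three sandboxes are not the code of any vendor the report names. They differ only in how Sleep and GetTickCount behave; the 5-minute delay, the 2-minute analysis budget and the API names are assumptions.

```python
"""Sleep-timer evasion against a behavioral sandbox, and two counters to it.

Added example for this page; a simulation, not any vendor's sandbox and not
real malware. Delays, budget and API surface are constructed assumptions.
"""


class Sandbox:
    """Baseline sandbox: honors Sleep on the wall clock and kills the run
    once budget_ms of real time has been spent. Records every API call."""

    def __init__(self, budget_ms=120_000):
        self.budget_ms = budget_ms
        self.wall_ms = 0     # time the analyst actually waits
        self.tick_ms = 0     # time the sample sees through GetTickCount
        self.log = []

    def _call(self, name, *args):
        if self.wall_ms > self.budget_ms:
            raise TimeoutError("sandbox budget exhausted")   # run killed
        self.log.append((name,) + args)

    def GetTickCount(self):
        self._call("GetTickCount")
        return self.tick_ms

    def Sleep(self, ms):
        self._call("Sleep", ms)
        self.wall_ms += ms
        self.tick_ms += ms

    def RegSetValueEx(self, key, value):
        self._call("RegSetValueEx", key, value)

    def InternetConnect(self, host):
        self._call("InternetConnect", host)


class SkipSleepSandbox(Sandbox):
    """Naive acceleration: Sleep returns at once but no clock advances."""

    def Sleep(self, ms):
        self._call("Sleep", ms)


class VirtualClockSandbox(Sandbox):
    """Acceleration done consistently: Sleep costs no wall time, and every
    clock the sample can read moves forward by the requested amount."""

    def Sleep(self, ms):
        self._call("Sleep", ms)
        self.tick_ms += ms


def sample(api, delay_ms=300_000):
    """Stand-in for a stalling dropper: sleep five minutes, check that the
    clock really moved, then persist and beacon. Returns the path taken."""
    before = api.GetTickCount()
    api.Sleep(delay_ms)
    elapsed = api.GetTickCount() - before
    if elapsed < delay_ms * 0.9:
        return "evaded"          # clock was skipped: sandbox suspected, stay quiet
    api.RegSetValueEx(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc")
    api.InternetConnect("203.0.113.77")
    return "detonated"


def run(sandbox_cls, budget_ms=120_000):
    """(outcome, suspicious calls observed) for one sandbox implementation."""
    box = sandbox_cls(budget_ms)
    try:
        outcome = sample(box)
    except TimeoutError:
        outcome = "timed out"
    suspicious = [c for c in box.log if c[0] in ("RegSetValueEx", "InternetConnect")]
    return outcome, suspicious


if __name__ == "__main__":
    for cls in (Sandbox, SkipSleepSandbox, VirtualClockSandbox):
        outcome, seen = run(cls)
        print(f"{cls.__name__:20s} {outcome:10s} malicious calls seen: {len(seen)}")
```

The baseline sandbox times out with nothing malicious logged, so the verdict is "clean"; skipping the sleep is no better, because the sample measures the gap and goes quiet. Only a clock that stays consistent with the skipped sleeps gets the sample to detonate inside the budget. Real samples read more time sources than one tick counter (wall-clock APIs, file timestamps, remote servers), so the virtualization has to cover all of them, which is the difficult part vendors compete on.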

Sample Vendors
AhnLab, Check Point (Threat Emulation Software Blade), FireEye, Lastline, McAfee (ValidEdge), Palo Alto Networks (WildFire), ThreatGrid and Trend Micro (Deep Discovery)
(Note: These vendors all offer appliances, and some also offer cloud-based options. Firewall, IPS and SWG vendors that offer cloud-only Payload Analysis as a secondary feature were not included. Vendors that offer Payload Analysis from an OEM provider also were not included.)
Style 4: Endpoint Behavior Analysis

There is more than one approach to Endpoint Behavior Analysis to defend against targeted attacks. Several vendors focus on the concept of application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response. An entirely different strategy for ATA defense is to restrict application execution to only known good applications, also known as "whitelisting" (see "How to Successfully Deploy Application Control").

The application containment approach allows malware to execute, but it does so in a contained environment where it cannot access content and information outside of its container. For example, the containers intercept kernel system calls and block malicious activity such as thread injection attacks. By isolating Web browsing sessions, this approach protects users from malicious websites, including drive-by download sites and "watering holes." These solutions require an agent on every endpoint. (For more information, see "Technology Overview for Virtualization and Containment Solutions for Advanced Targeted Attacks.")

Strengths
- Blocks zero-day attacks and previously unseen malware (applies to application containment solutions).
- Protects systems whether they are on or off the corporate network.
- Provides basic forensic capabilities through analysis of blocked malware.

Challenges
- Deploying and managing endpoint agents can be operationally intensive and creates challenges in bring-your-own-device (BYOD) environments.
- Endpoint agents have varying restrictions for supporting operating systems, file types, applications and browsers.
- Containment solutions utilize additional CPU and memory resources. The more containers in use, the greater the impact.

Sample Vendors
Application Containment: Blue Ridge Networks, Bromium, Invincea, Sandboxie and Trustware
Memory Monitoring: Cyvera, ManTech/HBGary (Digital DNA) and RSA (ECAT)
System Configuration and Process Monitoring: Triumfant
Style 5: Endpoint Forensics

Endpoint Forensics serves as a tool for incident response teams. Endpoint agents collect data from the hosts they monitor. These solutions are helpful for pinpointing which computers have been compromised by malware, and highlighting specific behavior of the malware. Some solutions use various indicators of compromise (IOCs) to detect malicious behavior on the endpoint. Examples of IOCs include suspicious Microsoft Windows registry key creation, DNS requests or installed binaries.
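
An IOC sweep over the three kinds of indicator the paragraph names (a registry key, DNS names, a binary hash), as an added example written for this page; it is not code from the report or from any vendor it lists. The indicator set, the host names and the agent events are constructed, and the "known bad" hash is computed from constructed bytes rather than taken from a feed. Real IOC formats such as OpenIOC carry AND/OR logic that this flat matcher does not, and the last function addresses the prioritization challenge noted below by ranking hosts on how many independent indicator types fired.

```python
"""Endpoint IOC sweep: registry keys, DNS lookups and binary hashes.

Added example for this page; not the report's or any vendor's code. The
indicators, hosts and telemetry events are constructed.
"""
import fnmatch
import hashlib


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


DROPPER = b"MZ\x90\x00 constructed dropper bytes, not a real binary"

# Constructed indicator set. In practice the hash arrives as a hex string from
# the vendor feed; it is computed here so the example is self-contained.
IOCS = {
    "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"],
    "dns": ["p4hzd8ak5jqe.info", "*.example-c2.net"],   # fnmatch globs
    "sha256": [sha256_of(DROPPER)],
}

# Constructed agent telemetry from three workstations.
EVENTS = [
    {"host": "ws-017", "ts": "2013-08-19T03:00:11", "type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"},
    {"host": "ws-017", "ts": "2013-08-19T03:00:12", "type": "dns",
     "qname": "p4hzd8ak5jqe.info"},
    {"host": "ws-017", "ts": "2013-08-19T03:00:13", "type": "binary",
     "path": r"C:\ProgramData\svc32.exe", "sha256": sha256_of(DROPPER)},
    {"host": "ws-042", "ts": "2013-08-19T03:30:00", "type": "dns",
     "qname": "mail.example-c2.net"},
    {"host": "ws-042", "ts": "2013-08-19T03:30:05", "type": "binary",
     "path": r"C:\Windows\notepad.exe", "sha256": sha256_of(b"benign editor bytes")},
    {"host": "ws-103", "ts": "2013-08-19T03:45:00", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws-103", "ts": "2013-08-19T03:45:30", "type": "dns",
     "qname": "www.example.com"},
]

_HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}


def norm_key(key):
    """Lowercase and shorten the hive so both spellings of a key compare equal."""
    key = key.lower()
    for long, short in _HIVES.items():
        if key.startswith(long):
            key = short + key[len(long):]
    return key


def match_event(event, iocs):
    """(ioc_type, indicator, evidence) if the event hits an indicator, else None."""
    if event["type"] == "registry":
        for ind in iocs["registry"]:
            if norm_key(event["key"]) == norm_key(ind):
                return ("registry", ind, event["key"])
    elif event["type"] == "dns":
        for ind in iocs["dns"]:
            if fnmatch.fnmatch(event["qname"].lower(), ind.lower()):
                return ("dns", ind, event["qname"])
    elif event["type"] == "binary":
        if event["sha256"] in iocs["sha256"]:
            return ("sha256", event["sha256"], event["path"])
    return None


def sweep(events, iocs):
    """host -> list of hits, in event order."""
    hits = {}
    for ev in events:
        hit = match_event(ev, iocs)
        if hit:
            hits.setdefault(ev["host"], []).append(hit)
    return hits


def prioritize(hits):
    """Rank hosts by the number of distinct indicator types that fired: a host
    with persistence, a C2 lookup and a known-bad binary outranks a lone DNS hit."""
    ranked = [(host, len({t for t, _, _ in h})) for host, h in hits.items()]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    found = sweep(EVENTS, IOCS)
    for host, score in prioritize(found):
        print(host, "score", score)
        for ioc_type, indicator, evidence in found[host]:
            print("   ", ioc_type, indicator, "<-", evidence)
```

ws-017 trips all three indicator types and sorts first; ws-042 has a single DNS hit and needs a human look before anyone reimages it; ws-103 is clean. Hash indicators are the most precise and the most brittle (a rebuilt dropper changes the hash), the registry key catches the persistence mechanism regardless of the binary, and the DNS glob is the broadest of the three.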

Strengths
- Helps automate the time-consuming task of incident response.
- Monitors activity on hosts when they are on or off corporate networks.
- Some agents provide limited containment features (for example, preventing previously detected malware from running again or on other endpoints in the company) and limited remediation capabilities.

Challenges
- A lack of ability to block zero-day attacks in real time.
- Deploying and managing endpoint agents can be operationally intensive.
- At the time of this writing, support for non-Windows endpoints is limited.
- Events are not always prioritized and typically require knowledgeable staff to investigate.

Sample Vendors
Bit9, Carbon Black, Guidance Software (EnCase Analytics), Mandiant and ManTech/HBGary (Responder Pro)
Using the Framework

Because of the challenges in combating targeted attacks and malware, security-conscious organizations should plan on implementing at least two styles from this framework. The framework is useful for highlighting which combinations of styles are the most complementary. Effective protection comes from combining technologies from different rows (for example: network/payload, payload/endpoint or network/endpoint). The same logic applies to mixing styles from different columns (different time horizons). The most effective approach is to combine styles diagonally through the framework. For example, some useful combinations of styles follow.

Payload Analysis (Style 3) and Endpoint Forensics (Style 5)
The Payload Analysis component detects that malware has entered your environment, and the Endpoint Forensics component highlights the endpoints that have been compromised and provides details for each compromised endpoint. Some Payload Analysis vendors have integrated their solutions with Endpoint Forensics vendors, which helps to reduce incident response time. Network Traffic Analysis (Style 1) and Endpoint Forensics (Style 5) will provide similar benefits, but there have been fewer partnerships between vendors in these styles.

Payload Analysis (Style 3) and Network Forensics (Style 2)
Payload Analysis detects the malware, and the Network Forensics solution can replay the traffic that led to the malware event. Payload Analysis solutions enable a more efficient use of the Network Forensics tools by focusing the incident responders on where to look among the terabytes of stored packets. Some Payload Analysis vendors have integrated their solutions with Network Forensics and packet capture vendors.

Network Traffic Analysis (Style 1) and Network Forensics (Style 2)
While this is a network-centric pairing that lacks a payload or endpoint focus, it is effective because the Network Forensics tools provide richer detail than can be achieved from simply relying on a Network Traffic Analysis solution that may do some basic packet capture. Some Network Traffic Analysis vendors have integrated their offerings with Network Forensics and packet capture vendors.

Some vendors, particularly the larger ones, are already delivering solutions that integrate two or more styles. Because of the low barriers to entry of Style 3 (Payload Analysis), some firewall, secure Web gateway and IPS vendors have already added this style, although the quality of the solutions varies widely. The best single-vendor approaches will be those that integrate across rows and across columns of the framework to combine the broadest range of detection with the best forensics features. However, when enterprises select a single-vendor, integrated approach, they sacrifice best-of-breed functionality from pure-play vendors that focus on only one style.
Contributing analysts: Neil MacDonald, Peter Firstbrook, Eric Maiwald and Anton Chuvakin.

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission.