Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Transcription

1 Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

2 Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 2 Executive Summary Promotion and promises from security vendors represent an aggressive grab for mindshare, making it difficult to separate reality from hype. To help sort out the reality of new advanced detection tools, Proofpoint has put together a short list of impactful tips, topics, and questions to apply to your evaluation and decision processes. Some of these tips take a hard look at reality and could impact your workload or the way that you build your security budget. At a minimum, these tips should help you ask more intelligent questions to security vendors. This paper, Advanced Threat Detection: Necessary but not Sufficient is the first Installment in our Blinded By the Hype Series that includes recommendations for banishing each Hype Scenario. New Detection Tools Mean MORE work for your team The stampede of new detection tools is a good thing, as you can t stop a threat if you don t know that it exists. The risk, however, is that detection tools are optimized to detect behaviors, actions, and communications that may put your business at risk. Optimizing detection means that these tools are very good at piecing together signals of a breach or infection, then reporting it. Notice that reporting doesn t imply stopping or containing the infection, meaning that data, personal records, or intellectual property may be leaving the building while you read the report. As the headlines have shown, even companies with some of the latest detection technologies fell short in the response process. Advanced detection was necessary, but not sufficient. Big Data, Security Analytics, and Behavioral Analysis marketing is based on the premise that purchasing new tools or services will enlighten you to threats affecting your network. They promise that new detection tools, techniques, and methods will make life better somehow - enabling you to operate from the common sense business platitude You can t improve on what you don t measure. In fact, once these tools are purchased, installed, and operating, your organization may have spent hundreds of thousands or even millions to confirm what you read in a press release or news stories -- that 70 to 95% of corporate networks have malware. The new technologies or tools didn t tell you how to stop the malware, how to stop people from clicking links, or stop zero day vulnerabilities from affecting your organization. The truth of the matter is that you potentially just spent $1M to confirm what you suspected. While you re more informed, you re likely no more secure then before you bought the tool. The question has shifted from do I have malware to one focusing on the time or resources to investigate, mitigate, and contain the hundreds or thousands of alerts you received from your recently purchased tool. Detection tools not only detect malware, but they can deliver hundreds or thousands of alerts and incidents that you must address. What s your Return on detection? Protection, right? Take a quick look at how some leading tools can boost their Return on detection by looking at their detection capabilities and how adding protection can close the loop. Detection Tools like FireEye and SIEM are Important, but FireEye The good news is that products like FireEye are very effective at detecting zero day attacks. The bad news is these alerts include a lot of information for analysts to digest, and if you re not prepared, the volume of alerts can be overwhelming. For example, one threat can have multiple binaries, multiple callback targets, and even multiple sources for file downloads. Some alerts may be malicious, some may be benign. Either way, each suspected malware infection, remote server connection, and potential callback warrants investigation. This investigation requirement for Incident Response teams that can be overwhelming, but to gain Return on detection from FireEye, you can t just detect the threat, you must act to stop the threat from spreading, doing more damage, and from exfiltrating data from your network. If a series of threats hits a network, they may target multiple systems, drop or download hundreds of files, and take dozens of actions that might be completely benign such as access a Microsoft domain or Twitter. Each action or alert may require investigation to understand which actions in the attack are decoy tasks, misdirections, aggressive evasive techniques, or false positives. Keep in mind, however, that these FireEye alerts are just one of many from alert sources that organizations use. These alerts are in addition to the alerts they already receive from their Firewalls, Intrusion Detection Systems, and SIEM tools.

3 Whitepaper Advanced Threat Detection: Necessary but Not Sufficient SIEMs Now Security Information and Event Management (SIEM) tools such as HP ArcSight do a good job of detecting server and network anomalies by aggregating machine and log data. Despite the fact that they reduce the number of alerts from millions of data points to thousands of potential threats, there s still a lot of information to digest from your SIEM. Combine this with the reality that SIEM technology was not designed to go deep into APT and threat data customers tell us their SIEMs are struggling to adapt to these new threats. In fact, we ve seen customers writing as many as 500 rules in order to filter out the noise yet they still required higher fidelity alert information. Depending on the patience of the business team auditing the ROI on the SIEM, Return on detection can be more easily calculated if you add measures that protect against threats reported by ArcSight. Palo Alto Networks Palo Alto Networks and other detection devices can generate a high number of critical alerts. One reaction is to lower the priority of the alerts, and in doing so, risk filtering out a hidden DDoS or other attack. Others will let these alerts through to gain a better picture of potential attacks on the network, but struggle through the manual investigation of the alerts. The obvious problem is that if all the alerts are tracked and reported as critical, there could be a huge security breach, a misconfiguration, a change in policy, or something else may be at work. Again, adding these detection tools reveals the extent that a network is under attack or may be compromised. If you are under attack, the fastest way to Return on detection for you purchase may be a tool or system to protect against reported threats. 3

4 Whitepaper Advanced Threat Detection: Necessary but Not Sufficient Detection tools running amok To put this into better perspective, below is a chart of the wide number of tools and vendors you may have heard about or seen at RSA and other security shows. Each vendor will take your money to detect problems or security threats on your network. What most of these vendors won t tell you is that if you detect a threat with their tools it s someone else s job to contain the problem. If your job involves detection, investigation, mitigation, and containment, you would have addressed the detection piece, but you haven t delivered a method to prove Return on detection, to fully justify the purchase of any of those detection tools. Malware Detection SIEM Log Management & Monitoring You Might Have a Problem How Do You Mitigate and Respond? Big Data Security Analytics Vulnerability & Risk Management 4

5 Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 5 Detection Protection? To summarize this point the hidden tip you won t hear from most security vendors is that new detection tools raise the awareness that you ve been breached, but unless you have a plan and ability to contain the threats you detect, you are not protected. Keep in mind that no manager wants to spend millions on detection and only to need more for protection. The new system found 200 alerts! Did you contain the threats? No, but detection works! Alert fragmentation Alert heap spray Alert Spyware Alert CVE-1425 Alert Spyware Doh! Then I suggest you get to work on that! Alert intrusion Alert adware Alert CVE-1428 Alert Unauthorized Alert Spyware Alert Login failure Recommendations When considering the purchase or introduction of any new detection technologies, ask the following questions: 1. If I purchase this detection system, will I see more security alerts? 2. If I see more security alerts, how much work is it to reduce the noisy alerts to the critical alerts? 3. Once I know which alerts are critical, how do I prioritize the alerts and contain the threat with this product? 4. How quickly can I take a security alert from this product and stop the threat that it finds? 5. What is the ROI of this product, and does this ROI include stopping detected threats? The Proofpoint Solution Proofpoint delivers best-of-breed products that encompass security analytics and response capabilities. Organizations without the time and money to custom code both predictive analytics and response tools that leverage big data (over 1 billion URLs review a day) and applied threat intelligence should consider the following products:»» Proofpoint Targeted Attack Protection (TAP) is a cloud-based security-as-a-service offering from Proofpoint that leverages Big Data infrastructure and applies advanced predictive analytics and sandboxing techniques to detect and manage new forms of attack including highly targeted and socially-engineered phishing attacks.»» Proofpoint Threat Response is a virtual appliance from Proofpoint that closes the gap between detection, verification, and protection. It includes built-in indicator of compromise (IOC) verification, connectors to Proofpoint TAP and other threat sources, and adapters to all major enforcement device vendors in a visually rich, yet elegant interface.

6 Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 6 Conclusions Security vendors can push their products and solutions at conference, online, and other security shows, but it s important that buyers understand the potential hand waving and pitfalls for buying into the hype without deeper evaluations. Advanced Threat Detection: Necessary but not Sufficient is the first tip in the Blinded by the Hype Series. Be sure to evaluate and purchase tools that allow you to close the loop between detection and containment, so you both detect and stop the threats you find. About Proofpoint Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance, and secure communications. Organizations around the world depend on Proofpoint s expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information. Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 892 Ross Drive Sunnyvale, CA