Advanced Threat Detection: Necessary but Not Sufficient
The First Installment in the Blinded By the Hype Series

Whitepaper: Advanced Threat Detection: Necessary but Not Sufficient

Executive Summary

Promotion and promises from security vendors represent an aggressive grab for mindshare, making it difficult to separate reality from hype. To help sort out the reality of new advanced detection tools, Proofpoint has put together a short list of impactful tips, topics, and questions to apply to your evaluation and decision processes. Some of these tips take a hard look at reality and could affect your workload or the way you build your security budget. At a minimum, they should help you ask more pointed questions of security vendors. This paper, Advanced Threat Detection: Necessary but Not Sufficient, is the first installment in our Blinded By the Hype series, which includes recommendations for banishing each hype scenario.

New Detection Tools Mean MORE Work for Your Team

The stampede of new detection tools is a good thing: you can't stop a threat if you don't know that it exists. The catch is that detection tools are optimized to detect behaviors, actions, and communications that may put your business at risk. Optimizing for detection means these tools are very good at piecing together the signals of a breach or infection and then reporting it. Notice that reporting does not imply stopping or containing the infection; data, personal records, or intellectual property may be leaving the building while you read the report. As the headlines have shown, even companies with some of the latest detection technologies fell short in the response process. Advanced detection was necessary, but not sufficient.

Big Data, Security Analytics, and Behavioral Analysis marketing is based on the premise that purchasing new tools or services will enlighten you to the threats affecting your network. They promise that new detection tools, techniques, and methods will somehow make life better, letting you operate from the common-sense business platitude that you can't improve what you don't measure. In fact, once these tools are purchased, installed, and operating, your organization may have spent hundreds of thousands or even millions of dollars to confirm what you read in a press release or news story: that 70 to 95% of corporate networks have malware. The new tools didn't tell you how to stop the malware, how to stop people from clicking links, or how to stop zero-day vulnerabilities from affecting your organization. The truth of the matter is that you may have just spent $1M to confirm what you already suspected. While you're more informed, you're likely no more secure than before you bought the tool. The question has shifted from "do I have malware?" to how much time and how many resources it takes to investigate, mitigate, and contain the hundreds or thousands of alerts your recently purchased tool generates. Detection tools don't just detect malware; they deliver hundreds or thousands of alerts and incidents that you must address.

What's Your Return on Detection? Protection, Right?

Take a quick look at how some leading tools can boost their Return on Detection by examining their detection capabilities and how adding protection can close the loop.

Detection Tools Like FireEye and SIEM Are Important, but

FireEye

The good news is that products like FireEye are very effective at detecting zero-day attacks. The bad news is that these alerts include a lot of information for analysts to digest, and if you're not prepared, the volume of alerts can be overwhelming. For example, one threat can involve multiple binaries, multiple callback targets, and even multiple sources for file downloads. Some alerts may be malicious, some may be benign. Either way, each suspected malware infection, remote server connection, and potential callback warrants investigation. This investigation requirement can overwhelm incident response teams, but to gain Return on Detection from FireEye you can't just detect the threat; you must act to stop it from spreading, doing more damage, and exfiltrating data from your network. If a series of threats hits a network, they may target multiple systems, drop or download hundreds of files, and take dozens of actions that might be completely benign, such as accessing a Microsoft domain or Twitter. Each action or alert may require investigation to determine which actions in the attack are decoy tasks, misdirections, aggressive evasion techniques, or false positives. Keep in mind, however, that FireEye alerts are just one of many alert sources that organizations use. They come in addition to the alerts you already receive from firewalls, intrusion detection systems, and SIEM tools.

SIEMs

Security Information and Event Management (SIEM) tools such as HP ArcSight do a good job of detecting server and network anomalies by aggregating machine and log data. Even though they reduce millions of data points to thousands of potential threats, there is still a lot of information to digest from your SIEM. Combine this with the reality that SIEM technology was not designed to go deep into APT and threat data, and customers tell us their SIEMs are struggling to adapt to these new threats. In fact, we've seen customers write as many as 500 rules to filter out the noise, yet they still needed higher-fidelity alert information. Depending on the patience of the business team auditing the ROI on the SIEM, Return on Detection is easier to demonstrate if you add measures that protect against the threats ArcSight reports.

Palo Alto Networks

Palo Alto Networks firewalls and other detection devices can generate a high number of critical alerts. One reaction is to lower the priority of the alerts, and in doing so risk filtering out a hidden DDoS or other attack. Others let the alerts through to gain a better picture of potential attacks on the network, but then struggle through the manual investigation of each one. The obvious problem is that if every alert is tracked and reported as critical, you cannot tell whether a major breach, a misconfiguration, a change in policy, or something else entirely is at work. Again, adding these detection tools reveals the extent to which a network is under attack or may be compromised. If you are under attack, the fastest way to Return on Detection for your purchase may be a tool or system that protects against the reported threats.
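To make the alert fan-out and noise problem described above concrete, here is an added example (not Proofpoint code, and not the API of FireEye, ArcSight, or Palo Alto Networks) of the triage logic an incident response team ends up writing around such tools: a handful of constructed sandbox- and SIEM-style alerts are collapsed into one incident per threat, benign destinations are dropped, the remaining indicators become block and isolate actions, and the share of incidents actually contained is reported as a Return on Detection figure. The alert fields, the benign-destination list, the threat_id grouping key, and the push() enforcement hook are all assumptions for illustration.

```python
"""Alert triage that closes the loop from detection to containment.

Added illustration, not Proofpoint code and not any vendor's API. The
alert layout, the benign-destination list and the push() enforcement
hook are assumptions; the alerts at the bottom are constructed.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Destinations a detonation will always touch but that are benign
# infrastructure; alerts on them are noise for the analyst (assumed list).
BENIGN_DESTINATIONS = {"update.microsoft.com", "twitter.com"}


@dataclass
class Alert:
    source: str      # "sandbox" or "siem"
    threat_id: str   # id the detector assigns to one detonation/campaign
    kind: str        # "binary", "callback" or "download"
    indicator: str   # file hash, destination host/IP, or download URL
    severity: str    # key of SEVERITY_RANK
    host: str        # internal host the alert was raised for
    ts: int          # epoch seconds


@dataclass
class Incident:
    threat_id: str
    first_seen: int
    max_severity: str = "low"
    hosts: set = field(default_factory=set)
    indicators: dict = field(default_factory=dict)  # kind -> set of indicators
    contained: bool = False


def triage(alerts):
    """Collapse many alerts into one Incident per threat_id, dropping benign callbacks."""
    incidents = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.kind == "callback" and a.indicator in BENIGN_DESTINATIONS:
            continue  # the "accessed a Microsoft domain" alert: no investigation needed
        inc = incidents.setdefault(a.threat_id, Incident(a.threat_id, a.ts))
        inc.hosts.add(a.host)
        inc.indicators.setdefault(a.kind, set()).add(a.indicator)
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[inc.max_severity]:
            inc.max_severity = a.severity
    return incidents


def prioritize(incidents):
    """Order incidents for the analyst: worst severity first, then widest spread,
    then oldest. Ranking spread separately keeps a lower-severity incident that is
    on many hosts from being buried the way 'lower the priority of everything' does."""
    return sorted(incidents.values(),
                  key=lambda i: (-SEVERITY_RANK[i.max_severity], -len(i.hosts), i.first_seen))


def containment_plan(incidents):
    """Map each incident to the enforcement actions that would stop it.
    Because indicators are sets, a callback seen from five hosts yields one block entry."""
    plan = {}
    for inc in incidents.values():
        actions = [("block_dst", d) for d in sorted(inc.indicators.get("callback", ()))]
        actions += [("block_url", u) for u in sorted(inc.indicators.get("download", ()))]
        actions += [("isolate_host", h) for h in sorted(inc.hosts)]
        plan[inc.threat_id] = actions
    return plan


def enforce(incidents, plan, push):
    """push(action) -> bool stands in for a firewall/NAC adapter (assumed hook).
    An incident counts as contained only if every planned action was accepted;
    every action is attempted so one refusal does not skip the rest."""
    for tid, actions in plan.items():
        results = [push(action) for action in actions]
        incidents[tid].contained = bool(actions) and all(results)
    return return_on_detection(incidents)


def return_on_detection(incidents):
    """Share of detected incidents that were actually contained, 0.0..1.0."""
    if not incidents:
        return 0.0
    return sum(i.contained for i in incidents.values()) / len(incidents)


# Constructed alerts: one detonation (T1) fanning out into two binaries, two callbacks
# and a download across two hosts; a SIEM hit that is only benign (T2); and one
# callback seen from two hosts (T3). Hashes and addresses are placeholders.
SAMPLE_ALERTS = [
    Alert("sandbox", "T1", "binary", "sha256:aa11", "critical", "ws-017", 100),
    Alert("sandbox", "T1", "binary", "sha256:bb22", "critical", "ws-017", 101),
    Alert("sandbox", "T1", "callback", "198.51.100.23", "high", "ws-017", 102),
    Alert("sandbox", "T1", "callback", "update.microsoft.com", "medium", "ws-017", 103),
    Alert("sandbox", "T1", "download", "http://203.0.113.9/stage2.bin", "high", "ws-042", 104),
    Alert("siem", "T2", "callback", "twitter.com", "low", "ws-088", 110),
    Alert("siem", "T3", "callback", "192.0.2.77", "high", "ws-088", 111),
    Alert("siem", "T3", "callback", "192.0.2.77", "high", "ws-091", 112),
]

if __name__ == "__main__":
    incidents = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(incidents)} incidents")
    for inc in prioritize(incidents):
        print(inc.threat_id, inc.max_severity, sorted(inc.hosts), inc.indicators)
    plan = containment_plan(incidents)
    # An adapter that only pushes network blocks: detection worked, but RoD is 0.
    print("network-only adapter RoD:", enforce(incidents, plan, lambda a: a[0] != "isolate_host"))
    # An adapter that can also isolate hosts closes the loop.
    print("full adapter RoD:", enforce(incidents, plan, lambda a: True))
```

Run stand-alone, the eight constructed alerts collapse to two incidents; with an adapter that can only push firewall entries neither incident is fully contained and the Return on Detection figure is 0.0, which is exactly the "detection works, but did you contain it?" gap the paper is describing. Only when host isolation is also wired in does the figure reach 1.0.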

Detection Tools Running Amok

To put this in perspective, below is a chart of the many tools and vendors you may have heard about or seen at RSA and other security shows. Each vendor will take your money to detect problems or security threats on your network. What most of these vendors won't tell you is that once you detect a threat with their tool, it's someone else's job to contain the problem. If your job involves detection, investigation, mitigation, and containment, you will have addressed the detection piece, but you won't have a method to prove Return on Detection and fully justify the purchase of any of those detection tools.

[Chart: detection tool categories (Malware Detection; SIEM; Log Management & Monitoring; Big Data Security Analytics; Vulnerability & Risk Management) feeding the message "You Might Have a Problem", with the open question "How Do You Mitigate and Respond?"]

Detection = Protection?

To summarize this point, the hidden tip you won't hear from most security vendors is that new detection tools raise your awareness that you've been breached, but unless you have a plan and the ability to contain the threats you detect, you are not protected. Keep in mind that no manager wants to spend millions on detection only to need more for protection.

[Cartoon: "The new system found 200 alerts!" "Did you contain the threats?" "No, but detection works!" "Doh! Then I suggest you get to work on that!" Behind them a console streams alerts: fragmentation, heap spray, spyware, intrusion, adware, unauthorized access, login failure, and CVE identifiers.]

Recommendations

When considering the purchase or introduction of any new detection technology, ask the following questions:
1. If I purchase this detection system, will I see more security alerts?
2. If I see more security alerts, how much work is it to reduce the noisy alerts to the critical alerts?
3. Once I know which alerts are critical, how do I prioritize them and contain the threat with this product?
4. How quickly can I take a security alert from this product and stop the threat it finds?
5. What is the ROI of this product, and does that ROI include stopping the detected threats?

The Proofpoint Solution

Proofpoint delivers best-of-breed products that encompass security analytics and response capabilities. Organizations without the time and money to custom-code both predictive analytics and response tools that leverage big data (over 1 billion URLs reviewed a day) and applied threat intelligence should consider the following products:
»» Proofpoint Targeted Attack Protection (TAP) is a cloud-based security-as-a-service offering from Proofpoint that leverages Big Data infrastructure and applies advanced predictive analytics and sandboxing techniques to detect and manage new forms of attack, including highly targeted and socially engineered phishing attacks.
»» Proofpoint Threat Response is a virtual appliance from Proofpoint that closes the gap between detection, verification, and protection. It includes built-in indicator of compromise (IOC) verification, connectors to Proofpoint TAP and other threat sources, and adapters to all major enforcement device vendors, in a visually rich yet elegant interface.

Conclusions

Security vendors can push their products and solutions at conferences, online, and at security shows, but it's important that buyers understand the potential hand-waving and pitfalls of buying into the hype without deeper evaluation. Advanced Threat Detection: Necessary but Not Sufficient is the first tip in the Blinded By the Hype series. Be sure to evaluate and purchase tools that allow you to close the loop between detection and containment, so that you both detect and stop the threats you find.

About Proofpoint

Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance, and secure communications. Organizations around the world depend on Proofpoint's expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information.

Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.
892 Ross Drive, Sunnyvale, CA 94089
1.408.517.4710
www.proofpoint.com