Protecting the Way People Work: Best Practices for Detecting and Mitigating Advanced Persistent Threats

The sprawling attack surface of modern business is making the challenge of detecting and mitigating advanced threats increasingly difficult. Cyberwarfare battlegrounds are compounding in complexity as mobile, social media and cloud applications are now concerning sources of data leakage and compliance violations. More critical information is being created, sent, shared and stored in ever more locations. It is clear that defense-in-depth is paramount, yet the question remains: How should organizations prioritize resources to effectively protect today's workforce from advanced threats?

In this report:
Page 4: From the Gartner Files: Best Practices for Detecting and Mitigating Advanced Persistent Threats
Page 17: About Proofpoint, Inc.
It is no secret that all advanced threats target people, and that will never change. Adversaries continue to use social engineering and social networks to trick people into sharing sensitive information through familiar interactions with perceivably trusted sources. People are the weakest link in the security chain, and regardless of how robust the technology stronghold or how thorough the training, people are fallible. Therefore, if organizations want to protect their people from advanced attacks, they not only need to harmoniously coordinate network, edge, endpoint and data protection solutions, they need to make sure that those solutions align with the way people work.

Proofpoint solutions align with Gartner best practices for detecting and mitigating advanced threats.

The Proofpoint product portfolio aligns closely with Gartner's recommended best-practice strategies (detailed on page 3) by providing solutions that:
- Adapt and form to changes in the threat landscape.
- Are easily maintained through the cloud, allowing value to be realized immediately.
- Unify security response processes among technologies by design, through seamless data integration and functional automation.
- Utilize community-based threat intelligence derived from organizations worldwide, to respond faster to known threats.

Proofpoint is adeptly positioned to provide cybersecurity solutions that address known and unknown advanced threats, including credential phishing, polymorphic and zero-day attacks. Proofpoint products equip organizations to focus their infrastructure protection strategy toward malicious content, backed by years of industry-leading expertise and proven, real-world efficacy.

Proofpoint stops advanced threats before they reach the people they target.

Proofpoint protects people in all the communication channels where attackers target them: email, social media and mobile apps.
Because solutions are in the flow of these channels, organizations have better, more insightful contextual information to stop attacks before they ever reach their targets. Contextual awareness is critical in advanced threat detection, validation and containment, especially when it comes to identifying the people who are being targeted. Proofpoint email content security solutions preemptively examine both URLs and attachments for email-based threats with modern techniques, such as content sandboxing and URL rewriting. Proofpoint has the unique ability to use predictive analytics to identify and block suspicious URLs before users click on them. Moreover, Proofpoint correlates everything learned about the attackers and their tools to stop the next attack faster.

Proofpoint protects the information people create from advanced attacks and compliance violations.

Proofpoint helps organizations reduce their attack surface wherever sensitive information resides: finding the sensitive data users create, and protecting it as it is sent, stored and archived. Because solutions are powered by the cloud, Proofpoint can both update and deploy defenses rapidly, staying ahead of even advanced and targeted attacks everywhere users go, on any network or any device.

Proofpoint enables people to respond quickly when things go wrong.

Proofpoint recognizes that no security solution is bulletproof, nor is any single technology product the universal panacea that stops all advanced, targeted attacks. Attacks will always get through, and when they do, people need to be ready.
Only Proofpoint provides end-to-end insight into attacks, showing not only what is blocked but also what is detected, delivered and clicked, with detailed forensic information. This information is backed by ongoing integration of trusted community-based threat intelligence, curated by the Proofpoint team of dedicated threat researchers and analytics systems. The result is pure, originally sourced threat intelligence on IP addresses, domains, malware samples and exploit kits, drawn from direct observations from global organizations, all kept current and made possible through the Proofpoint Cloud. Furthermore, Proofpoint can improve automated monitoring, correlation and analysis by enabling people to respond to incidents faster, giving them the intelligence to prioritize what to do and the tools that orchestrate the right response.

Proofpoint is committed to giving organizations the power to protect the way their people work today. For more information on Proofpoint solutions, please visit www.proofpoint.com.

Source: Proofpoint
From the Gartner Files: Best Practices for Detecting and Mitigating Advanced Persistent Threats

Information security practitioners must implement specific strategic and tactical best practices to detect and mitigate advanced persistent threats and targeted malware by leveraging both existing and emerging security technologies in their security architectures.

Key Challenges
- Management silos between network, edge, endpoint and data security systems can restrict an organization's ability to prevent, detect and respond to advanced attacks.
- Adversaries continue to use social engineering and social networks to target sensitive roles or individuals within an organization that have knowledge of, use of or access to the data targeted.
- Attackers often move laterally within the enterprise environment, attacking low-priority assets first as a launching pad to compromise adjacent higher-value systems.
- Most organizations rely on low-overhead prevention techniques, such as firewalls and antivirus solutions. Breach data shows that incident response must be improved.

Recommendations
- Use Gartner's adaptive security architecture to evaluate existing capabilities in all four stages of the security life cycle, and seek to fill in gaps.
- Perform a business impact and threat assessment analysis with business leaders to categorize threats, users and digital assets into high-, medium- and low-priority classifications, enabling faster alert response on high-impact threats, events and critical assets.
- Where practical, improve SIEM capabilities to include integrations with multiple security tools, to improve contextual awareness and provide a higher-level alert management capability.
- Acknowledge that not all threats can be prevented; therefore, the speed to detect and respond to incidents is also critical.
Introduction

Security practitioners now acknowledge the term advanced persistent threat (APT) and concede that there are advanced threats [1] targeting their businesses, bypassing traditional security protection techniques and residing undetected while data is exfiltrated from within the organization's environment. [2] This research will enable security practitioners and strategists to understand some of the threats they face and the best-practice steps that must be taken to reduce the risk of compromise by the advanced adversaries taking direct aim at their organizations.

Gartner currently estimates that in 2014, organizations spent a total of $985 million on advanced threat detection and prevention technologies. The total market estimate breaks down to $582 million on network sandbox providers, $232 million on endpoint detection and response, $58 million on cloud sandbox solutions, and $113 million on network behavior analysis (NBA). These markets and technologies continue to have strong interest from Gartner clients and have supported double-digit growth rates during the past several years. Gartner expects continued interest in these capabilities, as organizations grapple with increasing detection and prevention capabilities within their environments.
Analysis

Implement Tactical Best-Practice Controls

Best-Practice Strategies
- Use a comprehensive approach; no single technology will stop advanced targeted attacks, even products targeted specifically at advanced forms of attack.
- Implementing proper system and application patching is one of the single most successful defenses, so you must get this process right, and you must maintain a consistent and rapidly paced patch management process to be effective.
- Review your existing technologies and compare them to the Gartner adaptive security architecture. Utilize advanced features in the latest products or services to keep up with changes in the threat landscape. Also read "Five Styles of Advanced Threat Defense" for a framework to compare the styles of APT-targeted defense technologies.
- Acknowledge that technology alone won't stop APTs; an effective strategy must include the search for compromised systems, improvements in your forensics and incident response capabilities, rapid response, proper system configuration, and selection of the appropriate security technologies.
- Review the best practices in this document, but do so with the mindset of unifying the security processes between each technology, so that effective response to threats is possible and the detection and reduction of breach events is the more likely result.
- Perform roundtable exercises to examine how you will properly use the tools at your disposal, and brainstorm on the variety of ways an attack can be detected and can unfold in your environment.
- C-level executives must recognize the need to staff appropriately to effectively operate the latest security technologies your organization deploys to protect itself. If necessary, engage third parties to manage or operate more mature security controls, while the IT staff focuses more on the strategic security processes and technologies.
- Adaptive security architectures should be key requirements when evaluating the next generation of security protection technologies (network, endpoint, edge and so on). For example, adaptive security controls and processes will introduce orchestration and graduated response enforcement that can adapt when malfeasance is detected in external integrated controls. Seek integrated cross-product security controls that provide telemetry and adaptive responses to detection events. Furthermore, inquire with your network firewall provider about its latest security capabilities to address APTs and its ability to deliver intelligence-aware and adaptive responses.
- Ongoing integration and trusted community-based threat intelligence sharing among your disparate security technologies, business partners and other third-party or vertically aligned organizations should be a stated security program goal.

What Must Be Adopted to Reduce the Threat of APTs?

Keep Up to Date With the Threat Landscape
- Subscribe to security intelligence services that regularly provide information on the latest malicious activity, events and exploitation.
- Review your IT security department's education budget, and ensure you have allocated continuing, security-specific education for both your security team and your organization on the latest techniques used to reduce the potential delivery of advanced forms of malware (for example, how to avoid phishing attacks and how to analyze malware).
- Create a role-centric and user-centric security awareness program focusing on educating employees on the sensitive roles they hold, so that these employees better understand how attackers are attempting to gain access to company data and how that data is likely to be used maliciously. For example, this program should include (but is not limited to) departments such as finance, accounts payable, human resources and business operations that have access to sensitive data types; they should be well-versed in the techniques attackers are using to get at their sensitive data.
- Invest in forensics and malware sandbox analysis capabilities, but realize that incident response workloads will increase; midsize and small organizations should consider outsourced incident response models to augment staff against resource constraints. For enterprises, IT management should ensure that appropriate levels of education on malware analysis and incident response are a critical focus area for the members associated with these functions.
- Consider extending your involvement with external information and security-related organizations (see Note 1) and vertically aligned industry groups to enhance knowledge, threat intelligence sharing and collaboration of your security team with others in aligned industries.
- Establish relationships with government-sponsored security threat and information-sharing programs [3] to boost both the collaboration and response characteristics of your incident response procedure or process.
- Determine if your vertical has an aligned Information Sharing and Analysis Center (ISAC), and establish a relationship. (Examples include the Financial Services Information Sharing and Analysis Center [FS-ISAC], Red Sky Alliance, the Forum for Incident Response and Security Teams [FIRST], InfraGard, and the Computer Emergency Response Team/Computer Security Incident Response Team [CERT/CSIRT].)
- Assign at least one security team member to regularly review security news articles, publications and critical infrastructure protection alerts, comparing and contrasting this information with your current vulnerabilities and known risk profile.
- Hunt for compromised systems, and prioritize essential remediation efforts.

Thwart Social Engineering Techniques Through Education
- Review company policy to ensure that it has taken appropriate steps to prevent the inappropriate posting of internal information onto public social media sites. Your policy should extend the applicability of the data classification framework to data posted to external sites, and it should include punitive language, such as a termination clause. Data loss prevention (DLP) technologies may provide on-the-spot education for sensitive data use, as well as the benefit of enforcement.
- Ensure that your end-user security awareness programs highlight that disclosure of current or active individual job role information onto the Internet is discouraged by the company (keep mindful of freedom of speech issues). Also highlight that this information is often used by attackers to identify employees to attack with targeted malware content and malicious URLs.
- Augment your awareness campaigns to properly describe and demonstrate how attackers are using external data repositories to target employees through the use of social engineering techniques to gain their trust, and stress the importance of a suspicious mindset for all communications through email and via the Web.
- Social engineering attacks will often target the acquisition of user credentials via malware. Therefore, it is important that an organization monitor for variances in user authentication times; for example, users logging on at odd hours of the day or simultaneously from a different geolocation. User behavior analysis technologies can be an important tool for detecting and alerting on these events.

Best Practices That Apply to All Technical Control Layers
- Ensure you are using the latest offerings and engines from your endpoint protection platform provider. Standardize on a short turnaround for testing and deploying signature updates. Most platforms have evolved well beyond purely signature-based approaches for malware detection to include cloud-based reputation scoring, emulation, and behavioral and anomaly detection capabilities.
- Evaluate the context and intelligence-sharing capabilities of your security platform provider. Security platforms must become context-aware (identity-, application-, content-, location-, geolocation- and intelligence-aware) in order to make better information security decisions regarding APTs. If your provider doesn't have this capability or doesn't have it on its roadmap, consider switching providers.
- Offer linkage into reputation services. As with content, pure blacklisting-based approaches for Internet Protocol (IP) address filtering, URL filtering and email sender filtering no longer work. Next-generation security platforms incorporate cloud-based community context for determining the relative reputation of an entity, typically an IP address or URL. At a minimum, communications with IP addresses and URLs with low reputations should be logged, and some organizations will choose to block these entirely.
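The authentication-time monitoring called for under "Thwart Social Engineering Techniques Through Education" above (logons at odd hours, and near-simultaneous logons from different geolocations) can be prototyped over a logon feed before a user behavior analysis product is in place. The following is an added illustration, not Gartner's or Proofpoint's code: the event layout, the 07:00 to 19:59 UTC "normal hours" window and the two-hour travel window are assumptions, and the logon events are constructed.

```python
"""Flag the two authentication anomalies the text names: odd-hour logons
and logons from different geolocations too close together in time.
Added illustration; all events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed successful-logon events: (user, UTC timestamp, geolocation tag).
# The field layout is an assumption; VPN, directory and IdP logs differ.
SAMPLE_EVENTS = [
    ("alice", "2015-03-02T09:12:00", "US-NY"),
    ("alice", "2015-03-02T09:40:00", "US-NY"),
    ("alice", "2015-03-02T10:05:00", "RO-B"),   # 25 minutes later, other country
    ("bob",   "2015-03-02T03:17:00", "US-TX"),  # outside normal hours
    ("bob",   "2015-03-02T14:00:00", "US-TX"),
    ("carol", "2015-03-02T17:55:00", "DE-BE"),
    ("carol", "2015-03-03T08:10:00", "FR-PA"),  # next day: plausible travel
]

NORMAL_HOURS = range(7, 20)           # 07:00-19:59 UTC treated as normal (assumption)
TRAVEL_WINDOW = timedelta(hours=2)    # two geos within this window is suspicious (assumption)


def parse_events(rows):
    """Turn the raw rows into (user, datetime, geo) tuples."""
    return [(user, datetime.fromisoformat(ts), geo) for user, ts, geo in rows]


def odd_hour_logons(events, normal_hours=NORMAL_HOURS):
    """Logons whose hour of day falls outside the normal window."""
    return [e for e in events if e[1].hour not in normal_hours]


def impossible_travel(events, window=TRAVEL_WINDOW):
    """Consecutive logons by one user from different geolocations within
    `window` of each other.  Events are sorted by time per user first."""
    by_user = defaultdict(list)
    for user, when, geo in sorted(events, key=lambda e: e[1]):
        by_user[user].append((when, geo))
    hits = []
    for user, seq in by_user.items():
        for (t1, g1), (t2, g2) in zip(seq, seq[1:]):
            if g1 != g2 and t2 - t1 <= window:
                hits.append((user, t1.isoformat(), g1, t2.isoformat(), g2))
    return hits


def detect(rows=SAMPLE_EVENTS):
    """Run both checks and return the findings keyed by anomaly type."""
    events = parse_events(rows)
    return {
        "odd_hour": [(u, t.isoformat(), g) for u, t, g in odd_hour_logons(events)],
        "impossible_travel": impossible_travel(events),
    }


if __name__ == "__main__":
    for kind, hits in detect().items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Both checks are deliberately simple: a production rule would derive each user's normal hours from history and use distance and time between geolocations rather than a fixed window.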
- Alternatively, you could scale up to use a full-blown machine-readable threat intelligence (MRTI) approach to have your network devices dynamically adapt to the changing threat landscape.
- Enable activation of DLP capabilities. Most security policy enforcement points have embedded DLP capabilities to detect when sensitive data is being handled by each layer. Alternatively, these security platforms may integrate with enterprise content-aware DLP offerings for their patterns. Review and implement the DLP capabilities of the platform to ensure it is configured for detection. Use a workflow to approve or block the release of sensitive data types, such as credit card numbers, intellectual property and personally identifiable information, as needed.
- Provide integration into security information and event management (SIEM). All of the security platforms in this document create logs of activity and events. Consolidating this vital data into broader SIEM platforms increases the ability to correlate and report events in an integrated fashion, enabling more effective incident response prioritization.

Upgrade Your Perimeter and Network-Based Security

IPsec and SSL VPN Remote Access Connections
- Review your VPN devices, and ensure all users are required to use a risk-appropriate authentication method prior to authorization.
- Review your VPN device policy, and ensure that users are permitted access only to the parts of the internal environment that they specifically need, and not to the entire organization.
- Implement internal network inspection devices, such as intrusion prevention system (IPS) and NBA technologies, between your VPN termination device and your internal network environment, so that attacks or behaviors can be discovered or prevented within your remote access network infrastructure.
- Consider technologies that allow for the termination and security inspection of Secure Sockets Layer (SSL) traffic, so that attacks cannot be perpetrated in the encrypted tunnel back to your internal applications or systems, obfuscated from your security inspection technologies.
- Validate that monitoring controls are in place and that appropriate levels of logging are performed off-device in centralized log servers. Deploy security information management systems so that attacks can be detected or analyzed through additional behavior-based analysis or correlation of incoming events.
- Send VPN events to SIEM and user behavior analysis tools. Regularly review the VPN events identified, ensure these are correlated in your SIEM technology and look for anomalous patterns of activity. Leverage vendor-supplied anomaly detection and alerting capabilities when technically feasible.
- Where possible, reduce the use of direct network-level VPN access and shift to Web-enabled access or application-level VPNs.
- For mobile devices, consider implementing enterprise mobility management (EMM) technology to ensure basic consistency of the security controls that are extended out to mobile devices, and to ensure compliance with these policies before VPN access is granted.
User authentication technology providers: Authentify; Duo Security; Gemalto; HID Global; RSA, The Security Division of EMC; SafeNet; SecureAuth; SecurEnvoy; SMS Passcode; Symantec; TeleSign; and Vasco

Stand-alone SSL VPN providers: Barracuda Networks, Cisco Systems, Citrix and Juniper Networks

Mobile device management providers: AirWatch, Citrix, Good Technology, IBM, MobileIron, SAP and Soti

Next-Generation Firewalls and Unified Threat Management
- Consider the use of application awareness (a form of context awareness) provided in next-generation firewall (NGFW) and unified threat management (UTM) functionality, which leverages deep packet inspection techniques to permit valid (authorized) applications and deny everything else. To enable the application control functionality, you may need to perform a firewall refresh if you use legacy firewalls that provide only filtering based on IP protocols, source and destination IP address, and port numbers.
- Review and, if necessary, adjust your network firewall rules to ensure only business-critical services are permitted to both enter and leave the network; this includes the consideration of geographical filtering at the country level (Geo-IP filtering).
- Review and, if necessary, adjust your ingress network firewall rules to ensure only critical inbound services are permitted to enter the network; this also includes geographical blocking or filtering at the country level based on business need.
- Review and (if available) regularly implement new capabilities provided by the latest firewall technologies to incorporate dynamic threat feeds, provided via hosted or cloud-based services, that deliver malicious threat lists for instant blocking at the firewall (don't allow your firewall technology to stagnate).
- Ensure proper zoning and segmentation are performed in your internal network environment (not just the demilitarized zone [DMZ]) and that adequate firewall logging and inspection is performed between high- and low-security segments. The separation of operational and management network zones is essential in maintaining operational security.
- Prefer firewall intrusion prevention solutions that can block suspicious Domain Name System (DNS) queries to disrupt malicious domains (for example, domain generation algorithm-based malware command and control).
- Review and implement the latest firewall capabilities to perform advanced examination of executables and other content using emulation and/or virtualization (sandbox) technologies, either hosted in a cloud or on a separate appliance, to identify targeted polymorphic malware through behavioral analysis.

NGFW vendors: Check Point Software Technologies, Cisco Systems, Dell, Fortinet, Juniper Networks and Palo Alto Networks

Intrusion Prevention Technologies
- Review and, if necessary, adjust intrusion prevention security enforcement policies to block rather than just detect known attacks and attack signatures, and selectively enable more signatures when possible. Use blocking to reduce noise so the team can focus on real APTs rather than the common known attacks that IPS products can defend against. Decide on an acceptable trade-off between potential false positives and better APT prevention or detection.
- Review your IPS, and ensure that the technology you are using has the latest botnet prevention technology to prevent botnet command and control network activity.
- Likewise, see if communications to other types of low-reputation IP addresses can be blocked, or allowed and logged for further investigation.
- Review your IPS's features, and ensure that it provides host and traffic anomaly detection (for example, by processing NetFlow data) and that it has capabilities to prevent or, at minimum, detect and alert on anomalous (statistically deviant) traffic and DNS queries exiting through your perimeter networks.
- Review your current intrusion prevention implementation and, if available, implement blocking capabilities that include reputation-based or real-time block list threat feeds provided by your technology vendor.
- Review and, if necessary, adjust protocol anomaly detection and prevention capabilities to ensure nonstandard communications are blocked while expected and authorized protocol communications are allowed through known standard ports such as HTTP (TCP port 80); for example, an FTP session must not be permitted through the standard HTTP port.
- Review and ensure all critical and Internet-traversal network segments are inspected with IPSs that are configured to block known high- and medium-high-fidelity signatures with low false positives, as directed by your technology provider.
- Make sure that network visibility extends into virtualized environments, either by tapping internal virtual switch traffic out for external inspection or by virtualizing IPS capabilities and running them directly within the virtualized environment.
- Terminate inbound encrypted sessions so that session content may be inspected (to the extent that you are permitted by internal policy or external regulations). Consider implementing outbound SSL decryption to thwart malware that utilizes encrypted sessions for command and control traffic (consider privacy and legal ramifications when proceeding).
- Consider deploying distributed denial of service (DDoS) solutions, either as an appliance form factor or as a cloud service. For higher-profile (often targeted) enterprises, use a hybrid of both on-premises DDoS prevention appliances and external DDoS services.

Stand-alone IPS appliance providers: Check Point Software Technologies, Cisco Systems, HP, IBM, Intel Security and Radware

DDoS mitigation appliance providers: A10 Networks, Arbor Networks, Corero Network Security, F5, Fortinet, Huawei, NSFOCUS and Radware

DDoS mitigation service providers: Akamai, Arbor Networks, Black Lotus, CloudFlare, DOSarrest, Incapsula, Link11, Neustar and Nexusguard

Web Application Security
- Combine both static and dynamic code analysis to reduce vulnerabilities in Web applications. Acknowledge that internal procedures and static code analysis are no longer enough to protect against common Web vulnerabilities, and that Web application firewalls are an essential ingredient in the defense against advanced targeted Web attacks.
- Prefer solutions that have comprehensive coverage and specific threat detection templates for protecting the common Web front ends and content management systems used for your enterprise Web applications.
- Prefer Web application firewalls that have the capability to share intelligence via reputation feeds, offer fraud detection services, and offer the capability to perform browser and endpoint security and spyware infection assessment.
- Prefer Web application firewalls that support virtual patching integration with static application security testing/dynamic application security testing (SAST/DAST) software.
- Consider augmenting your internally developed applications with runtime application self-protection (RASP) technology.
- Review your Web application firewall configuration, and implement vendor-recommended prevention settings rather than using only its detection capabilities, to reduce the application attack surface.

Application security testing providers: HP, IBM, NT OBJECTives, Qualys, Trustwave, Veracode and WhiteHat Security

Web application firewall providers: Barracuda Networks, Bee Ware, Citrix, DenyAll, F5, Imperva, Riverbed and Trustwave

Web application firewall service providers: Akamai, Applicure Technologies, CloudFlare, Incapsula, Qualys and Radware

RASP providers: Bluebox Security, Checkmarx, HP, Key Resources Inc. (KRI), Prevoty, Quotium, Shape Security and Waratek
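The protocol anomaly control in the Intrusion Prevention Technologies list above (allow HTTP on TCP port 80, but not an FTP session carried over it) comes down to checking that what flows over a port is the protocol expected there. This added example, not Gartner's or any IPS vendor's code, fingerprints the first bytes of a flow and compares the result with a per-port expectation; the port policy, the sample flows and the deliberately small set of protocol fingerprints are constructed assumptions, and a real IPS works on reassembled streams rather than a single segment.

```python
"""Protocol-conformance check for a port: is the traffic seen on TCP/80
actually HTTP?  Added illustration with constructed flows; the policy and
fingerprints are assumptions, not an IPS vendor's rule set."""
import re

# Policy: protocol expected on each inspected port (assumption for the example).
EXPECTED_PROTOCOL = {80: "http", 21: "ftp"}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS",
                b"CONNECT", b"TRACE", b"PATCH"}
HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]+) \S+ HTTP/1\.[01]\r\n")
HTTP_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
FTP_COMMAND = re.compile(rb"^(USER|PASS|RETR|STOR|LIST|PASV|PORT|CWD|QUIT)( |\r\n)")
FTP_REPLY = re.compile(rb"^\d{3}[ -][\x20-\x7e]*\r\n")


def identify_protocol(payload):
    """Fingerprint the first segment of a flow as http, ftp or unknown."""
    m = HTTP_REQUEST_LINE.match(payload)
    if m and m.group(1) in HTTP_METHODS:
        return "http"
    if HTTP_STATUS_LINE.match(payload):
        return "http"
    if FTP_COMMAND.match(payload) or FTP_REPLY.match(payload):
        return "ftp"
    return "unknown"


def evaluate_flow(dst_port, payload, policy=EXPECTED_PROTOCOL):
    """Return (observed_protocol, verdict).  Ports absent from the policy are
    not governed by this check and pass as 'allow'; governed ports block
    anything that is not the expected protocol, including unknown traffic."""
    expected = policy.get(dst_port)
    observed = identify_protocol(payload)
    if expected is None:
        return observed, "allow"
    return observed, ("allow" if observed == expected else "block")


# Constructed flows: (destination port, first bytes seen on the connection).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (80, b"220 ftp.example.test FTP server ready\r\n"),      # FTP banner on port 80
    (80, b"USER anonymous\r\n"),                              # FTP command on port 80
    (80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),    # TLS record on port 80
    (21, b"USER anonymous\r\n"),
    (21, b"GET / HTTP/1.1\r\n"),                              # HTTP on the FTP port
    (8080, b"anything goes here"),                            # port not in policy
]


def evaluate_all(flows=SAMPLE_FLOWS):
    """Evaluate every sample flow; returns (port, observed, verdict) tuples."""
    return [(port, *evaluate_flow(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, observed, verdict in evaluate_all():
        print(f"tcp/{port:<5} {observed:<8} {verdict}")
```

Note that the unknown TLS record on port 80 is blocked too: the control as described allows only the expected protocol through a standard port, so the decision is "is this HTTP?", not "is this recognizably FTP?".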
Network and Cloud-Based Sandboxes
- Evaluate and deploy a network-based advanced threat detection/prevention (network sandboxing) technology to reduce the potential impact of zero-day malware and other targeted attacks.
- Review your existing advanced threat detection/prevention technology, and ensure that you take appropriate steps to employ any prevention capabilities provided, as directed by your technology vendor, while considering any negative impacts on your environment's specific needs.
- Review your advanced threat protection appliance deployment, and ensure that all (especially Web and email) network connections to the Internet are inspected (include SSL decryption if possible).
- If available, leverage sandboxing of unknown files by scanning files on network shares or storage locations to identify malicious files dormant in your environment.
- Properly employ your incident response processes around this new technology, and execute the process either when appropriate indications exist for a potential malware infection or when command and control callbacks are detected.
- Recognize that mobile devices, such as laptops, Ultrabooks, tablets and smartphones, must be addressed with endpoint security controls, mobile device security technologies, and secure Web and email gateway services, because the interception of their off-premises network traffic may not be practical.
Stand-alone network sandbox appliance providers: AhnLab, Blue Coat, Check Point Software Technologies, Cisco Systems, Cyphort, Damballa, FireEye, Fortinet, General Dynamics Fidelis Cybersecurity Solutions, Intel Security, Lastline, Palo Alto Networks and Trend Micro

Integrated firewall and cloud-based sandbox service providers: Barracuda Networks, Check Point Software Technologies, Cisco Systems, Fortinet, Juniper Networks and WatchGuard

Focus Your Infrastructure Protection Strategy Toward Malicious Content

Email Content Security
- To increase detection and prevention rates, use diversity in the source of the antivirus engines that scan email content; for example, use one antivirus engine at the email gateway and an alternative antivirus engine for your endpoint systems. Ideally, the email gateway would support the use of multiple engines.
- Review and ensure your mobile device security includes threat inspection of all email going to and from mobile devices (consider privacy and legal ramifications when proceeding).
- Review your email security gateway or software, and ensure you have set it to the highest threshold for malware and phishing detection and prevention. Phishing continues to be a consistent method used to target roles with sensitive data access within organizations globally. [4]
- Strip or quarantine all executable content from email attachments, and ensure that all email content types and attachments are being evaluated for malware.
- Review and consider secure email gateways (SEGs) that implement specific protection technology for both URL links and attachments with active content that cannot be blocked by policy (that is, PDF and .doc file types).
- For attachment-type attacks, consider content sandboxing (virtual environment emulation and code execution), also called sandbox technology. This technology allows attachments to be tested within a virtualized or emulated environment prior to delivery and subsequent execution on the recipient's endpoint system.
- For attachment-type attacks, also consider solutions (which may be less optimal but still effective) that strip or neuter active content in commonly used document types.
- For URL link attacks, consider solutions that rewrite suspect URLs, such that they are proxied at the time of click. Do not assume URL protection is redundant because of secure Web gateway technology; emails can be read and acted upon when devices are outside the perimeter or on other machines using Outlook Web Access.
- Use SEG DLP technology tactically in the absence of enterprise DLP to detect sensitive or secret data traversing the email gateway.

SEG and service vendors: AppRiver, Barracuda Networks, Cisco Systems, Intel Security, Proofpoint, Sophos, Spamina, Symantec, Trend Micro, Trustwave and Websense

Web Content Security
- Deploy a secure Web gateway (SWG) or equivalent technology in order to inspect, filter and monitor inbound content and outbound Internet Web communications.
- Keep your SWG software up to date with the latest version as soon as possible to maintain security, because threats and technology capabilities in these platforms change over time.
- Review your URL filtering configuration, and ensure that known proxy sites, hacking sites, phishing URLs and other malicious site categories within your Web filtering product or service are blocked.
- Implement real-time block lists to block hosts that have already been determined to pose an existing threat, and implement reputation feeds to block hosts that are suspect.
Review incumbent SWG vendors' capability to ensure that the most advanced malware detection capability has been licensed. Be aware that it may be necessary to add more security capability if the incumbent solution is designed primarily for productivity filtering or network optimization.
Review and utilize the advanced security capabilities provided by the SWG beyond simple real-time block lists. Many solutions do not turn on advanced techniques by default because of their performance impact. Ensure that SWG solutions are sized to manage traffic adequately with all advanced detection methods turned on.
Review and implement, where possible, content sandboxing (virtual environment/emulation and code execution); virtual sandbox technology permits code to be executed within a virtualized, simulated environment so that it can be evaluated for common malicious behavior prior to delivery and subsequent execution on the end system.
Use your SWG solution to inspect mobile device traffic, such as traffic from laptops, small office/home office (SOHO) devices, smartphones and tablets; this may require a cloud-based solution or the use of VPN technology to backhaul traffic over a tunneled VPN.
Prefer SWG solutions that are capable of detecting all malicious outbound protocols (that is, not just HTTP) for indicators of infection, and that provide suitable alerts, as well as data, to trace and remediate infected hosts.
Ensure that the SIRT or endpoint administrators have access to outbound reporting that shows potentially infected machines or abnormal traffic patterns.
Use SWG DLP technology tactically in the absence of enterprise DLP to detect sensitive or secret data traversing the Web gateway.

SWG and service vendors: Blue Coat, Cisco Systems, Intel Security, Symantec, Trend Micro, Websense and Zscaler

Uplift Your Endpoint Security Controls and Detection Stance

Remove administrative privileges on desktops to reduce the ability of malware infections to cause low-level system damage. Where privileged access is needed, use a privileged account activity management (PAAM) technology or an application control solution to properly manage the on-demand escalation of privileges and/or the use of privileged applications.
Implement a vulnerability assessment and remediation process with service-level agreements for the remediation of all endpoints. Review the effectiveness of remediation efforts across IT support teams on a quarterly basis with the responsible parties and/or their management team.
Extend your patch management processes to all common desktop elements, especially Internet-facing applications (for example, Adobe, Java and alternative browsers), while prioritizing the vulnerabilities that are commonly used to deliver malware.
Review your existing endpoint antivirus products to ensure they are the latest version, and uplift, if necessary, to include complete anti-malware protection, potentially unwanted program detection, and other malware detection and prevention capabilities.
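Returning to the SWG guidance above on outbound reporting for the SIRT (real-time block lists for known-bad hosts, reputation feeds for suspect hosts, non-HTTP outbound protocols and abnormal traffic patterns as indicators of infection), the following is an added example, not from the Gartner text or any SWG product, of turning gateway logs into a per-client triage report. The log format, feed entries, host names and addresses are constructed; the beaconing heuristic (near-constant polling interval) is one common way to surface an abnormal pattern, not the only one.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed feeds: a real-time block list (known-bad) and a reputation feed (suspect).
BLOCK_LIST = {"c2.bad-example.test"}
SUSPECT_FEED = {"updates.shady-example.test"}
WEB_PROTOS = {"http", "https"}

# Constructed SWG log lines: time client destination port protocol action
LOG_LINES = """
2015-05-04T09:00:00 10.0.0.5 www.example.com 443 https allow
2015-05-04T09:00:02 10.0.0.5 cdn.example.net 443 https allow
2015-05-04T09:00:00 10.0.0.9 updates.shady-example.test 80 http allow
2015-05-04T09:05:00 10.0.0.9 updates.shady-example.test 80 http allow
2015-05-04T09:10:01 10.0.0.9 updates.shady-example.test 80 http allow
2015-05-04T09:15:00 10.0.0.9 updates.shady-example.test 80 http allow
2015-05-04T09:20:00 10.0.0.9 updates.shady-example.test 80 http allow
2015-05-04T09:01:00 10.0.0.7 c2.bad-example.test 443 https block
2015-05-04T09:02:00 10.0.0.7 198.51.100.20 443 tcp-unknown allow
""".strip().splitlines()

def parse(line: str):
    ts, src, dst, port, proto, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto, action

def beacon_period(times: list, min_hits: int = 4, max_jitter: float = 0.1):
    """Mean gap in seconds if one client polls one host at near-constant cadence, else None."""
    if len(times) < min_hits:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
        return mean
    return None

def triage(lines: list) -> dict:
    """Build the per-client outbound report: {client: sorted findings}."""
    findings = defaultdict(set)
    seen = defaultdict(list)                      # (client, dst) -> timestamps
    for line in lines:
        ts, src, dst, port, proto, action = parse(line)
        seen[(src, dst)].append(ts)
        if dst in BLOCK_LIST:                     # already known to be hostile
            findings[src].add(f"block-list hit: {dst} ({action})")
        if dst in SUSPECT_FEED:                   # suspect reputation, needs a look
            findings[src].add(f"suspect reputation: {dst}")
        if port in (80, 443) and proto not in WEB_PROTOS:
            findings[src].add(f"non-HTTP protocol on web port {port} to {dst}")
    for (src, dst), times in seen.items():
        period = beacon_period(sorted(times))
        if period is not None:
            findings[src].add(f"beaconing to {dst} (~{round(period)}s period)")
    return {src: sorted(f) for src, f in findings.items()}
```

A blocked request still appears in the report on purpose: the block stopped one connection, but the client that made it is the infected host the SIRT needs to trace.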
Add host and server intrusion prevention capabilities to your endpoint systems that handle sensitive data types, and enable blocking for the high-fidelity critical, high and medium attack signatures with low false-positive rates, as suggested by your security technology provider.
Endpoints that routinely handle sensitive data, and fixed-function devices for roles and users who have high-security access credentials, should use application control technology to limit application execution to known good applications.
For lean-forward organizations, consider deploying application containment to isolate risky applications, such as browsers and PDF viewers, from the core endpoint system resources where these applications are the primary avenue of attack.
For lean-forward organizations, consider deploying endpoint threat detection and response tools to detect indicators of compromise, and to accelerate and improve malware remediation and SIRT investigation.
Consider systematically resetting desktop and server workloads to high-assurance states as a way to proactively remove ATA footholds.
For lean-forward organizations, implement network and system behavior analysis capabilities on your endpoint systems to detect potentially irregular or suspicious user and system behaviors.
For lean-forward (type A early adopter) organizations focused on prevention, consider deploying endpoint exploit prevention and application containment technologies.

Application control/whitelisting vendors: Bit9 + Carbon Black, Intel Security, Kaspersky Lab, Lumension and Viewfinity
Application-layer containment vendors: Blue Ridge Networks, Bromium, BufferZone, Invincea and MirageWorks
Endpoint exploit prevention vendors: Malwarebytes, Microsoft, Palo Alto Networks and Trusteer (part of IBM)
Network forensics vendors: Blue Coat; Emulex; Fluke Networks; IBM; NetAgent; Netresec; Niksun; RSA, The Security Division of EMC; Riverbed; and WildPackets
NBA vendors: Arbor Networks, Intel Security, Lancope, Radware and Tenable Network Security

Improve Your Automated Monitoring, Correlation and Analysis

Implement user behavior analysis products that extend your current SIEM and monitoring capabilities to user behavioral profiling, in order to help detect abnormal user behavior.
Ensure you have implemented off-device, centralized logging facilities for all your security controls to prevent potential tampering with the logs during a data breach.
Form a security operations center, or designate specific individuals to operate as one, to properly monitor and respond to threats and incidents, and to perform initial triage of security events.
Implement a SIEM solution to enable centralized log analysis, complex correlation and automated anomaly alerting.
Review anomaly reports and alerts generated by your SIEM system to identify irregular behaviors in the environment.
Invoke the incident response process when suspicious anomalies or alerts are received by the security operations center.
SIEM vendors: AlienVault; HP; IBM; Intel Security; LogRhythm; RSA, The Security Division of EMC; and Splunk
User behavior analysis vendors: 21CT, BAE Systems Applied Intelligence, Bay Dynamics, Caspida, Click Security, Exabeam, FICO, Fortscale, Gurucul, IBM, idetect, Intellinx, Lockheed Martin, Mobile System 7, Novetta, ObserveIT, Oracle, Raytheon, SAS, Securonix, SpectorSoft and Splunk

Improve Your Incident Response Capabilities, and Consider Automation and Mitigation Responses on the Endpoint

Outline an incident response procedure that defines the roles of the appropriate business and IT contacts throughout the organization, including the other departments (human resources, public relations, legal and executive management) needed to respond to security incidents.
Retain either internal or external resources for executing an incident response plan; specifically target resources with digital forensics and malware analysis knowledge.
Consider implementing a secure case management or incident response ticketing system, separate from IT support systems, so that security incidents remain confidential within the incident response process and workflows, and so that secure collaboration can take place between involved parties during execution of the incident response procedure.
Consider deploying Endpoint Detection and Response (EDR) technologies. These technologies specifically augment endpoints with additional telemetry gathering and threat detection capabilities that go beyond traditional endpoint protection platforms.
Leverage endpoint forensics tools and EDR technologies or services, favoring capabilities that specialize in incident response, including investigation assessment templates for identifying and analyzing common infection indicators (such as service startup locations, driver hooks, kernel driver analysis, running process exploration, memory snapshots and other malware analysis techniques).
When possible, consider automating your incident response investigation triage efforts through integration between forensic analysis tools and other security monitoring software, to respond more rapidly to suspicious security events when they occur.
Consider adding automatic response capabilities for threat detection events when using EDR solutions, such as kill process, delete file or clear memory, to avert APT data losses and disrupt an active kill chain.
Consider the workflow capabilities of EDR solutions to integrate response and change control with incident responder triage processes.
Consider threat intelligence (aka "indicator") sharing through APIs between EDR solutions and network sandbox provider solutions to improve detection-based mitigation responses at the endpoint.
Incident response forensic analysis vendors: AccessData, FireEye, Google and Guidance Software
Endpoint detection and response providers: Bit9 + Carbon Black, CounterTack, CrowdStrike, Cybereason, Digital Guardian, FireEye, Guidance Software, Hexis Cyber Solutions, LightCyber, Tanium and Triumfant

Lean-Forward Security Programs (Early Adopters) Should Consider Threat Deception Technologies

Consider utilizing deceptions across endpoint, application and network infrastructure to enhance your advanced-threat and insider-threat detection goals.
Consider solutions that divert detected threats or suspicious actors to deception environments (formerly called "honeypots" and "quarantine networks") that can leverage deception techniques across the endpoint, network and application layers in a deceptive isolation environment (that is, a deception quarantine network).
Choose network infrastructure that is capable of sharing contextual information, such as threat intelligence, asset and application configuration information, and security application threat detection status. Prefer infrastructure that is capable of responding to this shared information with deception techniques to thwart threat actors, automated network attacks and malicious software.
Consider technologies that specifically use deceptions to detect, disrupt, delay, isolate and degrade malware and threat actor activities.
Consider deception capabilities that can be used to increase telemetry, decrease false positives and improve the efficacy of forensic examination and monitoring, reducing malware and threat actor false positives.

Network protocol deception vendors: Juniper Networks
On-endpoint deception vendors: Attivo Networks, Cymmetria, illusive networks, Javelin Networks and TopSpin
Distributed decoy vendors: Attivo Networks, Cymmetria, GuardiCore, Javelin Networks, Shadow Networks and TrapX Security

Evidence

[1] "FireEye Advanced Threat Report 2013," FireEye
[2] "1-15 April 2015 Cyber Attacks Timeline," Hackmageddon.com
[3] Worldwide Cert Organizations
[4] "Spear-Phishing Email: Most Favored APT Attack Bait," Trend Micro

Note 1. External Information and Security-Related Nonprofit Organizations

The following are external information and security-related nonprofit organizations:
International Information System Security Certification Consortium ((ISC)²)
Information Systems Security Association (ISSA)
ISACA (previously known as the Information Systems Audit and Control Association)

Source: Gartner Research, G00276844, Lawrence Pingree, Neil MacDonald, Peter Firstbrook, 04 May 2015
About Proofpoint, Inc.

Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions for comprehensive threat protection, incident response, secure communications, social media security, compliance, archiving and governance. Organizations around the world depend on Proofpoint's expertise, patented technologies and on-demand delivery system. Proofpoint protects against phishing, malware and spam, while safeguarding privacy, encrypting sensitive information, and archiving and governing messages and critical enterprise information. More information is available at www.proofpoint.com.

Protecting the Way People Work: for Detecting and Mitigating Advanced Persistent Threats is published by Proofpoint. Editorial content supplied by Proofpoint is independent of Gartner analysis. All Gartner research is used with Gartner's permission, and was originally published as part of Gartner's syndicated research service available to all entitled Gartner clients. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner's endorsement of Proofpoint's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.