Recently I reread an older Gartner article titled ‘How To Deploy the Most Effective Advanced Persistent Threat Solutions’. While it was written back in September, 2013, I still find it relevant to many of the challenges organizations face today. The article was written to help security leaders and teams select and deploy defenses against advanced threats, by leveraging a variety of technologies and methods. Gartner reviews the relevant products and techniques in the Five Styles of Advanced Threat Defense Framework. This framework attempts to categorize solutions by where and how they look for threats and a time frame for when the solution is most effective.
Figure 1: Gartner Five Styles of Advanced Threat Defense (September 24th, 2013)
This framework does a nice job illustrating that complex threats execute over time and that multiple detection styles are required for full coverage. Organizations also require technologies that look for attacks in real-time, but also technologies that look for threats that were previously missed or provide post-compromise forensic data. We as an industry have been too focused on prevention as the major form of security, but we need to also invest in solutions that can help after the breach has occurred. The Gartner framework does an excellent job of acknowledging this shift in thinking.
The challenge with this framework is that it seems to imply that customers must buy many different technologies for full coverage. Based on anecdotal evidence, large enterprise customers have 70+ security products from many vendors. This was a result of many companies leveraging a defense in depth architecture. While it would be silly to claim that a single solution could be a panacea for all advanced threats, we believe there is a better approach to providing complete coverage without massive investments in multiple vendors. One of the advantages of the ProtectWise Platform is that it leverages a hierarchy of expert systems to provide multiple types of threat detection in near-real-time as well as post-compromise. By leveraging a full packet, meta-data and netflow forensic haystack, with additional data through integrations, ProtectWise can uniquely provide multiple styles of detection in an integrated platform that is easily delivered as a cloud utility.
Style 1: Network Traffic Analysis
ProtectWise continuously analyzes network traffic (Full Packet, NetFlow and MetaData) against a broad range of threat detection technologies including:
- Threat Intelligence (IP, URL, Domain, File)
- Signatures (IDS Engine)
- DNS and Certificate Analysis
- Machine Learning
- Static File Analysis
- Anomalous Network Traffic Classifiers
Many technologies that provide Network Traffic Analysis generate a lot of alarms, upwards of 10,000+ alarms a day in many customer environments. This alarm fatigue causes organizations to often miss threats that were actually detected because they frequently get "lost in the noise" of daily alarm triage. ProtectWise's approach is to look at each of these alarms as observations or indicators, not security events. The ProtectWise Wisdom Engine correlate them into consolidated security events that are high confidence combinations of many different factors continuously analyzed in both real time and retrospectively.
Style 2: Network Forensics
This is a core value of the ProtectWise Platform. The ProtectWise software sensors capture full network packet data, metadata and netflow information from anywhere on the network -including the egress, core, DMZ or even within your cloud environments. This data is optimized, encrypted and streamed to the cloud where it can be stored for a year or longer. Many existing tools that provide Network Forensics have fixed or limited storage (due costs), so ProtectWise also provides incident response workflows to investigate and resolve incidents as fast as possible. ProtectWise also offers rapid search and visualizations of netflow and metadata for on-demand investigations and threat hunting.
Style 3: Payload Analysis
Payload analysis is performed in real-time leveraging threat signatures, machine learning and file extraction with static file analysis. ProtectWise stores and analyzes the full payload for a year or longer, and can continuously analyze traffic, while also providing a full forensic repository for post-breach investigation.
Style 4 & 5: Endpoint Behavior Analysis and Forensics
While ProtectWise does not directly run on the endpoint, we provide integration points si(API) so users can leverage these technologies as part of the ProtectWise platform during the forensic analysis or incident response process. Integrations provide endpoint visibility with on-demand log and event context, events feeding into the ProtectWise threat engine, and even remediation options leveraging the endpoint policy engines of our integration partners.
A new method of detection
One of the major challenges with this framework, is that there is a huge gap for post-compromise payload analysis. I understand why Gartner left this square blank - back in 2013 no products existed that could provide this style of detection. But in 2016, we believe this framework can be updated to provide a 6th style of detection called Retrospective Analysis.
Style 6: Retrospective Analysis
ProtectWise provides continuous retrospective analysis by replaying traffic automatically against new threat intelligence, or signatures looking for previously unknown threats. We often hear that many advanced attacks go undetected for 200+ days. While we want to detect things on day zero or one, this is not realistic. This full packet analysis enables ProtectWise to provide payload and file analysis against the memory of the network to find things that were previously missed and to drastically reduce the 200+ day dwell time, while also providing the data necessary to understand exactly what came in and what left the organization, which cannot be done by looking only at logs.
Figure 2: Six Styles of Advanced Threat Defense (Original by Gartner, Updated by ProtectWise)
We believe Protectwise is unique in the industry in that it can apply many different types of technologies and act as the incident response workbench for investigating and finding advanced threats in real-time. By leveraging ProtectWise as a platform to provide detection, visibility and incident response we believe customers can gain complete coverage without investing in a large number of disparate products that add to the noise and the time it takes to investigate and respond to an incident found in real-time or one that has gone undetected and now must be investigated. I would encourage Gartner to look at this framework and update it based on a new generation of technologies that can help detect and respond to advanced threats.
Next blog post