2016-09-07

A non-scientific taxonomy for Advanced Threat Protection technologies

As a Chief Information Security Officer (CISO), Chief Security Officer (CSO), Chief Security Architect (CSA), or a Security Manager responsible for selecting and implementing the appropriate security technologies for protecting your organization's most valuable information, you will probably be overwhelmed by vendors claiming they have cutting-edge unique technology; convincing you, if not frightening you, that you are missing out when not implementing their security product.

Advanced Persistent Threat (APT) is probably a subject where you’re currently dealing with this challenge. For this threat, new security products follow each other in a rapid fashion and no standard reference taxonomy exists. In fact, there is no industry agreement on the naming for this technology space. You will encounter names such as Breach Detection System (BDS), Advanced Threat Detection (ATD), Next-Gen Anti-virus (NG-AV), and User and Entity Behavior Analytics (UEBA). All of them address the APT subject, but how do they differ and which security product competes in which space?

In this article, I will use the umbrella term Advanced Threat Protection (ATP) to indicate these kinds of security technologies. Protection, for me, is an overarching concept that covers both detection and prevention; especially because it is only a matter of time until these security technologies evolve from detection to prevention, and some already have. I am going to help you address this challenge by:

Providing you with a vendor-neutral ATP technology capability description in which you can easily classify Advanced Threat Protection products; in order to help you distinguish complementary from supplementary ATP products.

Briefly exploring and classifying some of the most prominent ATP products in use currently.

The threats ATP security products attempt to mitigate are so-called APTs, which are basically targeted attacks against a specific organization. These targeted attacks exploit unknown vulnerabilities as opposed to known vulnerabilities and use techniques such as malware polymorphism to circumvent conventional security technology, which mainly focuses on known vulnerabilities and known malware. The following ATP capabilities are differentiated and discussed throughout this article:

Sandboxing capability: NSS Labs refers to these kinds of security technologies as Breach Detection System.

Web Sandboxing: Analyzing suspicious files – which enter the organization network via the web (http(s)) – in a secure isolated environment based on object execution and automated analysis of reverse-engineered static code.

Mail Sandboxing: Analyzing suspicious files – which enter the organization network via e-mail – in a secure isolated environment based on object execution and automated analysis of reverse-engineered static code.

Perimeter Independent Sandboxing: Applying sandboxing to files on systems, independent of their network perimeter entry point. Basically, this works in the following manner – files with an unknown integrity, or unknown reputation if you will, are considered suspicious and delivered to the sandbox for analysis. An example of such a product is Intel McAfee TIE in combination with McAfee ATD.

Network Security Monitoring capability: Security technologies in this space are often referred to as Advanced Threat Detection.

Technical context-aware monitoring of network activities, for example, “does this SSH or HTTPS network session behave in conformance with the protocol specification?”.

Next-Gen Anti-malware capability: Next-Gen Anti-malware, often referred to as Next-Gen Anti-virus, is the naming for anti-malware capabilities that identify malware based on artificial intelligence and machine learning rather than on definitions/signatures.

Host-based (endpoint) detection and (automated) response; some products also provide prevention functionality for identified malware. For example, “does this ‘calc.exe’ system process run with the right privileges?”, “is this object malicious based on machine learning analysis?”.

User and Entity Behavior Analytics (UEBA) capability: Gartner refers to these kinds of security technologies as User and Entity Behavior Analytics.

Functional context-aware analysis of user and entity behavior, for example, “is using application XYZ common behavior for this user?” or “is endpoint activity at a given time common behavior for this entity?”

The sandboxing related ATP capabilities focus on the analysis of objects. Network security monitoring focuses on the monitoring of network activities, by applying artificial intelligence and machine learning techniques. Next-Gen Anti-malware focuses on malicious system activity and malicious objects also by leveraging artificial intelligence and machine learning techniques. UEBA capabilities focus on user and entity behavior, by using profiling and anomaly detection based on machine learning.
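To make the UEBA questions above concrete (“is using application XYZ common behavior for this user?”, “is activity at a given time common behavior for this entity?”), here is an added example that is not taken from any product named in this article: it builds a per-user baseline of applications and active hours from a constructed, invented log format and flags events that deviate from that baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, "timestamp user application"; not real telemetry.
BASELINE_LOG = """2016-08-01T08:12:00 alice outlook.exe
2016-08-01T09:30:00 alice excel.exe
2016-08-02T17:10:00 alice excel.exe
2016-08-01T22:05:00 svc-backup backup.exe
"""
NEW_LOG = """2016-08-03T08:20:00 alice outlook.exe
2016-08-03T02:14:00 alice psexec.exe
2016-08-03T22:04:00 svc-backup backup.exe
2016-08-03T13:30:00 svc-backup powershell.exe
2016-08-03T10:00:00 mallory notepad.exe
"""

def parse(log):
    """Yield (datetime, user, app) from the constructed log format."""
    for line in log.splitlines():
        ts, user, app = line.split()
        yield datetime.fromisoformat(ts), user, app

def build_profiles(log):
    """Per-user baseline: applications seen and active hours (0-23)."""
    profiles = defaultdict(lambda: {"apps": set(), "hours": set()})
    for ts, user, app in parse(log):
        profiles[user]["apps"].add(app)
        profiles[user]["hours"].add(ts.hour)
    return dict(profiles)

def hour_is_usual(hour, baseline_hours, slack=1):
    """True if hour is within +/- slack of a baseline hour, wrapping at midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in baseline_hours)

def score_events(profiles, log):
    """Return (user, app, reasons) for every event deviating from its baseline."""
    findings = []
    for ts, user, app in parse(log):
        p = profiles.get(user)
        if p is None:  # never seen in the baseline window: cannot judge, so flag
            findings.append((user, app, ["no baseline for user"]))
            continue
        reasons = []
        if app not in p["apps"]:
            reasons.append("new application for user")
        if not hour_is_usual(ts.hour, p["hours"]):
            reasons.append("unusual hour")
        if reasons:
            findings.append((user, app, reasons))
    return findings
```

Real UEBA products replace the set-based baseline with statistical or machine-learned profiles and weight the findings, but the profile-then-score structure is the same.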

Comparing security products competing in the rather new Advanced Threat Protection (ATP) technology space, beyond understanding the essence of the technology itself, is complicated further because each vendor's product is biased by marketing language.

The purpose of the above vendor-neutral ATP capability description is to help you understand the fundamentals of the underlying types of technology of ATP security products, which should enable you to distinguish complementary from supplementary ATP security products. Some of the most prominent ATP security products have also been classified in their respective ATP capability and briefly explained, which should help you see through the marketing bias.

FireEye was an innovator when it came to sandboxing, but meanwhile sandboxing has evolved into a commodity technology and is offered by most best-of-suite security vendors. A network security monitoring capability can be delivered by DarkTrace on the network. Cylance, RSA ECAT, and Carbon Black probably sound familiar as Next-Gen Anti-malware capability for the endpoint. In case of a loosely segmented network, including unrestricted client-server access for trusted and un-trusted devices, a network security monitoring capability is necessary. In a strictly segmented network, where client-server access is restricted to trusted devices, and un-trusted devices are provided controlled access – via, for example, Virtual Desktop Infrastructure (VDI) or Server-based Computing (SBC) capabilities – a Next-Gen Anti-malware capability is probably preferable. Besides evaluating a Next-Gen Anti-malware capability in the context of Advanced Threat Protection, it can be considered, though with due care, as a replacement for a conventional anti-malware capability. But the latter really depends on the overall security architecture/posture. As a UEBA capability, Cynet, Splunk UEBA, and Microsoft Advanced Threat Analytics (ATA) might ring a bell. The underlying architecture of Cynet is a network-based scanning technology, which requires privileged access to profile user and entity behavior. Splunk UEBA relies heavily on Splunk Enterprise Security (SIEM) for providing automated analytics. Microsoft ATA uses port mirroring for deep packet inspection (DPI) on Active Directory traffic, and SIEM data for analytics.

The right ATP technology choices depend on your current and target IT architecture. It is also important not to be tempted to base your decision for a specific security product on a small unique ‘sales/marketing’ feature. This is especially true because often you may not have the specialized knowledge to leverage it to the fullest, or because it is impossible to implement since the (organizational or technical) pre-conditions are unrealistic to meet, for example, due to a scattered outsourced IT supply chain. The above-mentioned vendors/products are classified under the capability for which they are primarily known, not taking into account possible product development efforts that expand their capability horizon.

Copyright 2010 Respective Author at Infosec Island