The five styles of advanced threat defense

Attackers want to compromise networks and computers to steal sensitive information from the enterprise by using sophisticated malware. Research firm Gartner says IT can protect the enterprise against targeted attacks in five basic ways, and recommends combining at least two of them together for best effect.
Gartner’s report, “Five Styles of Advanced Threat Defense” defines technical “styles” that are ways to tackle the threat of stealthy attacks, sometimes called advanced persistent threats, beyond simply using traditional security, such as anti-virus or firewalls.
The report is based on an analysis of the security products in the market designed to help identify stealthy attacks or collect forensics on compromised systems. Gartner categorizes these into five technical approaches it refers to as specific “styles” in a framework of security.
According to Gartner, the first thing to consider is the timeframe of an attack aimed at stealing critical data. Some defenses operate in real time (or near real time) and can be put in place to stop an attack as it happens. Other tools should be considered “postcompromise” tools, used when an attack has unfortunately succeeded and there is a need for forensics. In its report, Gartner notes that some security vendors offer products that do some of both.
In general there is a need to analyze inbound and outbound network traffic to detect compromised endpoints, and doing so does not require agent software on the endpoint. There is also a need to look at the attacker’s payload. A sandbox approach, using a safely isolated simulation environment, can observe how payloads behave, with the goal of flagging them as dangerous. Gartner also notes the need to determine how endpoints have been affected by malware, but points out that this typically carries significant operational costs to deploy and manage on the endpoint.
In short, Gartner’s “Five Styles” of defense are:
Style 1 – Network Traffic Analysis uses techniques that establish baselines of normal traffic patterns and highlight anomalous patterns that indicate a compromised environment (for example, anomalous DNS traffic could indicate botnet activity). This approach offers real-time detection, can include both non-signature and signature-based techniques, and does not require endpoint agents. The challenge is that it might require “careful tuning and knowledgeable staff to avoid false positives,” Gartner points out. If the product is an out-of-band tool, it will have a limited ability to block attacks and may not monitor traffic from off-network mobile endpoints. A sampling of vendors with products in this category would be Arbor Networks, Damballa, Fidelis, Lancope and Sourcefire’s AMP, according to Gartner. (Sourcefire was recently acquired by Cisco.)
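To make the Style 1 idea concrete, here is an added example (not from the Gartner report or any vendor named in the article) of the baseline-then-flag logic applied to DNS. It builds a per-host baseline of queries per minute and NXDOMAIN ratio from a quiet period, then scores a later window and reports hosts whose query rate or failure ratio departs from their own baseline. The log format, host addresses, domain names, thresholds and the stdev floor are all constructed assumptions for the example.

```python
"""Toy DNS-traffic baseline and anomaly detector (constructed example, not a vendor product)."""
import statistics
from collections import Counter, defaultdict

# Constructed resolver log format, one query per line:
#   "<minute> <client_ip> <qname> <rcode>"


def make_baseline_log():
    """Ten minutes of routine lookups from two hosts (constructed data)."""
    lines = []
    for minute in range(10):
        for name in ("mail.example.com", "www.example.com", "cdn.example.net"):
            lines.append(f"{minute} 10.0.0.5 {name} NOERROR")
        if minute % 2:  # a little natural variation for 10.0.0.5
            lines.append(f"{minute} 10.0.0.5 updates.example.com NOERROR")
        for name in ("www.example.com", "api.example.org"):
            lines.append(f"{minute} 10.0.0.9 {name} NOERROR")
    return "\n".join(lines)


def make_current_log():
    """Five later minutes; 10.0.0.9 bursts 40 failing lookups at minute 12 (constructed)."""
    lines = []
    for minute in range(10, 15):
        for name in ("mail.example.com", "www.example.com", "cdn.example.net"):
            lines.append(f"{minute} 10.0.0.5 {name} NOERROR")
        for name in ("www.example.com", "api.example.org"):
            lines.append(f"{minute} 10.0.0.9 {name} NOERROR")
    for i in range(40):
        lines.append(f"12 10.0.0.9 host{i:02d}.unregistered.test NXDOMAIN")
    lines.append("13 10.0.0.77 www.example.com NOERROR")  # host never seen during baselining
    return "\n".join(lines)


def parse(log):
    """Turn the log text into (minute, host, qname, rcode) tuples."""
    records = []
    for line in log.splitlines():
        minute, host, qname, rcode = line.split()
        records.append((int(minute), host, qname, rcode))
    return records


def per_host_minute_counts(records):
    counts = defaultdict(Counter)
    for minute, host, _, _ in records:
        counts[host][minute] += 1
    return counts


def build_baseline(records, stdev_floor=1.0):
    """Per-host mean and stdev of queries per minute, plus NXDOMAIN ratio.

    stdev_floor (an assumption of this example) stops a perfectly regular host
    from producing a zero stdev and therefore an infinite z-score later."""
    counts = per_host_minute_counts(records)
    nx = Counter(host for _, host, _, rcode in records if rcode == "NXDOMAIN")
    total = Counter(host for _, host, _, _ in records)
    baseline = {}
    for host, by_minute in counts.items():
        series = list(by_minute.values())
        stdev = statistics.stdev(series) if len(series) > 1 else 0.0
        baseline[host] = {
            "mean": statistics.mean(series),
            "stdev": max(stdev, stdev_floor),
            "nx_ratio": nx[host] / total[host],
        }
    return baseline


def detect(records, baseline, z_threshold=3.0, nx_threshold=0.5):
    """Return {host: [reasons]} for hosts that depart from their own baseline."""
    alerts = defaultdict(list)
    counts = per_host_minute_counts(records)
    nx = Counter(host for _, host, _, rcode in records if rcode == "NXDOMAIN")
    total = Counter(host for _, host, _, _ in records)
    for host, by_minute in counts.items():
        if host not in baseline:
            alerts[host].append("no baseline for host (new device or unmonitored segment)")
            continue
        b = baseline[host]
        for minute, n in sorted(by_minute.items()):
            z = (n - b["mean"]) / b["stdev"]
            if z > z_threshold:
                alerts[host].append(f"minute {minute}: {n} queries, z={z:.1f}")
        ratio = nx[host] / total[host]
        if ratio >= nx_threshold and ratio > b["nx_ratio"]:
            alerts[host].append(f"NXDOMAIN ratio {ratio:.2f} vs baseline {b['nx_ratio']:.2f}")
    return dict(alerts)


def run():
    baseline = build_baseline(parse(make_baseline_log()))
    return detect(parse(make_current_log()), baseline)


if __name__ == "__main__":
    for host, reasons in run().items():
        print(host, reasons)
```

The two thresholds are where Gartner’s “careful tuning” comes in: raising `z_threshold` or `nx_threshold` trades missed bursts for fewer false positives, and the unknown-host rule will fire on every legitimate new device until the baseline is refreshed, which is exactly the kind of noise a tuning pass has to absorb.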
Style 2 – Network Forensics tools typically provide “full-packet capture and storage of network traffic” as well as analytics and reporting tools for incident response to advanced threats. Their advantages include reducing incident response time and the ability to reconstruct and replay flows and events over days or weeks, and some offer detailed reports to meet regulatory requirements. The downside? These tools can be complex, and costs “rise with the amount of data and the retention time.” Because they analyze such large amounts of data, report generation sometimes has to be done off-hours. Among the vendors in Style 2 are said to be Blue Coat (Solera Networks) and RSA (NetWitness).
Style 3 – Payload Analysis can use a sandbox technique (either on premises or in the cloud) to detect targeted attacks on a near-real-time basis, but these products typically don’t “enable a postcompromise ability to track endpoint behavior over a period of days, weeks and months,” Gartner notes. (To do that, look to Gartner’s Style 5, Endpoint Forensics.) Gartner adds that its clients currently often voice the opinion that Payload Analysis products vary in their ability to accurately detect malware. The advantage they have, though, is that they can detect malware that successfully bypasses signature-based products, and some have optional blocking capability. The challenge in using Payload Analysis is that behavioral analysis can take several seconds or minutes to complete, allowing the malware to pass into the network and potentially compromise endpoints, especially when the malware uses evasion techniques such as sleep timers that delay its execution until after the sandbox has finished observing it. Some vendors are trying to thwart this, Gartner adds. Another drawback of this approach is that Style 3 doesn’t “provide validation that the malware executed on endpoints.”
And just because the malware behaved a certain way in a simulated environment, doesn’t mean it will act the same way when it hits real targets. Some Payload Analysis products only support a limited range of payloads, such as executables only, according to Gartner. Most support Microsoft Windows, a few cloud approaches support Android, but Gartner sees none supporting Apple Mac OS X.
Examples of Style 3 would be AhnLab, Check Point with its Threat Emulation Software Blade, FireEye, Lastline, McAfee with its ValidEdge acquisition, Palo Alto Networks with WildFire, ThreatGrid and Trend Micro with Deep Discovery, says Gartner.
Style 4 – Endpoint Behavior Analysis is based on the idea of “application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response.” This Style 4 approach requires an agent on every endpoint, Gartner says. It can “intercept kernel system calls and block malicious activity such as thread injection attacks,” and “by isolating Web browsing sessions, protect users from malicious websites, including drive-by download sites and ‘watering holes.’”
The strengths of this approach are blocking zero-day attacks, providing some basic forensics, and protecting systems whether they are on or off the network, but the challenge is that deploying and managing the agent software is operationally intensive and particularly hard in bring-your-own-device (BYOD) environments. Examples of vendors here include Blue Ridge Networks, Bromium, Invincea, Sandboxie and Trustware. Vendors that support memory monitoring include Cyvera, ManTech/HBGary (Digital DNA) and RSA’s ECAT.
Style 5 – The last style in the Gartner catalog is Endpoint Forensics, which involves tools for incident response teams. These endpoint agents collect data from the hosts they monitor. They can help automate incident response and monitor hosts both on and off corporate networks. The challenge in using them, though, is that they can be operationally intensive to deploy and manage, and support for non-Windows endpoints is quite limited. Examples of Style 5 vendors with tools include Bit9, Carbon Black, Guidance Software with its EnCase Analytics, Mandiant and ManTech/HBGary’s Responder Pro.

In segmenting its “Five Styles” of defense against advanced threats, Gartner advises enterprises to pair at least two “styles” together, such as combining Style 3 (Payload Analysis) with Style 5 (Endpoint Forensics).

“Some Payload Analysis vendors have integrated their solutions with Endpoint Forensics vendors, which helps reduce incident response time. Network Traffic Analysis (Style 1) and Endpoint Forensics (Style 5) will provide similar benefits, but there have been fewer partnerships between vendors in these styles.” Gartner analyst Lawrence Orans says vendor partnerships are a factor in this decision-making process. Also, some Styles are still quite Windows-centric, whereas Network Analysis is not. “I do see people combining two or more styles together, and there needs to be more of it,” he adds.

The Gartner report contains a number of other suggestions on logical combinations of “Styles” as well. Gartner also notes that some vendors, especially the larger ones, are already delivering products that integrate two or more styles. However, the possible downside of enterprises choosing the single vendor approach, Gartner adds, is that “they sacrifice best-of-breed functionality from pure-play vendors that focus on only one style.”

Gartner’s observations about its Five Styles framework for combating advanced persistent threats aimed at stealing enterprise data don’t mean abandoning more traditional security such as anti-virus, Orans says. The Five Styles framework is specifically for those enterprise security managers willing to “lean forward” into trying focused approaches aimed at keeping dangerous intruders out.