Category: Critical Infrastructure

Friday, 19 August 2011 08:45

Gartner Report Emphasizes Need for New Strategies to Deal with Advanced Targeted Threats

Recently, Gartner published a new report titled “Strategies for Dealing With Advanced Targeted Threats”.  The message in this report is how to strategically deal with ATTs (Advanced Targeted Threats), which is Gartner’s expanded definition of APTs (Advanced Persistent Threats) in order to emphasize the focused nature of these high-magnitude attacks.  A lot of emphasis is placed on the need for network activity monitoring, to the extent of even calling out “flows”, as we also saw in this year’s SIEM Magic Quadrant report.

Below is a breakdown of the report, beginning with The Problem definition:

  • The term “advanced persistent threat” (APT) has been overhyped in the press and is distracting organizations from a very real problem. Targeted attacks are penetrating standard levels of security controls and causing significant business damage to enterprises that do not evolve their security controls. Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious. Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from.

A major point that supports SIEM in general, and flows/behavior anomaly detection in particular, is in the analyst’s portrayal of “lean-forward” planning. This approach is especially needed in Critical Infrastructure, as the recent Ponemon survey pointed out the discrepancy in spending between physical and IT security, which is in fact evolving due to the potential for APT/ATTs.

Here are some more highlights from the Gartner report:

  • Advanced attacks (often called “advanced persistent threats”) are using techniques that demand an evolution of existing defenses, and an introduction of new security controls and processes. Enterprises need to focus on the effectiveness and efficiency of their infrastructure protection approaches.
  • Simply adding more layers of defense does not necessarily increase security against targeted threats — security controls need to evolve.
  • Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious.
  • Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from.
  • All the innovative techniques used in these attacks are detectable. One key to preventing their success is to focus on avoiding, minimizing or shielding the vulnerabilities they are exploiting.
  • Security information and event management (SIEM) products or other approaches that correlate information across defense “silos” should be used to gain better exception monitoring capabilities.
  • A lean-forward, continuous monitoring process includes the following steps:

    1. Establish a baseline.
    2. Update threat information.
    3. Monitor and inspect network traffic and host logs.
    4. Investigate possible threat activity.
    5. Activate an incident response process, or update defenses or work-arounds.
    6. Go to Step 1.

  • Some SIEM and next-generation firewall products have added some of the flow analysis features of network behavior analysis.
  • You must be prepared to invest in and staff lean-forward processes.
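As an added illustration of steps 1, 3 and 4 of the lean-forward loop (this is not code from the Gartner report or from Q1 Labs), here is a small Python sketch of the flow-based behavior anomaly detection the report points to: it builds a per-host baseline from flow records, then flags later flows that go to a peer the host has never talked to or whose volume sits far outside the baseline. All IP addresses, byte counts and the z-score threshold are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (src, dst, bytes_out), standing in for NetFlow-style
# exports collected during a quiet period. Values are made up for illustration.
BASELINE_FLOWS = [
    ("10.0.1.5", "203.0.113.10", 12_000), ("10.0.1.5", "203.0.113.10", 15_000),
    ("10.0.1.5", "203.0.113.11", 9_000),  ("10.0.1.5", "203.0.113.10", 11_000),
    ("10.0.1.7", "203.0.113.20", 3_000),  ("10.0.1.7", "203.0.113.20", 2_500),
    ("10.0.1.7", "203.0.113.21", 4_000),  ("10.0.1.7", "203.0.113.20", 3_500),
]

# Constructed flows seen after the baseline was established.
NEW_FLOWS = [
    ("10.0.1.5", "203.0.113.10", 13_000),    # known peer, usual volume
    ("10.0.1.7", "198.51.100.99", 250_000),  # unseen peer, far above usual volume
]


def build_baseline(flows):
    """Step 1: per-source mean and stdev of bytes per flow, plus the set of known peers."""
    per_host = defaultdict(list)
    peers = defaultdict(set)
    for src, dst, nbytes in flows:
        per_host[src].append(nbytes)
        peers[src].add(dst)
    return {src: (mean(v), pstdev(v), peers[src]) for src, v in per_host.items()}


def score_flows(flows, baseline, z_threshold=3.0):
    """Steps 3-4: return (src, dst, reason) for flows that deviate from the baseline."""
    findings = []
    for src, dst, nbytes in flows:
        if src not in baseline:
            # A host with no history cannot be scored; surface it for review.
            findings.append((src, dst, "no baseline for host"))
            continue
        mu, sigma, known = baseline[src]
        reasons = []
        if dst not in known:
            reasons.append("new external peer")
        # Guard against a zero stdev (host always sent the same volume).
        z = (nbytes - mu) / sigma if sigma else (0.0 if nbytes == mu else float("inf"))
        if z > z_threshold:
            reasons.append(f"volume z={z:.1f}")
        if reasons:
            findings.append((src, dst, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in score_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(finding)
```

Step 5 (response or defense update) and step 6 (re-baselining) are left to the operator; in practice the baseline is rebuilt on a schedule so that a slow drift in behavior does not silently become the new normal.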

Bottom line: Advanced Targeted Threats are front and center in our minds, and this report emphasizes important elements of a responsive strategy for dealing with these threats.  It is a must-read for all information security professionals concerned with staying ahead of these threats, especially in Critical Infrastructure.

Read more about how Q1 Labs’ Security Intelligence has been protecting Critical Infrastructure customers in our recent release, “A Year on from Stuxnet, More than 100 Critical Infrastructure Customers Rely on Q1 Labs for Security Intelligence.”


Friday, 5 August 2011 10:25

Critical Infrastructure vulnerabilities further exposed at Black Hat

The annual Black Hat conference is renowned for its controversial “briefings”, but one in particular has caught the attention of the industry this week. NSS Labs security researcher Dillon Beresford seems to have found more holes in industrial control systems, specifically programmable logic controllers (PLCs) from Siemens. PLCs are sub-systems of larger SCADA systems that are known to be deployed with little to no security measures, some exposed to the internet.

It’s no secret or shock that vulnerabilities exist in our industrial control systems. The health of our critical infrastructure depends on the security and stability of industrial control systems. The range of services covered by these systems is staggering. They control various services such as water treatment, water supply, electric power distribution, and oil and gas pipelines. Have I mentioned nuclear facilities? A successful attack on a single system inside any of the aforementioned services would have devastating effects socially, economically, and politically.

Related: Smart grids are picking up their deployment pace, but is security monitoring?

During his talk, Beresford demonstrated how to infiltrate and disable these PLCs, steal data, execute commands, and even lock out administrators.  According to many in the industry, including Beresford, better access controls and stricter security measures are being worked on now by Siemens.

“Now” might be a bit too late though, especially since Stuxnet is just over a year old and the threat is still looming over us. Beresford also claims that these are simple attacks to execute, casually stating that “single guys sitting in their basements could pull this off”. This might be the case for a single PLC breach, but probably not as simple for a larger Stuxnet-like infection.

Want more? Watch our recent webcast covering various attacks targeting SCADA and Smart Grid systems, and how to leverage security intelligence to defend your critical infrastructure against them.
