Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA
02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 |
www.forrester.com
Targeted-Attack Hierarchy Of Needs, Part 2
by Rick Holland, July 24, 2014 | Updated: July 25, 2014
For: Security & Risk Professionals
Key Takeaways
Prevention Isn't Dead
There are innovative prevention technologies, but for these controls to be relevant, they must demonstrate operational effectiveness and scalability. Solutions that are appealing on datasheets must also work for the modern enterprise. If done well, prevention can relieve some of the daily operational burden and stress on S&R professionals.
No Single Technology Will Meet Your Breach Detection Needs
Investing in malware sandboxes alone isn't sufficient to defend the modern enterprise. You're going to need a combination of malware analysis, network analysis and visibility, endpoint visibility and control, and security analytics.
Invest In Vendors That Provide Multiple Pillars
Prioritize the vendors who can supply you with multiple technology pillars. Make sure that these vendors also offer a common user experience and as many integrations between their technologies as possible. Vendors that can enable the orchestration of your defense should be at the top of your list.
2014, Forrester Research, Inc. All rights reserved. Unauthorized
reproduction is strictly prohibited. Information is based on best
available resources. Opinions reflect judgment at the time and are
subject to change. Forrester, Technographics, Forrester Wave,
RoleView, TechRadar, and Total Economic Impact are trademarks of
Forrester Research, Inc. All other trademarks are the property of
their respective companies. To purchase reprints of this document,
please email [email protected]. For additional
information, go to www.forrester.com.
For Security & Risk Professionals
Why Read This Report
In part 1 of our research series, we detailed the foundational
requirements for building the necessary resiliency to targeted
cyberattacks. With the foundational requirements in place, security
and risk (S&R) leaders are ready to turn their focus to the
technologies for prevention as well as detection and response.
S&R leaders frequently struggle with deploying the right mix of
technologies to detect and respond to attacks. In this report, we
discuss the four technologies that should form the pillars of your
breach detection capabilities: malware analysis, network analysis
and visibility, endpoint visibility and control, and security
analytics. For each technology, we provide you with key evaluation
criteria, considerations, and both commercial and open source
solutions to help you select the right solution. These
technologies, in the hands of skilled staff, are essential for
building resiliency into your cybersecurity program.
Table Of Contents
Forrester's Targeted-Attack Hierarchy Of Needs Continues
Need No. 5: Prevention
Need No. 6: Detection And Response
You Must Build Each Tech Pillar Of The Breach Detection Stack
Pillar No. 1: Malware Analysis
Pillar No. 2: Network Analysis And Visibility
Pillar No. 3: Endpoint Visibility And Control
Pillar No. 4: Security Analytics
Balance The Pillars Based On Your Needs
What It Means
Detection And Response Require An Integrated Technology Stack
Supplemental Material
Notes & Resources
Forrester used a combination of primary and secondary research
in the writing of this report.
Related Research Documents
Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus, June 9, 2014
Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2, May 15, 2014
Five Steps To Build An Effective Threat Intelligence Capability, January 15, 2013
Targeted-Attack Hierarchy Of Needs, Part 2: Multiple Technologies Are Required For Breach Detection
by Rick Holland with Stephanie Balaouras, Katherine Williamson, and Andrew Hewitt
Forrester's Targeted-Attack Hierarchy Of Needs Continues
It's imperative that S&R leaders have a thoughtful and deliberate plan to fend off targeted cyberattacks. In part 1 of our research series, we focused on the fundamental requirements that S&R leaders must build into their security strategy: need no. 1: an actual security strategy; need no. 2: a dedication to recruiting and retaining staff; need no. 3: a focus on the fundamentals; and need no. 4: an integrated portfolio that enables orchestration (see Figure 1). Without fulfilling these fundamental needs, security organizations will struggle with even pedestrian adversaries and certainly fail against more skilled adversaries. In this part 2 of our series, we discuss need no. 5: prevention, as well as the technologies associated with need no. 6: detection and response.
Figure 1 The Targeted-Attack Hierarchy Of Needs
Source: Forrester Research, Inc.
The hierarchy, from its foundation upward: an actual security strategy; a dedication to recruiting and retaining staff; a focus on the fundamentals; an integrated portfolio that enables orchestration; prevention; detection and response.
Need No. 5: Prevention
Prevention is dead, long live prevention. One of the recent trends in information security is to claim that prevention is dead. You should be particularly suspicious of vendors that deal only in detection and make this claim. Investment will shift toward detection, but prevention isn't going away, and the reports of its death have been greatly exaggerated. When thinking about prevention, remember:
The Pareto principle applies. Not all attacks are targeted, and not all targeted attacks come from state actors or other sophisticated cyberadversaries. If you can use prevention to eliminate 80% of the attacks against your organization, you can focus your limited resources on detecting and responding to the attackers that have the motivation and capability to do the greatest harm. You don't want to be focusing on nuisance threats while skilled attackers are exfiltrating your most precious data.1 At a minimum, prevention eliminates noise.
Prevention can be innovative. Prevention can do more than just eliminate noise. Don't think of prevention as just antivirus (AV) blacklisting and IDS/IPS signatures; it can be much more than that. During the past 18 months, we have seen the emergence of innovative solutions at the endpoint, including Bromium, Invincea, and IBM Trusteer.2 RSA Conference Innovation Sandbox finalist Cylance, as well as Cyvera (recently acquired by Palo Alto Networks), are other examples of innovative endpoint security controls.3 The Microsoft Enhanced Mitigation Experience Toolkit (EMET) also provides this type of capability. It's important to note that even solutions designed to prevent zero-day attacks can be circumvented: In early July, researchers from Offensive Security were able to disable all of EMET's protections.4 Still, if you can prevent something malicious from occurring in the first place, there is no need for response.
Prevention must not negatively affect the user experience. You can have the most effective security control, but if it is so intrusive that employees can't work, it won't be in production for very long.5 This applies to endpoint security as well; the poor user experience of training a host intrusion prevention system (HIPS) is a prime example. These new endpoint solutions must demonstrate that they can be effective and transparent to users.6 Many organizations, concerned about blocking legitimate actions, have adopted a lighter touch on the endpoint via endpoint visibility and control (EVC) solutions.
Prevention must demonstrate operational effectiveness and scalability. The user experience isn't the only perspective that S&R pros need to consider; the administrator's experience operationalizing the solution is also important. Dashboards and an intuitive user interface enhance operational effectiveness. Scalability is another important consideration: Deploying a solution to 100 endpoints is one thing; deploying a solution to 100,000 endpoints is an entirely different matter. Tanium, a solution with endpoint visibility capabilities, just received $90 million in funding in part because of its ability to deploy at scale for very large enterprises.7
Prevention will always be a part of response. At a certain stage in detection, you will move to response. Blocking adversary command and control is one example of prevention. Prevention also occurs in the containment phase of response. From a network perspective, you might use network access control to kill the switch port connected to the infected host. You might use endpoint visibility and control to surgically kill a malicious process. You could also integrate with Active Directory to prevent a compromised account from accessing the network. The real questions regarding prevention are how you will integrate it into your portfolio and how you can use it as a force multiplier for your protection.
Need No. 6: Detection and Response
Although prevention isn't dead, it can fail. Do you think a sophisticated adversary like the NSA or any other nation-state actor is going to cease targeting you once they discover you have the latest and greatest preventive controls? Absolutely not: A determined and well-resourced adversary will find a way to render these controls ineffective. Given the immaturity of most organizations, attackers don't even have to be that clever to accomplish their goals. Hope for prevention; plan on detection and response. When prevention fails, detection and response are your only options. Having capable incident response is critical. Forrester identified seven habits that effective incident response teams must possess.8 IR programs that adopt these principles will be better prepared to adapt to the threat landscape and will be able to recover from security incidents more effectively. From a technology perspective, there are four primary functions, or pillars, that are necessary for breach detection: 1) malware analysis; 2) network analysis and visibility (NAV); 3) endpoint visibility and control (EVC); and 4) security analytics (SA).
Threat intelligence will play an important role in detection and response.9 Vendors have bandied about and overused the term "actionable threat intelligence" so much that it has become a buzzword without meaning. This is unfortunate because it's possible to turn multiple sources of intelligence into action, but it requires dedicated staff committed to following a continuous cycle of collecting, analyzing, and then disseminating intelligence. Forrester defines actionable intelligence as being accurate, aligned with intelligence requirements, integrated, predictive, relevant, tailored, and timely.10 You should leverage actionable threat intelligence within your technology stack to help you: 1) identify potential threats on the horizon targeting your industry or specific organization; 2) prioritize the remediation of vulnerabilities and architectural adjustments in your environment; and 3) identify the attacks that are already in progress. It's indispensable to both prevention and breach detection and response.
You Must Build Each Tech Pillar Of The Breach Detection Stack
There is no single technology that will detect the intrusions
and breaches within your organization; you need solutions that will
help you build all four pillars of your breach detection stack (see
Figure 2). You need to instrument your entire security organization
for breach detection. This includes the people, process, and
oversight required to make technology deployments successful.
Figure 2 Technology Pillars Of Breach Detection
Source: Forrester Research, Inc.
Pillars of detection: malware analysis; network analysis and visibility; endpoint visibility and control; security analytics. Threat intelligence is leveraged across the stack.
Pillar No. 1: Malware Analysis
FireEye leveraged automated malware analysis to address threats that the traditional security vendors were failing to stop. FireEye took automated malware analysis mainstream; today, almost all security vendors have some sort of automated malware analysis capability. Malware analysis is frequently an organization's first foray into attempting to address the threat landscape. Generally speaking, malware analysis consists of dynamic and static analysis:
Dynamic analysis executes and observes malware. Virtual
sandboxes are a popular method for performing dynamic analysis.
Advanced dynamic analysis introduces a debugger to observe the
internal state of an executable. These automated malware analysis
solutions inspect code and make a determination as to whether it is
malicious in nature.
Dynamic malware analysis can be effective at detecting malicious
code; however, adversaries are well aware of this technology within
their targets. This has led to a constant cat-and-mouse game in
which adversaries try to evade analysis and vendors try to enhance
their solutions with anti-evasion techniques. FireEye has written
several blog postings illustrating the evolution of sandbox
evasion. Most recently, they wrote about evasion techniques that
require human interaction.11 Anti-evasion techniques are just some
of the criteria that you need to consider when evaluating automated
malware analysis capabilities (see Figure 3).
Static analysis analyzes the code or structure of malware to
understand how it functions. Unlike dynamic analysis, static
analysis does not run the malware itself at the time of analysis.
Malware authors make static analysis more difficult by obfuscating
the execution of malware and by using packers to compress
executables. More advanced static analysis involves reverse
engineering the malware. Malware analysis solutions often include
some very light static analysis to help detect malcode that might
not execute in a virtual environment.
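The "very light static analysis" described above can be made concrete. The Python below is an added example written for this edit (not code from Forrester or from any vendor named in this report): it computes byte entropy to flag packed or encrypted content that will only reveal itself under dynamic analysis, and it extracts printable strings to look for API names that malware uses to detect debuggers, sandboxes, and the absence of a human at the keyboard. The two samples, the indicator list, and the 7.0-bit threshold are constructed assumptions for the example, not measured values.

```python
import math
import random
import re
from collections import Counter

# Assumed indicator list for this example: API names that commonly appear in
# malware that detects or defeats analysis. Not a vendor's signature set.
ANTI_ANALYSIS_INDICATORS = (
    "IsDebuggerPresent",           # debugger detection
    "CheckRemoteDebuggerPresent",
    "GetCursorPos",                # "is a human moving the mouse?" sandbox checks
    "GetTickCount",                # timing-based sandbox/debugger detection
    "VirtualAlloc",                # unpacking stubs and shellcode loaders
    "WriteProcessMemory",          # process injection
    "CreateRemoteThread",
)

# Bits per byte above which a buffer is treated as compressed/encrypted
# (assumed threshold). 8.0 is the maximum; plain code and text sit below 7.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes (like the `strings` tool)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """Light static triage: entropy-based packer heuristic plus string indicators.

    Both checks are cheap and need no execution, which is why they run before
    (or instead of) a sandbox detonation.
    """
    entropy = shannon_entropy(data)
    strings = extract_strings(data)
    indicators = sorted(
        ind for ind in ANTI_ANALYSIS_INDICATORS if any(ind in s for s in strings)
    )
    likely_packed = entropy > PACKED_ENTROPY_THRESHOLD
    return {
        "entropy": round(entropy, 2),
        "string_count": len(strings),
        "likely_packed": likely_packed,
        "anti_analysis_indicators": indicators,
        # A packed sample hides its strings, so static hits are absent; that
        # absence plus high entropy is exactly the case for dynamic analysis.
        "needs_dynamic_analysis": likely_packed or bool(indicators),
    }


# Constructed samples, not real malware. The "packed" one is seeded random
# bytes, which is what a compressed or encrypted section looks like to an
# entropy check; the "plain" one imitates an unpacked dropper with a readable
# import table and a hard-coded C2 URL (documentation domain, not a real C2).
_rng = random.Random(1)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"kernel32.dll\x00IsDebuggerPresent\x00GetTickCount\x00GetCursorPos\x00"
    + b"VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://c2.example.invalid/gate.php\x00"
    + b"\x00" * 512
)

if __name__ == "__main__":
    for name, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage(sample))
```

The packed sample yields no string hits at all, which is the point: high entropy with nothing readable is the signal to hand the file to a sandbox, while the plain sample's import names (GetCursorPos, GetTickCount) are the static trace of the human-interaction and timing evasions discussed above.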
Figure 3 Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions
Source: Forrester Research, Inc.
Automated malware analysis
Considerations:
A combination of dynamic and static analysis can detect malware that traditional signature-based controls miss.
Sophisticated adversaries will circumvent dynamic malware analysis. Evasion detection is important.
Many organizations are overwhelmed by malware alerts. Alert-driven security is a reality.
Scalability is a challenge for on-premises malware analysis deployments when an organization is distributed with many ingress/egress points.
A malware analysis solution must observe malicious code; it isn't effective against threat vectors where the initial infection occurs in the extended enterprise, beyond perimeter security controls (watering hole attacks/strategic web compromise).
A malware analysis solution is unable to observe lateral movement where malicious code isn't involved.
For many vendors, malware analysis visibility is limited to web, email, and SMB protocols.
Organizations with operational security (OPSEC) concerns should consider on-premises or private cloud deployments. The analysis of malware that results in subsequent blocking could alert attackers.
Key evaluation criteria:
Deployment options: on-premises, cloud, hybrid.
On-premises deployment options: passive, passive blocking, inline blocking.
What malware analysis techniques are used (static, dynamic, emulation, network behavior)?
What types of content are inspected (executables, DLLs, archives, images, PDFs, Flash, Office documents, JavaScript)?
What anti-evasion techniques are used to ensure malware executes in the analysis environment?
What endpoint integrations exist? Integration with endpoint controls provides endpoint context: Was the endpoint already patched for the vulnerability being exploited? Endpoints can also perform containment/remediation.
Ability to perform dynamic analysis on customized virtual machine images.
Virtual machine operating system support (Windows, OS X).
Visibility into encrypted traffic.
Android APK analysis.
Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX).
What NAV capabilities exist? Some vendor solutions offer not only automated malware analysis but also NAV capabilities.
Figure 3 Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions (Cont.)
Source: Forrester Research, Inc.
Solutions:
Commercial: Blue Coat Norman Sandbox, Cyphort, Fidelis XPS Advanced Threat Defense, FireEye Threat Prevention Platform, LightCyber, Palo Alto Networks WildFire, Lastline, Seculert, ThreatGrid, Trend Micro Deep Discovery
Open source: Anubis, Cuckoo Sandbox, Minibis, Wepawet
Pillar No. 2: Network Analysis And Visibility
One of the key components of a Zero Trust network is network
analysis and visibility (NAV).12 NAV is a diverse set of tools
designed to provide network-based situational awareness to S&R
pros. NAV tools perform many functions including: malicious
behavior detection, network discovery, flow analysis, meta-packet
capture, full packet capture, and network forensics.13
The convergence of some NAV and security information
management/security information and event management (SIM/SIEM)
capabilities is under way.14 LogRhythm is one of many SIM/SIEM
solutions that can consume a number of flow formats. RSA has
combined the network forensics capabilities of NetWitness with the
SIM capabilities of enVision into its RSA Security Analytics
solution. SIM/SIEM integration is just one of the criteria when
considering NAV solutions (see Figure 4).
Figure 4 NAV Considerations, Key Evaluation Criteria, And Solutions
Source: Forrester Research, Inc.
Network analysis and visibility
Considerations:
Layer 7 visibility at the Internet perimeter(s) should be one of your first priorities. Similar visibility at data center ingress/egress should follow.
Packet capture at the Internet perimeter(s) is ideal. Similar capability at data center ingress/egress should follow. Packet capture fidelity is important; you cannot afford to drop or miss packets.
Flow data is probably already being used by infrastructure and operations (I&O); leverage it for security purposes. Flow data can be used to detect attacker lateral movement; it is more scalable than packet capture for this use case.
NGFW/segmentation gateways provide NAV capabilities (detection of port hopping, SSH/SSL use, and use of nonstandard ports).
The more segmented the network, the more challenging NAV implementations become. Instrumenting enterprise networks for NAV takes time.
Do you trust the endpoint? NAV can validate what data the endpoint is reporting (situations where the endpoint is compromised with a rootkit).
NAV lacks the rich host context that endpoint visibility and control solutions provide.
Key evaluation criteria:
What are the deployment options (i.e., physical/virtual, distributed)?
How much throughput can capturing devices handle (1 Gbps, 10 Gbps, 40 Gbps)?
What are the storage capabilities of the solution (direct-attached capacity/storage area network capabilities)?
How is indexing performed (metadata creation, PCAP association)?
What visualization capabilities exist to enhance analysis?
What behavioral analysis capabilities exist (malware command and control, data exfiltration)?
What encrypted traffic inspection capabilities exist?
What incident response/forensic analysis workflows exist?
How is searching performed? How long do searches take?
How does the solution ingest threat intelligence? Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX). How can you hunt/search for threat indicators?
What applications are classified?
What endpoint integrations exist?
How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?
Figure 4 NAV Considerations, Key Evaluation Criteria, And Solutions (Cont.)
Source: Forrester Research, Inc.
Solutions:
Commercial: Arbor Networks Pravail Security Analytics, Blue Coat Security Analytics (Solera Networks), Damballa Failsafe, FireEye nPulse, Lancope StealthWatch, LightCyber Detect, Novetta Cyber Analytics, RSA Security Analytics (NetWitness/enVision)
Open source: Argus, Bro, Security Onion, Snorby, Snort OpenAppID, System for Internet-Level Knowledge (SiLK)
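The consideration above that flow data is the scalable way to spot lateral movement is worth showing rather than asserting. The Python below is an added example written for this edit, not code from Forrester or from any NAV product listed: it reads a CSV flow export and flags any internal source that reaches an unusual number of distinct internal hosts on remote-administration ports inside a short window, the "fan-out" pattern of an attacker sweeping file servers with stolen credentials. The column layout, the port list, the threshold and window, and all of the flow records are constructed assumptions; adapt the parser to your collector's output (for SiLK, an rwcut field list) and tune the threshold against your own baseline.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports used for remote administration that an attacker pivoting through the
# network also relies on (SSH, RPC, SMB, RDP, WinRM). Assumed list for the example.
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}

# Assumed thresholds: a source touching this many distinct internal hosts on
# admin ports within the window is flagged. Jump hosts and vulnerability
# scanners will trip this by design and belong on an allowlist.
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flows(text: str) -> list:
    """Parse a CSV flow export. The column layout is an assumption for this
    example; map it to whatever your flow collector emits."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start_time": datetime.fromisoformat(row["start_time"]),
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def detect_fanout(flows: list, threshold: int = FANOUT_THRESHOLD,
                  window: timedelta = WINDOW) -> list:
    """Flag internal sources that reach `threshold` distinct internal hosts on
    admin ports within `window`. One alert per source, sorted by source IP."""
    by_src = defaultdict(list)
    for f in flows:
        if (f["dst_port"] in LATERAL_PORTS
                and is_internal(f["src_ip"]) and is_internal(f["dst_ip"])):
            by_src[f["src_ip"]].append(f)

    alerts = []
    for src, src_flows in sorted(by_src.items()):
        src_flows.sort(key=lambda f: f["start_time"])
        # Sliding window anchored on each flow in turn; stop at the first hit.
        for i, first in enumerate(src_flows):
            targets, last = set(), first
            for f in src_flows[i:]:
                if f["start_time"] - first["start_time"] > window:
                    break
                targets.add(f["dst_ip"])
                last = f
            if len(targets) >= threshold:
                alerts.append({
                    "src_ip": src,
                    "targets": sorted(targets),
                    "first_seen": first["start_time"].isoformat(),
                    "last_seen": last["start_time"].isoformat(),
                })
                break
    return alerts


# Constructed flow records for the example (RFC 1918 and documentation
# addresses only). 10.1.5.23 is a workstation sweeping servers over SMB, RDP
# and WinRM; 10.1.9.9 is an admin host doing routine SSH work.
FLOWS_CSV = """\
start_time,src_ip,dst_ip,dst_port,bytes
2014-07-24T09:00:01,10.1.5.40,203.0.113.5,443,18230
2014-07-24T09:00:14,10.1.5.23,10.1.0.10,445,4820
2014-07-24T09:00:20,10.1.0.10,10.1.5.23,445,912
2014-07-24T09:00:31,10.1.5.23,10.1.0.11,445,4871
2014-07-24T09:00:45,10.1.5.23,10.1.0.12,3389,22310
2014-07-24T09:01:02,10.1.5.23,10.1.0.13,445,4810
2014-07-24T09:01:09,10.1.5.40,10.1.0.10,445,3102
2014-07-24T09:01:40,10.1.5.23,10.1.0.14,445,4866
2014-07-24T09:02:15,10.1.5.23,10.1.0.15,5985,7720
2014-07-24T09:30:00,10.1.9.9,10.1.0.10,22,2200
2014-07-24T09:31:00,10.1.9.9,10.1.0.11,22,2310
2014-07-24T09:32:00,10.1.9.9,10.1.0.12,22,2150
"""

if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(FLOWS_CSV)):
        print(alert)
```

Only the workstation is flagged with the default threshold; the admin host's three SSH sessions stay under it. Flow records carry no payload, so this tells you who swept what and when, not what was done on each target, which is where the endpoint pillar picks up.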
Pillar No. 3: Endpoint Visibility And Control
Endpoint visibility and control (EVC) seeks to provide detailed visibility into activity occurring on the endpoint. EVC solutions can provide details on endpoint process executions, application/file/registry modifications, network activity, active memory, as well as kernel-driver activity. Some EVC solutions provide visibility only, while others also provide the ability to contain malicious endpoint behavior.15
There are endpoint offerings like Palo Alto Networks Next-Generation Endpoint Protection that are intended to prevent malicious activity from occurring in the first place. This is ideal, but working under the assumption that determined adversaries will find a way to circumvent your controls, visibility is also important. In 2012, Bit9 was targeted so that the adversary could breach Bit9 customers. The attackers couldn't circumvent Bit9's whitelisting protection directly, so they compromised Bit9 itself and used one of its code-signing certificates to digitally sign their malware, making it appear to be legitimate software.16 A deeper level of visibility on the hosts running this signed malware could have provided the company with valuable insight that might have accelerated the detection of malicious activity. Deep visibility is just one evaluation criterion to use when considering EVC solutions (see Figure 5).
Figure 5 Endpoint Visibility And Control Considerations, Key Evaluation Criteria, And Solutions
Source: Forrester Research, Inc.
Endpoint visibility and control
Considerations:
The extended enterprise makes endpoint security a necessity. Organizations have no visibility when endpoints are beyond the perimeter. For example, an endpoint perspective is needed to detect strategic web compromise/watering hole attacks when the host is remote.
An endpoint perspective is necessary to determine the impact of malware. Did it actually execute? Was the host already patched against the exploit?
Endpoint control provides the ability to perform surgical containment of malicious processes.
Endpoint solutions must demonstrate that they can deploy at scale in an operationally effective manner.
BYOC makes deployment challenging if not impossible.
Need to overcome yet-another-agent syndrome. The addition of a new endpoint agent can impact the resources available on a host that already has multiple endpoint agents.
If the endpoint is already compromised, you cannot trust what it is reporting back. EVC must be deployed to a host in a known good state.
Key evaluation criteria:
Does the solution operate in user space or kernel space?
What impact does the EVC agent have on the host operating system (memory, CPU, disk)?
Does the solution provide visibility and monitoring only? What about containment?
What operating systems are supported (Windows, OS X)?
What workflow is used for enabling automated response (crawl, walk, run)?
What threat intelligence standards are supported (OpenIOC, STIX/TAXII/CybOX)?
What visualization capabilities exist to enhance analysis?
What incident response/forensic analysis workflows exist?
What network security/NAV integrations exist?
How does the solution ingest threat intelligence? How can you hunt/search for threat indicators?
What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?
What integrations exist for automated response (Active Directory integrations for account lockout, switch port integrations for disabling endpoint network access)?
How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?
Solutions:
Commercial: Bit9, Carbon Black, Confer, CounterTack Sentinel, CrowdStrike Falcon Host, Cybereason, FireEye HX, Guidance Software Cyber Security, Hexis HawkEye G, Tanium, Triumfant, Verdasys Digital Guardian
Open source: Immunity El Jefe, OSSEC
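The evaluation criterion above asks how a solution detects the use of legitimate Windows tools for malicious purposes; the Bit9 case earlier in this section shows why that matters, since a valid signature says nothing about intent. The Python below is an added example written for this edit, not code from Forrester or from any EVC product listed: it runs three lineage and command-line rules over process-creation telemetry of the kind EVC agents collect (an Office application spawning a shell, an encoded PowerShell command, and a local administrators group change), and it renders the parent chain an analyst would pivot on. The event format and every event in it are constructed for the example; field names are an assumption, not any product's schema.

```python
import base64
import binascii
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen in the wild.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def decode_encoded_command(payload: str):
    """-EncodedCommand payloads are base64 over UTF-16LE; None if malformed."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def lineage(index: dict, host: str, pid: int) -> str:
    """Walk parent pointers to render the ancestry, root first, e.g.
    'WINWORD.EXE > cmd.exe > powershell.exe'. Stops at unknown or cyclic pids."""
    chain, seen = [], set()
    while (host, pid) in index and pid not in seen:
        seen.add(pid)
        ev = index[(host, pid)]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return " > ".join(reversed(chain))


def detect(events: list) -> list:
    """Apply lineage and command-line rules to process-creation events.

    Code-signing status is deliberately not consulted: every binary in the
    sample chain is a legitimately signed Microsoft tool, which is exactly
    what makes this activity invisible to whitelisting alone.
    """
    index = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"]).lower()
        parent = index.get((e["host"], e["ppid"]))
        parent_name = basename(parent["image"]).lower() if parent else ""
        tokens = e["cmdline"].split()
        lowered = [t.lower() for t in tokens]

        def alert(rule, detail):
            alerts.append({"rule": rule, "host": e["host"], "pid": e["pid"],
                           "user": e["user"], "detail": detail,
                           "lineage": lineage(index, e["host"], e["pid"])})

        if parent_name in OFFICE_APPS and name in SHELLS:
            alert("office_spawns_shell", f"{parent_name} -> {name}")
        if name == "powershell.exe":
            for i, tok in enumerate(lowered[:-1]):
                if tok in ENCODED_FLAGS:
                    decoded = decode_encoded_command(tokens[i + 1])
                    alert("encoded_powershell", decoded or tokens[i + 1])
                    break
        if (name in {"net.exe", "net1.exe"} and "localgroup" in lowered
                and "administrators" in lowered and "/add" in lowered):
            alert("local_admin_added", e["cmdline"])
    return alerts


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed process-creation events (one JSON object per line). "SQBFAFgA"
# is base64 of UTF-16LE "IEX", built for the example. WS-0177 is benign noise.
EVENTS_JSONL = r"""
{"host": "WS-0142", "pid": 4120, "ppid": 3988, "user": "CORP\\jdoe", "signed": true, "image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.docx"}
{"host": "WS-0142", "pid": 4388, "ppid": 4120, "user": "CORP\\jdoe", "signed": true, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"host": "WS-0142", "pid": 4402, "ppid": 4388, "user": "CORP\\jdoe", "signed": true, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"}
{"host": "WS-0142", "pid": 4510, "ppid": 4402, "user": "CORP\\jdoe", "signed": true, "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net localgroup administrators svc_backup /add"}
{"host": "WS-0177", "pid": 1040, "ppid": 980, "user": "CORP\\asmith", "signed": true, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"host": "WS-0177", "pid": 2210, "ppid": 1040, "user": "CORP\\asmith", "signed": true, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
"""
EVENTS = load_events(EVENTS_JSONL)

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["host"], a["lineage"], "|", a["detail"])
```

The three alerts all land on WS-0142 and share one ancestry rooted in WINWORD.EXE, which is the context an analyst needs to treat them as one incident rather than three tickets; the cmd.exe launched from Explorer on WS-0177 matches nothing. A containment-capable EVC agent would act on the pid in the alert, which is the "surgical containment" the considerations above refer to.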
Pillar No. 4: Security Analytics
Few will argue that the traditional approach to SIM/SIEM is effective. Many claim to have intelligence-led security but actually have alert-driven security. To be at all useful, SIM/SIEM solutions require skilled analysts to operate and maintain them, the kind of staff few organizations have. In addition, clients regularly complain that the lack of any kind of meaningful context around alerts makes triage even more difficult.17 As a result:
Vendors are developing new security analytics (SA) solutions . . . The convergence of the correlating and reporting functions of SIM/SIEM, together with information feeds from data leak protection solutions, NAV solutions, identity and access management solutions, and even fraud solutions, will give S&R pros the kind of context and situational awareness they need for action. The challenge is that out-of-the-box SA solutions don't exist just yet. Vendors of legacy SIM/SIEM solutions are expanding the collection and analysis of new types of business and IT data to improve their ability to offer information in context, but many organizations are developing homegrown solutions using big data platforms like Hadoop. Still other vendors are hoping to disrupt the market with deep insights into particular domains like the endpoint. Both Guidance Software and CrowdStrike have analytics capabilities on the endpoint.18
. . . that can also automate remediation. Not only must SA provide you with actionable data, it must have integrations and automation to help you take action. SA should help us avoid obstacles and see the road ahead. Proofpoint's recent acquisition of incident response and orchestration specialist NetCitadel is evidence that demand for SA solutions with automated response is heating up.19 Automation is just one criterion to consider when evaluating SA solutions (see Figure 6).
Figure 6 Security Analytics Considerations, Key Evaluation Criteria, And Solutions
Source: Forrester Research, Inc.
Security analytics
Considerations:
The SA vendors that can offer a platform that enables the orchestration of detection and response through integrations and automation will be an organization's most valuable partner.
Early adopters of big data solutions like Hadoop have had to develop their own security analytics capabilities, but this is starting to change as vendors bring prepackaged analytics online. There are still no turnkey offerings.
Technology is core to SA, but just as with SIM/SIEM, people and process ultimately determine success. Like anything else, don't think of SA as a silver bullet.
How much effort is required for you to implement and operationalize SA? If you don't have the resources, MSSPs may be a more practical alternative for SA, not unlike SIM/SIEM.
As SA platforms consume more and more data to provide richer context, you must make securing this data a priority. All your eggs are in one basket; you are concentrating your liability and you must protect the data.
Infrastructure is moving to the cloud; if you thought doing SA on-premises was challenging, the cloud will only complicate this more. Companies like Threat Stack and Alert Logic provide analytics into elastic infrastructure.
The disillusionment with SIM/SIEM has led to the emergence of SA capabilities within individual security controls. CrowdStrike released Endpoint Activity Monitoring, which embeds Splunk software as a machine data platform for the search, alerting, reporting, and analytics capabilities.
Key evaluation criteria:
What types of data can the SA solution consume (structured data, unstructured data, application data, log data, flow data, meta packet capture, full packet capture, event data, vulnerability data, identity data, third-party intelligence, data from elastic infrastructure)?
How does the solution ingest threat intelligence (JSON, CSV, XML)? What threat intelligence standards are supported (IODEF, OpenIOC, STIX/TAXII/CybOX)?
What analytic capabilities does the SA solution possess (statistical modeling, predictive analytics, behavioral modeling)?
What internal context is used to prioritize alerting? How are asset value, vulnerabilities present, attack path modeling, and identity incorporated into alert triage?
What external context is used to prioritize alerting? How are threat intelligence and real-world exploitation of vulnerabilities incorporated into alert triage?
What incident response/forensic analysis workflows exist? How can you hunt/search for threat indicators?
What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?
What analyst enrichments exist in the solution (GeoIP, passive DNS, asset value, Whois lookups)?
Figure 6 Security Analytics Considerations, Key Evaluation Criteria, And Solutions (Cont.)
Source: Forrester Research, Inc.
Security analytics
Key evaluation criteria (continued):
What visualization capabilities exist to enhance analysis (similar to the user experience of Paterva Maltego or Tableau Software)? Does graph analysis exist?
What pivoting capabilities exist? Can the analyst pivot and drill down into new data while preserving previous searches/queries?
Does the SA reporting include templates for time-to-detection?
What integrations facilitate action? What detective and preventive security control integrations exist? What APIs exist for custom integrations?
Solutions:
Commercial: Alert Logic, BAE Applied Intelligence Cyber Reveal, Cloudera, FireEye Threat Analytics Platform, IBM i2 Analyst's Notebook, Palantir, Splunk, Sumo Logic, and traditional SIM/SIEM like LogRhythm, IBM QRadar, McAfee, HP ArcSight
Open source: Apache Hadoop, OSSIM
Balance The Pillars Based On Your Needs
One of the most common questions clients ask Forrester is "Where do we start?" Chances are you don't have very many of the necessary technology components of each pillar deployed in your environment. To help you decide how to start, ask and answer the following questions:
Do we benefit from prioritizing network or endpoint controls first? Although NAV solutions can provide visibility into key networks, network security controls such as these aren't sufficient. You also need visibility into the endpoint. There are benefits and limitations to each, and while you need both perspectives, you may not have the budget and the staff to do both, so you'll have to prioritize (see Figure 7). For most organizations, network controls provide quick wins that greatly improve visibility.
Do we have sufficient protections on the endpoint? You can leverage network controls to gain quick wins, but that doesn't mean you must delay implementing new endpoint controls based on use cases. Forrester recommends starting off by deploying preventive-based controls to high-value targets like domain controllers and other critical assets. Next, apply EVC to laptops that move in and out of your environment. A company like Bit9 can cover each use case with its traditional preventive whitelisting offering combined with the visibility of its Carbon Black acquisition.20 You can consider companywide EVC deployments to give you maximum visibility, but the expense and operational costs of this are probably not the best use of your limited resources, unless you already have capabilities in the other pillars.
How do we best plot the transition from SIM/SIEM to SA? The migration from SIM/SIEM to SA is going to take time. SA is in its infancy; there are no turnkey solutions out there. To build a solid foundation for your SA migration, focus on staff. You must have data analytics capabilities. It would also be helpful to start your analytics projects on structured data first. Rushing to do analytics on unstructured data without first having effective people, process, and technology will be challenging. As we stated above, analytics capabilities are also developing within individual security controls, so take advantage of this. Work with your current vendors, find out how they're building upon their analytic capabilities, and then take advantage of them.
How much should we spend on malware analysis? Malware analysis plays a role in the detection of attacks, but against sophisticated adversaries, it has diminishing returns. So how should you prioritize your investment? Depending on your threat model, deploying NAV capabilities at Internet ingress/egress first could offer better returns on your security investment. Malware analysis that is embedded as a feature in a broader offering allows you to acquire multiple pillars at once, potentially saving money for investment in another pillar.
Figure 7 You Must Balance Endpoint And Network Security Controls
Source: Forrester Research, Inc.
Network approach
Benefits: Out-of-band deployments offer a quick, transparent way to get visibility. Avoids the challenges associated with endpoint security deployments.
Limitations: No visibility when endpoints are outside the perimeter (unless SaaS is used). Challenges determining the impact on the endpoint. Scalability challenges for distributed enterprises; direct-to-Net exacerbates this.
Endpoint approach
Benefits: Visibility beyond the perimeter; follows endpoints in the extended enterprise. Expedites response; able to determine if a host has been compromised. Endpoint visibility can improve mean time-to-detection; endpoint prevention can stop execution of malicious activity/behavior.
Limitations: Something else on the endpoint; has the traditional endpoint security challenges. Consumerization (BYOD/BYOC) deployment challenges.
What It Means
Detection And Response Require An Integrated Technology Stack
It's important that you develop a road map for building out each of the technology pillars. You must remember that creating an integrated portfolio that enables orchestration should be a core tenet of your architectural, process, and product/service decisions.21 When evaluating technology, prioritize vendors that offer multiple pillars as well as those that have third-party integrations that make operationalizing the solution effective. You don't necessarily need a "single pane of glass," but you should have a common user experience. This will help you avoid amassing point products that add more overhead than security control. Without an integrated technology stack, you will never be able to improve time-to-detection, containment, and remediation.
Supplemental Material
Methodology
Forrester's Forrsights Security Survey, Q2 2013, was fielded to 2,134 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded from March 2013 to June 2013. ResearchNow fielded this survey online on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates. We have provided exact sample sizes in this report on a question-by-question basis.
Forrester's Business Technographics provides demand-side insight into the priorities, investments, and customer journeys of business and technology decision-makers and the workforce across the globe. Forrester collects data insights from qualified respondents in 10 countries spanning the Americas, Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.
Endnotes
1 Source: BusinessDictionary.com (http://www.businessdictionary.com/definition/Pareto-principle.html). The Pareto principle states that for many events, roughly 80% of the effects come from 20% of the causes.
2 We have covered alternatives to antivirus in-depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.
3 We have covered the acquisition of Cyvera in-depth in a previous report. See the March 25, 2014, "Quick Take: Palo Alto Networks Acquires Cyvera" report.
4 Source: "Exploit switches off Microsoft EMET's protection features," Help Net Security (http://www.net-security.org/secworld.php?id=17080).
For further explanation of this concept, please read the recent Offensive Security article, "Disarming Enhanced Mitigation Experience Toolkit (EMET)." Source: Offensive Security (http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/).
5 This is one of the primary reasons that many intrusion prevention systems (IPS) are deployed as intrusion detection systems (IDS). No one wants to block valid applications from being used.
6 Security leaders must realize that human factors contribute to
the success of a security control as much as the risk reduction of
the security control itself. Security leaders who choose to ignore
human factors run the risk of user security mistakes and even a
full security breach. There are three human factors that contribute
to the success of a security control and six human factors that act
as resistors to effectiveness. For more information, see the May
28, 2014, Raise The Security Bar With Human-Factor-Friendly Design
Concepts report.
7 Source: Kyle Russell, A16z Invests $90 Million In Tanium, An
Enterprise Systems Management Startup, TechCrunch, June 22, 2014
(http://techcrunch.com/2014/06/22/a16z-invests-90-million-in-tanium-an-enterprise-systems-management-startup/).
8 Habit No. 1: Are self-aware; Habit No. 2: Understand
technology benefits and limitations; Habit No. 3: Establish
realistic reporting and metrics; Habit No. 4: Are scalable; Habit
No. 5: Collaborate internally and externally; Habit No. 6: Actively
engage executives; and Habit No. 7: Operate with autonomy. See the
April 17, 2013, Seven Habits Of Highly Effective Incident Response
Teams report.
9 We have covered the role of threat intelligence in-depth in a previous report. See the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.
10 For more information on how to act on this actionable
intelligence, please see the January 15, 2013, Five Steps To Build
An Effective Threat Intelligence Capability report.
11 Source: Sai Omkar Vashisht and Abhishek Singh, Turing Test In
Reverse: New Sandbox-Evasion Techniques Seek Human Interaction,
FireEye Blog, June 24, 2014
(http://www.fireeye.com/blog/technical/malware-research/2014/06/turing-test-in-reverse-new-sandbox-evasion-techniques-seek-human-interaction.html).
12 We have covered the key components of a Zero Trust network in-depth in a previous report. See the November 15, 2012, "Build Security Into Your Network's DNA: The Zero Trust Network Architecture" report.
13 We have covered NAV tools in-depth in a previous report. See
the January 24, 2011, Pull Your Head Out Of The Sand And Put It On
A Swivel: Introducing Network Analysis And Visibility report.
14 We have covered the convergence of some NAV and SIM/SIEM in a
previous report. See the August 9, 2012, Dissect Data To Gain
Actionable INTEL report.
15 We have covered the characteristics of several EVC solutions
in-depth in a previous report. See the June 9, 2014, Prepare For
The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus
report.
16 Source: Brian Krebs, Security Firm Bit9 Hacked, Used To
Spread Malware, Krebs on Security, February 8, 2013
(http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/).
17 Dissect Data To Gain Actionable INTEL: The real value of SIM,
and its survival, depends on big data analytics for situational
awareness. Known as security analytics (SA), it involves looking
beyond network security data to include the collection and analysis
of new types of IT data that will transform SIM into an SA tool
that provides both security and IT analytics. For S&R
professionals, context is key to security analytics. This will help
identify events that are happening now but also assess the state of
security within the enterprise in order to predict what may occur
in the future and make proactive security decisions. See the August
9, 2012, Dissect Data To Gain Actionable INTEL report.
18 Source: CrowdStrike Releases Endpoint Activity Monitoring
Application, CrowdStrike press release, February 20, 2014
(http://www.crowdstrike.com/news/crowdstrike-releases-endpoint-activity-monitoring-application/index.html).
19 We have covered the acquisition of NetCitadel in-depth in a
previous report. See the June 19, 2014, Brief: Proofpoint
Strengthens Its Targeted Attack Defense With NetCitadel Acquisition
report.
20 We have covered the merger of Bit9 and Carbon Black in-depth in a previous report. See the February 14, 2014, "Quick Take: Bit9 And Carbon Black Merge" report.
21 The fourth tier in the targeted-attack hierarchy of needs: An
integrated portfolio that enables orchestration.
Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow.
Forrester Focuses On Security & Risk Professionals
"To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester's subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance."
Sean Rhodes, client persona representing Security & Risk Professionals
About Forrester
A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world's top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues (margin, speed, growth) first, technology second.
For More Information
To find out how Forrester Research can help you be successful
every day, please contact the office nearest you, or visit us at
www.forrester.com. For a complete list of worldwide locations,
visit www.forrester.com/about.
Client Support
For information on hard-copy or electronic reprints, please
contact Client Support at +1 866.367.7378, +1 617.613.5730, or
[email protected]. We offer quantity discounts and
special pricing for academic and nonprofit institutions.