Nmedia - Fotolia
- Kathleen Richards, Information Security
One-third of readers, out of 3,062 surveyed, told us their security investments in the next 12 months are being driven by the need to protect against advanced threats not detected by traditional technologies. Which vendors ranked on top in the hunt for better defenses against advanced persistent threats?
Designed as another layer of defense to help organizations counter undetected malware and relentless attacks, advanced threat detection technologies monitor communications across the network for evidence of compromise. These tools and services identify potential threats through a range of techniques (analysis of traffic and executables, behavior patterns, source reputation). And many use sandboxing technology -- often with an intelligence cloud -- to analyze suspicious files and generate a signature or threat score.
“Some people just assume that advanced threat equals malware sandboxing,” says Anton Chuvakin, research vice president for security and risk management at Gartner. “Advanced threats are advanced, so surely there is no one safeguard that stops them.” Gartner outlines five styles of advanced threat detection so that companies realize that buying a box in and of itself is not enough. “Advanced threat detection isn’t one technology,” says Chuvakin. “You also need to do traffic analysis and look at the endpoint.”
Technology providers have different approaches to advanced threat detection, offering various combinations of threat intelligence, monitoring and big-data analytics. Which companies’ approaches ranked highest on the must-watch list, according to the readers surveyed?
Like other providers of enterprise security platforms, Cisco offers integrated threat detection with its security appliances. In 2013 the company raised the stakes when it acquired Sourcefire, known for its intrusion prevention system. That company’s threat focus and centralized management capabilities enabled the networking giant to add Advanced Malware Protection (AMP) first to its email, Web and cloud content gateways, and now to the Cisco ASA next-generation firewall. The Cisco ASA with Firepower Services dynamically combines IPS logs about known events with event data collected across the network and endpoints, including client applications such as browsers and mobile devices.
Symantec’s Advanced Threat Protection also got a boost in 2014 when the company moved away from signature-based controls to managed security services. The company’s MSS-ATP combines endpoint detection with correlation enabled by integration with the security technologies of third-party vendors, such as Check Point Software Technologies, Palo Alto Networks and Sourcefire (now Cisco).
Innovative technology to watch: In February, Check Point acquired Hyperwise, a stealth-mode company that is reportedly developing a “CPU-level” threat prevention system designed to detect threats prior to the malware phase. The company’s motto? “Thinking out of the sandbox.”
While several pure-play security vendors were voted onto the shortlist, Splunk (machine learning), Trend Micro, Websense (acquired by Raytheon in May) and Dell SecureWorks are also in the mix at many organizations.
How threats are actually detected is not the main concern, however. The majority of the readers, 59%, didn’t have a “preferred approach” to advanced threats outside of the “best defense”; 23% focused on network strategies; and 11% relied on faster detection through threat intelligence and security analytics.
As organizations invest in more layers of defense to prevent undetected intrusions and costly data breach, security professionals have deployed a range of technologies in their attempts to defend against advanced threats, according to the readers surveyed.
While 43% of readers have deployed some form of advanced threat detection, 57% of those surveyed said they did not have these technologies in their current environments.
Some of these tools are almost mainstream, according to Chuvakin, who says the meaning of “advanced” is relative. Security professionals should approach advanced threat from the visibility side, rather than with the idea that they will stop it. “The point is that you want to have visibility across the network and the endpoints,” says Chuvakin. “Because if you build a higher wall to counter the advanced threat, they would look at the higher wall and say, ‘Oh, they have a higher wall, I will have to get a longer rope.’” Next year, the advanced threat will certainly be able to climb that wall.
Data analytics tools are also useful, “because once I have the data, I can see them,” Chuvakin says.
Why you should look at enhanced threat detection when conventional security falls short
Readers’ Choice 2014 picks for threat intelligence tools
Find out more about the benefits of advanced threat detection products