ONOX HILL, Md. -- According to a 20-year Gartner analyst, enterprises have long over-spent on threat prevention and under-spent on detection and response, but that doesn't mean legacy prevention-centric security technologies are going away anytime soon.
During a session Monday on the evolving paradigm of continuous advanced threat protection at the 2014 Gartner Inc. Security and Risk Management Summit, Neil MacDonald, vice president and distinguished analyst, said traditional technologies like firewalls, intrusion detection and prevention systems (IDS/IPS) and antimalware fail to detect targeted attacks.
We don't know what to look for when nobody else has seen it. The [signature] model breaks down.
VP and distinguished analyst, Gartner
And that's because it's impossible to develop a signature for an attack nobody has seen before.
"We don't know what to look for when nobody else has seen it. The [signature] model breaks down," MacDonald said. "How you protect yourself from a shotgun blast is very different than how you protect yourself from a sniper's bullet. Traditional protection mechanisms are geared toward those noisy mass attacks."
The need to detect advanced, targeted attacks and quickly respond to them has led many enterprises to implement a new breed of security products that focus on rapid attack detection and response. According to MacDonald, these products seek to understand what "good" data or traffic looks like, and identify meaningful differences using techniques like baselining, anomaly detection and predictive failure analysis.
"It's one thing to protect yourself against random attacks," MacDonald said. "It's another to protect yourself against a highly motivated adversary, funded at nation-date level."
Instead, he advocated for what he called an "adaptive security architecture" -- a concept that combines technology that can predict and prevent attacks with products that can detect and respond to attacks that signature-based products miss.
"The idea is that this all works together," MacDonald said. "You won't have signatures before an attack, but you might have them after the attack, so you need the ability to push out new signatures and rule sets to endpoints and networks after you know what to look for."
Vendors evolving, some more than others
MacDonald noted that the need for adaptive security architectures has triggered a land-grab among vendors, large and small, trying to expand their reach, with many rapidly transforming as investors pour money into startups and acquisitions.
FireEye Inc. is at the top of the list, MacDonald said, not only with its January acquisition of Mandiant, but also recently by adding integrated, low-cost IPS capabilities to its threat prevention platform. Meanwhile, Palo Alto Networks Inc., arguably FireEye's arch rival, has been building on its strength in traditional next-generation firewall and IPS products by acquiring Morta Security to augment its WildFire cloud-based content-detonation sandboxing service.
MacDonald noted that scores of other vendors -- including Cisco Systems Inc., BlueCoat Systems Inc. and Bit9 Inc. -- have all made acquisitions to try to claim more parts of prevention, as well as detection and response.
Eventually, MacDonald said, these vendors' products will be tied together through central enterprise security bus systems in which events and other relevant metadata will be shared among various security products in a standardized way. He noted McAfee's security management platform as a uniquely strong offering in this nascent market.
MacDonald said this technology needs to evolve because security vendors' products are typically siloed and not effective at sharing information with a broad set of other products.
"It doesn't always have to come from one vendor, but what's lacking across vendors is the exchange mechanism for this type of contextual information," MacDonald said. "The industry has to come together and define it, or have one vendor stand up and put all the pieces together."
Despite the changing vendor landscape, MacDonald refuted the widely held notion that the days of signature-based security technology are numbered.
"For those organizations invested heavily in firewalls and host-based IPS, those are still needed, but [they are] less relevant," MacDonald said. "Signature-based products are still important. You just won't always have [signatures] in advance."
Still, he wasn't afraid to criticize the industry's largest vendors -- Symantec Corp., McAfee (now owned by Intel Corp.) and Trend Micro -- for their passive strategies and lack of recent product innovation.
"Where are the 'leaders'? Not leading. Following," MacDonald said. "The vendors that are really leading are the ones out there innovating."
Ultimately, MacDonald recommended enterprises look to renegotiate the costs of commoditized technologies like antimalware, IPS and encryption in order to shift that spending to detection and response. He also said organizations that don't have the in-house staff to support enhanced security response technology should strongly consider one of the growing number of managed threat detection services.
Attendee Karen Carman, director of information security and services for Kingsport, Tennessee-based Eastman Chemical Co., said her organization has been working on transitioning more from a prevention-oriented strategy to one based around detection and response by building central logging and data collection capabilities, and working internally with the data analytics group to learn how to make actionable decisions quickly.
"It's hard work," Carman said. "You always find more data, so it's much easier to put more information into the pile than to try to focus on those needles in the haystack and make sure we're taking action on that."
Alvin Riddle, senior director of IT risk management with Truven Health Analytics in Ann Arbor, Michigan, said despite MacDonald's advice, enterprises must be wary not to go too far toward detection and response. Perhaps the biggest challenge, he said, is creating the right ecosystem of products that can function well together.
"You don't want to have multiple vendors trying to integrate their products," Riddle said. "It's interesting to see, on the vendor side, where they're starting to put all of it together through acquisitions."