Gartner: 'Five Styles of Advanced Threat Defense' can protect enterprise from targeted attacks

Report defines technical "styles" that are ways to tackle the threat of stealthy attacks

Attackers want to compromise networks and computers to steal sensitive information from the enterprise by using sophisticated malware. Research firm Gartner says IT can protect the enterprise against targeted attacks in five basic ways, and recommends combining at least two of them together for best effect.

Gartner's report, "Five Styles of Advanced Threat Defense," defines technical "styles": ways to tackle the threat of stealthy attacks, sometimes called advanced persistent threats, that go beyond traditional security controls such as anti-virus or firewalls.

The report is based on an analysis of the security products in the market designed to help identify stealthy attacks or collect forensics on compromised systems. Gartner categorizes these into five technical approaches it refers to as specific "styles" in a framework of security.

According to Gartner, it's central to first think about the timeframe of an attack aimed at stealing critical data. There are real-time (or near-real-time) defenses that can be put in place. Other tools should be considered "postcompromise": they apply when an attack has unfortunately already succeeded and there's a need for forensics. In its report, Gartner notes that some security vendors have products that do some of both.


In general, there's a need to analyze inbound and outbound network traffic to detect compromised endpoints, and agent software on the endpoint isn't required to do this. There's also a need to look at the attacker's payload: a sandbox approach, using a safely isolated simulation environment, can observe how payloads behave, with the goal of flagging them as dangerous. Finally, Gartner notes a need to determine how endpoints have been impacted by malware, but endpoint tools typically carry significant operational costs to deploy and manage.

In short, Gartner's "Five Styles" of defense are:

Style 1: Network Traffic Analysis techniques establish baselines of normal traffic patterns and highlight anomalous patterns that indicate a compromised environment (for example, anomalous DNS traffic could indicate botnet activity). This approach offers real-time detection, can include both signature-based and non-signature techniques, and doesn't require endpoint agents. The challenge is that it might require "careful tuning and knowledgeable staff to avoid false positives," Gartner points out. If the product is an out-of-band tool, it has a limited ability to block attacks and may not see traffic from off-network mobile endpoints. A sampling of vendors with products in this category would be Arbor Networks, Damballa, Fidelis, Lancope and Sourcefire's AMP, according to Gartner. (Sourcefire was recently acquired by Cisco.)
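To make the Style 1 idea concrete, here is a toy baseline-and-deviation detector written for this article (it is not from the Gartner report or any vendor's product): it learns per-client DNS query volume and NXDOMAIN rate over a few baseline windows, then flags clients whose later behaviour deviates by more than a tunable z-score threshold. All log lines, client addresses and domain names are constructed, and the threshold shows the tuning trade-off Gartner mentions.

```python
import statistics
from collections import defaultdict

# Constructed resolver log lines, "<window> <client> <qname> <rcode>" (not real traffic).
# Windows 1-3 are the baseline. In window 4, 10.0.0.7 resolves a burst of never-seen
# names that all fail (the NXDOMAIN pattern the article ties to botnet traffic), while
# 10.0.0.5 makes one typo that also yields NXDOMAIN.
LOG_LINES = [
    "1 10.0.0.5 mail.example.com NOERROR", "1 10.0.0.5 www.example.com NOERROR",
    "1 10.0.0.7 cdn.example.net NOERROR",
    "2 10.0.0.5 www.example.com NOERROR", "2 10.0.0.5 api.example.org NOERROR",
    "2 10.0.0.7 cdn.example.net NOERROR", "2 10.0.0.7 typo.exmaple.com NXDOMAIN",
    "3 10.0.0.5 www.example.com NOERROR",
    "3 10.0.0.7 cdn.example.net NOERROR", "3 10.0.0.7 img.example.net NOERROR",
    "4 10.0.0.5 www.example.com NOERROR", "4 10.0.0.5 wwww.example.com NXDOMAIN",
] + [f"4 10.0.0.7 {n}.dga.invalid NXDOMAIN" for n in ("kq3z", "vb81", "x0pl", "mm2r", "zz9q", "t7ua")]

def features(lines):
    """Per (window, client): (query count, fraction of answers that were NXDOMAIN)."""
    counts = defaultdict(lambda: [0, 0])  # (window, client) -> [queries, nxdomain]
    for line in lines:
        window, client, _qname, rcode = line.split()
        rec = counts[(int(window), client)]
        rec[0] += 1
        rec[1] += 1 if rcode == "NXDOMAIN" else 0
    return {key: (q, nx / q) for key, (q, nx) in counts.items()}

def build_baseline(feats, last_window):
    """Mean and population stdev of each feature over all baseline windows/clients."""
    rows = [vec for (w, _client), vec in feats.items() if w <= last_window]
    return [(statistics.mean(col), statistics.pstdev(col)) for col in zip(*rows)]

def flag_anomalies(feats, baseline, window, threshold):
    """Clients whose z-score on any feature exceeds `threshold` in `window`.
    `threshold` is the tuning knob: lower it and an ordinary typo starts to alert."""
    flagged = {}
    for (w, client), vec in feats.items():
        if w != window:
            continue
        zs = [(x - mean) / (sd or 1e-9) for x, (mean, sd) in zip(vec, baseline)]
        if max(zs) > threshold:
            flagged[client] = [round(z, 2) for z in zs]
    return flagged

def detect(threshold=3.0):
    feats = features(LOG_LINES)
    return flag_anomalies(feats, build_baseline(feats, 3), 4, threshold)

if __name__ == "__main__":
    print("threshold 3.0:", detect(3.0))  # only 10.0.0.7 (the NXDOMAIN burst)
    print("threshold 2.0:", detect(2.0))  # 10.0.0.5's single typo now alerts too
```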

Style 2: Network Forensics tools typically provide "full-packet capture and storage of network traffic" as well as analytics and reporting tools for incident response to advanced threats. Their advantages include reduced incident response time and the ability to reconstruct and replay flows and events over days or weeks, and some offer detailed reports that meet regulatory requirements. The downside? These tools can be complex, and costs "rise with the amount of data and the retention time." Because they analyze large amounts of data, report generation sometimes has to be scheduled off-hours. Among the vendors in Style 2 are said to be Blue Coat (Solera Networks) and RSA (NetWitness).

Style 3: Payload Analysis products can use a sandbox technique (either on premises or in the cloud) to detect targeted attacks on a near-real-time basis, but they typically don't "enable a postcompromise ability to track endpoint behavior over a period of days, weeks and months," Gartner notes. (To do that, look to Gartner's Style 5, Endpoint Forensics.) Gartner adds that its clients currently often voice the opinion that Payload Analysis products vary in their ability to accurately detect malware. The advantage they have, though, is that they can detect malware that successfully bypasses signature-based products, and some have optional blocking capability. The challenge in using Payload Analysis is that behavioral analysis can take several seconds or minutes to complete, allowing the malware to pass through into the network and potentially compromise endpoints, especially when the malware uses evasion techniques such as sleep timers that delay its execution. Some vendors are trying to thwart this, Gartner adds. Another drawback of this approach is that Style 3 doesn't "provide validation that the malware executed on endpoints."

And just because the malware behaved a certain way in a simulated environment doesn't mean it will act the same way when it hits real targets. Some Payload Analysis products support only a limited range of payloads, such as executables only, according to Gartner. Most support Microsoft Windows, and a few cloud approaches support Android, but Gartner sees none supporting Apple Mac OS X.

Examples of Style 3 would be AhnLab, Check Point with its Threat Emulation Software Blade, FireEye, Lastline, McAfee with its ValidEdge acquisition, Palo Alto Networks with WildFire, ThreatGRID and Trend Micro with Deep Discovery, says Gartner.

Style 4: Endpoint Behavior Analysis is based on the idea of "application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response." This Style 4 approach requires an agent on every endpoint, Gartner says. It can "intercept kernel system calls and block malicious activity such as thread injection attacks," and, "by isolating Web browsing sessions, protect users from malicious websites, including drive-by download sites and watering holes."

The strengths of this approach are blocking zero-day attacks, providing some basic forensics, and protecting systems whether they are on or off the network; the challenge is that deploying and managing the agent software is operationally intensive, and particularly hard in bring-your-own-device (BYOD) environments. Examples of vendors here include Blue Ridge Networks, Bromium, Invincea, Sandboxie and Trustware. Vendors that support memory monitoring include Cyvera, ManTech/HBGary (Digital DNA) and RSA's ECAT.

Style 5: The last style in Gartner's catalog is Endpoint Forensics, which involves tools for incident response teams. These endpoint agents collect data from the hosts they monitor; they can help automate incident response and monitor hosts both on and off corporate networks. The challenge in using them, though, is that they can be operationally intensive to deploy and manage, and support for non-Windows endpoints is quite limited. Examples of Style 5 vendors with tools include Bit9, Carbon Black, Guidance Software with its EnCase Analytics, Mandiant and ManTech/HBGary's Responder Pro.

In segmenting out its "Five Styles" of defense against advanced threats, Gartner advises enterprises to pair at least two "styles" together, such as using both Style 3 for Payload Analysis with Style 5 for Endpoint Forensics.

"Some Payload Analysis vendors have integrated their solutions with Endpoint Forensics vendors, which helps reduce incident response time. Network Traffic Analysis (Style 1) and Endpoint Forensics (Style 5) will provide similar benefits, but there have been fewer partnerships between vendors in these styles." Gartner analyst Lawrence Orans says vendor partnerships are a factor in this decision-making process. Also, some Styles are still quite Windows-centric, whereas Network Analysis is not. "I do see people combining two or more styles together, and there needs to be more of it," he adds.

The Gartner report contains a number of other suggestions on logical combinations of "Styles" as well. Gartner also notes that some vendors, especially the larger ones, are already delivering products that integrate two or more styles. However, the possible downside of enterprises choosing the single vendor approach, Gartner adds, is that "they sacrifice best-of-breed functionality from pure-play vendors that focus on only one style."

Gartner's Five Styles framework for combating advanced persistent threats aimed at stealing enterprise data doesn't mean abandoning more traditional security such as anti-virus, Orans says. The framework is specifically for those enterprise security managers willing to "lean forward" into trying focused approaches aimed at keeping dangerous intruders out.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
