CYBERSECURITY
The attacks themselves are more complex too, composed of multiple layers and techniques, each outsourced to specialty groups, ensuring zero-day effects. This they achieve by making sure nothing stays constant. Each stage in the attack changes by leveraging morphing techniques, such as dynamic DNS, fresh URLs for command and control (CnC), self-destruct tools, and more. Yesterday's zero-day code has already been packaged and sold to other cyber criminals for use in secondary campaigns. In short, the threat landscape's rate of change is accelerating rapidly, increasing the security gaps organizations must deal with and leaving them more exposed than ever before.
As surprising as it may sound, the new tactics of cyber criminals are not as new as you might think. Attackers actually recycle many of the same attack components. In fact, as many as 90 percent of these so-called new attacks can be prevented simply by correctly using existing security technologies as part of an end-to-end cybersecurity plan¹. Attackers typically use the most proven forms of attack because they work. And they work because organizations are often several steps behind in patching their systems and updating their defenses against the latest attack methods.
Cybercrime has become a booming industry, accelerating in the last 5 years, complete
with automated tools, customer support, and guarantees for product effectiveness.
The commoditization of new attacks and weaponized tools means that even the most
amateur hacker can now effectively deliver professional-level threats into a targeted
organization.
It's no wonder security professionals keep asking, "What can we do to protect ourselves and our customers from these new super villains?", hoping to hear about some shiny new product that will solve all of their security problems and provide protection against every new threat.

- Gain total visibility. Inspect all data and cut through the overwhelming volume of alerts and manual processes associated with operating many discrete security products designed for singular functions.
- Efficiently correlate information to identify infected systems and weaknesses throughout the network, cloud, and endpoints, and then execute protection across the network, devices, and data.
- Reduce the gaps between detection, analysis, and protection while keeping up with new threats composed of various tools, technologies, and vectors.

And this isn't easy. So, what should your plan be?
Reconnaissance

Just like burglars and thieves, cyber criminals carefully plan their attacks. They research, identify, and select targets, often using phishing tactics or extracting public information from LinkedIn profiles or corporate websites. Cyber attackers try to learn as much as possible about the systems you're running as they scan for services and applications they can exploit and identify vulnerabilities to target. Certain tools, like IPS and firewalls, can stop some of these tactics, specifically port scans and host sweeps. However, due to the public nature of the Internet, investigation by cyber criminals into your users and company affiliations is largely impossible to protect against.

Weaponization

Next, attackers create tailored exploits and combine them with malicious payloads to leverage weaknesses they've found during the reconnaissance stage. Because this stage is all done on the attacker's side, security tools cannot defend against weaponization. However, tools like sandboxes and intrusion prevention systems (IPS) can help to defend against targeted vulnerabilities and custom payloads packaged during this stage. Exploit kit protection can help make newly weaponized tools obsolete by decreasing their effectiveness when they're reused.
Considering the attack lifecycle within the context of your organization's network architecture, and understanding how cyber criminals operate, will help you to design a better cybersecurity strategy and build a holistic defense that dynamically identifies symptoms of infection, zeroes in on the root cause, and prevents the disease.
To achieve cybersecurity is to successfully protect your organization's electronic network and data against unauthorized use. You begin this process by determining what constitutes authorized use. First, you need to define who can interact with what, and how, typically using next-generation firewalls with granular access control policies. Second, and the focus of this guide, is to ensure the integrity of those approved interactions and make sure that they're not corrupted by hidden threats, which is no simple task. This is why you need more than a single technology to achieve cybersecurity.

Cybersecurity strategy has historically been limited to detection: monitoring a few known attack vectors at the Internet edge and on endpoints, and generating hundreds to thousands of alerts in an endless and reactive remediation cycle. This strategy focuses on continuously relieving the symptoms of high-priority threats, instead of correlating them and directing attention to repairing the root cause, once and for all. The unmanageable number of alerts and the constant cycle of repetitive remediation has significantly contributed to the fact that it takes organizations an average of 225 days to detect targeted APTs (advanced persistent threats) launched against them².

Multiple detection and prevention capabilities are necessary to enable teams to identify vulnerable interactions and network components, effectively manage risk, and quickly mitigate attacks. In order to determine which tools you need to accomplish this for your organization, let's begin by reviewing the fundamental functions above that are designed to execute.

The remainder of this Buyer's Guide is divided into two sections: the first section, 10 Things Your Next Cybersecurity Solution Must Do, outlines the architecture that is necessary for blocking attacks and preventing breaches. The second section delves into how these 10 things help buyers navigate the request for proposal (RFP) process and effectively evaluate a cybersecurity solution.
1
Enforce allowed interactions between your data and your users.

The network is at the core of your business. Like a virtual highway, it connects your users and customers to important data and dramatically increases productivity. And it must be protected. Data is constantly in transit, and because sources, destinations, and the paths in between them are becoming more and more virtualized, network traffic is increasingly complex. Roads that lead to critical data stores and valuable assets must be protected because it's not always obvious when access is abused.

Attackers look for the easiest way in, targeting users, devices, and applications to get to the data they're after. They know that organizations' diversity of unsecured remote and mobile devices makes it easier for them to piggyback into the corporate network. In addition to employees, customers and partners who use these numerous applications and devices to legitimately access data increase traffic complexity.

As an organization becomes more connected, and the roads to and from data stores significantly increase (e.g., multiple branch offices, private and public cloud environments, and greater numbers of remote users), the risk of successful breaches skyrockets.

Requirements

To reduce the sheer number of attacks to which your network and data are exposed, your cybersecurity solution must allow you to effectively reduce the attack surface by granularly identifying approved interactions between users and data based on the specific data you're trying to protect: what it contains, where it's located, how it should be used, and by whom. Choosing a solution that promotes micro-segmentation is also important. Each network location likely behaves somewhat differently, and thus each requires a slightly different set of allowed behaviors. Identify and group users according to their privilege levels and to which data they should have access. What's more, the policies that you construct must be enforced within the context of applications traversing the network and their expected interactions. Granular network access policies are the foundation to reducing the attack surface and to blocking unauthorized transactions, as they provide the most fundamental context around incoming and outgoing traffic.

It's not enough just to protect the roads between users and stores of data: the integrity of both users and the data itself must be verified and maintained.
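The requirement above (approved interactions between user groups and data, identified by application rather than port, with unknown traffic denied) can be made concrete as a small policy engine. The following is an added example, not code from the guide or from any vendor's product; the group names, zone names, application labels and sample flows are all constructed.

```python
"""Deny-by-default interaction policy for users, applications and data segments.

Added illustration, not the guide's or any vendor's code. Group names, zone
names, application labels and the sample flows below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = frozenset({"*"})  # wildcard: matches every value


@dataclass(frozen=True)
class Flow:
    user_group: str    # resolved from directory integration, not guessed from the IP
    src_zone: str      # network segment the flow originates in
    dst_zone: str      # segment holding the data store being reached
    application: str   # identified from traffic content; "unknown" when no decoder matched
    port: int          # recorded for logging only; it plays no role in the decision


@dataclass(frozen=True)
class Rule:
    name: str
    user_groups: FrozenSet[str]
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    applications: FrozenSet[str]
    action: str        # "allow" or "deny"


def _matches(allowed: FrozenSet[str], value: str) -> bool:
    return allowed == ANY or value in allowed


# Constructed policy: evaluated top-down, first match wins. Each rule names the
# group, the segment pair and the applications that form an approved interaction.
POLICY: List[Rule] = [
    Rule("finance-to-erp", frozenset({"finance"}), frozenset({"corp-users"}),
         frozenset({"erp-segment"}), frozenset({"erp-web", "erp-db"}), "allow"),
    Rule("eng-to-dev", frozenset({"engineering"}), frozenset({"corp-users", "vpn"}),
         frozenset({"dev-segment"}), frozenset({"ssh", "git"}), "allow"),
    Rule("block-evasive-apps", ANY, ANY, ANY,
         frozenset({"external-proxy", "encrypted-tunnel"}), "deny"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name). Traffic that matches no rule, including
    traffic whose application could not be identified, is denied."""
    for rule in policy:
        if (_matches(rule.user_groups, flow.user_group)
                and _matches(rule.src_zones, flow.src_zone)
                and _matches(rule.dst_zones, flow.dst_zone)
                and _matches(rule.applications, flow.application)):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed sample flows exercising the interesting cases.
SAMPLE_FLOWS = [
    Flow("finance", "corp-users", "erp-segment", "erp-web", 443),           # approved interaction
    Flow("finance", "corp-users", "erp-segment", "ssh", 22),                # right group, wrong application
    Flow("engineering", "vpn", "dev-segment", "git", 8443),                 # allowed app on a non-standard port
    Flow("engineering", "corp-users", "erp-segment", "erp-web", 443),       # wrong group for this segment
    Flow("engineering", "corp-users", "dev-segment", "unknown", 443),       # unidentified traffic
    Flow("finance", "corp-users", "erp-segment", "encrypted-tunnel", 443),  # evasive app, explicit deny
]


def decide_all(flows=SAMPLE_FLOWS):
    """Map each flow to its decision so the policy can be reviewed as a table."""
    return [(f.user_group, f.dst_zone, f.application, f.port, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for row in decide_all():
        print("%-12s %-12s %-16s %5d -> %-5s (%s)" % row)
```

The port is deliberately absent from the decision: the third sample flow is allowed because the application was identified as git, regardless of the port it used, while the fifth is denied purely because the application could not be identified.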
Complete, end-to-end threat identification for all applications, users, and devices in all locations, on and off the corporate network, is imperative for an effective cybersecurity strategy.

Requirements

Know your business, know your network, know your users: your team and your tools can only protect your organization from the things they can see, so choose a cybersecurity solution that gives you visibility into everything, everywhere. Assume that any application can carry threats and can run on any port. Monitor incoming and outgoing traffic on both common and uncommon protocols, like POP, IMAP, and FTP, as well as files that may be deceptively dangerous, like Microsoft Office, PDFs, Adobe Flash files, and Android APKs. Selectively decrypt traffic using SSL and unpack compressed files regularly for inspection.

Choose a solution that allows you to more effectively segment your network based on expected interactions and behavior. Control who and what can communicate, and how. Understand how each application, user, and device is used, how they may be leveraged at different stages of an attack, and protect your network by protecting them.

3
Protect data at multiple stages in the attack lifecycle.

All attacks are comprised of multiple stages strung together to form the attack lifecycle, which was discussed earlier in this guide. However, all stages must succeed before the attacker's objective can be met. The four key stages where the opportunity to prevent the attack manifests are: delivery, exploitation, installation, and command and control. Stand-alone security tools, like traditional IPS or Web proxies that focus solely on one stage, may fail, especially where new or unknown techniques are used. For instance, any application can be used for delivery or exploitation, installation can occur on any device,
foothold within the target organization.

4
Outsmart advanced threats specifically designed to outmaneuver security tools.

Advanced threats are designed to be evasive in order to bypass security defenses. Sometimes, evasive traffic is not ill-intentioned, but instead meant to provide constant availability to users. We can classify evasions into three groups:

Network-level evasions involve packet order and sequence modification. Tricks like fragmentation and obfuscation, in which a malicious payload is divided into separate packets or is separated by benign packets, are used to bypass intrusion prevention systems. Once inside the network, the packets are put together correctly and the malicious payload is assembled, delivering an exploit. What's more, an individual vulnerability that exists within either the network or an application can be exploited in hundreds of different ways. Similarly, known malware can be altered very easily with a simple hash or file-name change.

Application-level evasions fall into two classes: those that are expressly designed to evade security, like external proxies and encryption tunnels, and those that can be adapted to easily achieve the same goal, like remote server and desktop management tools. Not all evasive applications carry the same risks; remote access applications have legitimate uses, as do many encrypted tunnel applications. However, attackers are increasingly adopting these same tools as part of ongoing persistent attacks. Without the ability to identify these security evasion techniques, control nested applications and sub-features, analyze file payloads, and enforce security policies on all of these, you can inadvertently expose your organization to uncalculated risk.

User-level evasions include tactics like phishing and malvertising, where victims are tricked into clicking a link containing an exploit kit or spoofed website, or opening an attachment that executes malicious code on the victim's machine. Attackers
and hash-based signatures, or by a smaller set of payload-based signatures capable of detecting and preventing multiple variations individually. Smart signatures capable of uncovering threats deep within each packet and file and comprehensively across many protocols, file types, exploits, and hashes offer increased protection, as well as future protection against variation and reuse of the same attack components.

Also consider the granular detection capabilities within sandboxing and URL filtering tools. They should be able to determine whether email links and individual web pages are malicious, detect malicious code hidden within commonly used file types and compressed files, and put prevention mechanisms in place to identify and protect your users from being deceived.

6
Be up to date with intelligence and protections against the latest attacks.

Threats are constantly changing as attackers evolve their methods in a continuous effort to be more deceptive and evasive. We can group attacks into two types:

Targeted attacks are aimed at specific groups or organizations within any given industry. Making matters worse, they target particular individuals or systems with known vulnerabilities, and deploy exploits or malware that leave those systems defenseless. It is vital that the infection be identified quickly after a targeted attack. Components must be detected and defenses must be customized and distributed across the infrastructure (i.e., other devices and network segments), to contain the spread of infection.

Opportunistic attacks, in which an attacker casts a wide net in hopes of infecting as many victims as possible. Opportunistic attacks are less customized to specific organizations, but can be just as dangerous as targeted attacks. In opportunistic attacks, viruses and bots are typically used to propagate the infection widely and rapidly, compromising thousands and sometimes hundreds of thousands of devices across many organizations. Knowing when and how other organizations were attacked can provide valuable intelligence that may help you to determine if your organization has been infected with the same threat and prevent you from being victimized in the future.

The rate at which attacks are changing dictates that what protected your network against attacks this morning may not be effective against attacks being launched in the next few minutes. Keeping prevention capabilities within your security technologies as current as possible helps to minimize risk of infection and restricts attackers to threats containing pristine,

5
Facilitate the translation of new intelligence into protections within security policies.

Sophisticated attacks are designed to leverage vulnerable users or systems to stealthily enter the network, carefully avoiding techniques that will trigger traditional defenses and remaining inside the network for prolonged periods of time, slowly chipping away at their objectives so as not to arouse suspicion.

The challenge with sophisticated attacks for security teams is that some of the attack components may be completely new: true zero-day threats. Furthermore, those threats, when taken by themselves, may not indicate anything interesting that you and your security team should investigate.

In 60 percent of attacks⁴, it only takes minutes for compromise to occur. This infection speed necessitates the quick translation of data into intelligence, and then into protections that are enforced, allowing you to prevent network and device infection in near real-time and rely less on manual research-and-remediate processes after compromise has already occurred.
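Two of the points made above are easy to see in code: a network-level evasion that splits a payload across out-of-order, overlapping segments defeats inspection that looks at each packet on its own but not inspection of the reassembled stream, and a hash signature that covers exactly one file misses a trivially altered variant where a payload-based signature still matches. The following is an added example, not code from the guide or any vendor; the "malicious" sample is a constructed placeholder string containing no real exploit, and the segment layout is constructed.

```python
"""Two reasons per-packet, hash-only inspection misses what stream-aware,
payload-based signatures catch.

Added illustration, not the guide's or any vendor's code. The "malicious"
sample is a constructed placeholder string; it contains no real exploit.
"""
import hashlib
import re
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (stream offset, data), as an IPS sees TCP segments

# Constructed sample "file" and a variant of it (only the version string differs).
MARKER = b"CONSTRUCTED-PAYLOAD-MARKER"
SAMPLE = b"HEADER:sample-tool v1\n" + b"A" * 24 + MARKER + b" v1\n" + b"TRAILER\n"
VARIANT = SAMPLE.replace(b"v1", b"v2")

# A hash signature covers exactly one byte sequence.
KNOWN_HASHES = {hashlib.sha256(SAMPLE).hexdigest()}

# A payload-based signature describes the structure that variants share.
PAYLOAD_SIGNATURE = re.compile(re.escape(MARKER) + rb" v\d+")


def hash_signature_hit(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def payload_signature_hit(data: bytes) -> bool:
    return PAYLOAD_SIGNATURE.search(data) is not None


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the stream before inspecting it: order segments by offset and
    drop overlapping bytes already seen (first copy wins). A gap means data is
    still missing, so inspection cannot safely conclude anything yet."""
    buf = bytearray()
    for offset, data in sorted(segments, key=lambda s: s[0]):
        if offset > len(buf):
            raise ValueError("gap in stream at offset %d" % len(buf))
        buf.extend(data[len(buf) - offset:])
    return bytes(buf)


def per_packet_match(segments: List[Segment]) -> bool:
    """Naive inspection: each segment is checked on its own."""
    return any(payload_signature_hit(data) for _, data in segments)


def stream_match(segments: List[Segment]) -> bool:
    """Stream-aware inspection: match against the reassembled payload."""
    return payload_signature_hit(reassemble(segments))


def fragmented_delivery(data: bytes = SAMPLE) -> List[Segment]:
    """Constructed delivery that splits the marker across two segments and
    sends them out of order with a retransmitted, overlapping head in between."""
    cut = data.index(MARKER) + len(MARKER) // 2
    return [
        (cut, data[cut:]),   # tail arrives first
        (0, data[:10]),      # duplicate of the head (overlap)
        (0, data[:cut]),     # head arrives last
    ]


if __name__ == "__main__":
    segs = fragmented_delivery()
    print("per-packet match:       ", per_packet_match(segs))         # False
    print("stream match:           ", stream_match(segs))             # True
    print("hash sig on variant:    ", hash_signature_hit(VARIANT))    # False
    print("payload sig on variant: ", payload_signature_hit(VARIANT)) # True
```

The reassembler refuses to inspect a stream with a hole in it rather than matching against partial data; in a real IPS that decision (hold, drop, or fail open) is a policy choice, and it is worth asking a vendor which one their engine makes.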
Requirements

While a dedicated threat research team is important, it is rarely enough. Attackers are automating new threats, and therefore your data-to-protection process must also be automated if it is to stay ahead of the evolution. To do this, your cybersecurity solution must be able to:

- Compile threat data quickly from new attacks into intelligence.
- Produce protections against those threats as soon as attackers operationalize them. This includes attacks on your network and other organizations around the world.

Consider investing in tools that:

- Analyze threats seen around the globe.
- Generate new signatures for future protection that prevent at each attack stage automatically.
- Deliver those protections to all policy enforcement within your network, proactively preventing threats seen by other organizations from infecting your network.

Generated protections should be smart: an individual signature should protect against multiple variations of the originally analyzed threat to ensure maximum coverage. Additionally, technologies that provide automated detection and prevention capabilities should also provide you with tools to help mitigate any current network infection.

7
Enable quick and accurate mitigation.

You've likely heard the phrase, "There's no silver bullet." Vendors use this phrase to express that even the most advanced defense capabilities cannot guarantee 100 percent protection from zero-day attacks.

After being hit by a sophisticated attack, it's critical to identify the infection quickly and protect other devices and network segments against its spread. Because most network defenses comprise best-of-breed tools from multiple vendors, prevention becomes difficult. The process is arduous, highly manual and time consuming, especially if threat data is isolated in different systems and stored in different locations.

Thus, mitigation and remediation planning continue to be an important part of an organization's cybersecurity strategy. However, relying too heavily on continuous remediation to solve security problems is costly and does nothing to prevent breaches from happening.

As we've seen in the attack lifecycle, infection doesn't necessarily mean you've been breached. If you're able to prevent outbound communication with attackers (command and control), you've effectively caused the attack to fail, even though you may still
immediately alert you to infection, regardless of location.

Requirements

There are different ways cybersecurity solutions handle detection logs and incident reports. Look for those that offer:

- Correlated threat logs across each detected stage in an attack.
- Alerts to high-fidelity indicators of compromise through active searches, including identifying the infected device beyond simple IP addresses.

Consider a solution that correlates suspicious behaviors to highly accurate infection alerts, so you know with complete confidence that infection has taken place and can prioritize accordingly to swiftly limit the network's exposure. Remember that, because many attackers will try to leverage uncommon, and therefore likely undefended, attack vectors, any threat analysis tool must also cover all locations and devices within your infrastructure.

Threat logs correlated with in-network heuristics, such as a specific vulnerability exploit combined with a specific malware download and subsequent attempts to reach specific domains at abnormal times, can inform you of both the original victim device and the direction of the threat's lateral movement with a great deal of accuracy.

Consider a solution that does more than merely alert you to infections; for instance, one that isolates compromised devices from the rest of the network or blocks them from outbound communication. Keep in mind that mitigation planning should be done as part of disaster recovery tactics (what to do in an emergency situation), but it shouldn't be the norm. Secure your infrastructure to prevent most attacks, so that infection alerts that necessitate emergency remediation actions aren't an everyday occurrence.

8
Coordinate actions comprehensively across individual security technologies.

Throughout our lives, stress is put on the importance of working as a team because we know we can achieve optimum efficiency through coordinated, yet specialized, action. The same is true when it comes to cybersecurity. Security technologies and individual sensors throughout your network contain information-gathering and enforcement capabilities that, if built to work together, have the power to make your team's efforts to secure the organization more effective. Being able to identify individual pieces of an attack (what's going on in a given attack stage) and correlate those pieces to create a larger picture of the attack as a whole is essential to effectively stopping it. The big picture sets the context of the attack for understanding where gaps in security may exist, where protections must be created, and distributing enforcement to block the attack and close those gaps.

9
Keep your business running.

Many organizations struggle when it comes to choosing between securing the organization and enabling the thousands of applications that accelerate business efficiency and profitability; one of these is usually sacrificed. More often than not, turning on security features means that users must accept high latency or, worse, restriction from using the applications or accessing the data they need. If your cybersecurity solution is architected correctly, this compromise is unnecessary.

Requirements

Reducing the attack surface is a key component to maintaining usability. Eliminating unknown or unnecessary traffic and data interactions reduces the amount of allowed traffic that must be scanned for threats, which lightens the processing load that your cybersecurity tools must take on.

Cobbling together stand-alone security functions from different technological origins or several blades usually means there are redundant networking layers, scanning engines, and policies, which translates into more complexity for you and a higher probability that desired applications aren't safely enabled or enabled at all. The latter outcome can also mean an increased number of IT support cases submitted by frustrated users.

10
available on one device within one interface, gives security teams a complete view of what's going on within their network infrastructure and data, without hassle.

Requirements

Although we can automate many processes needed for mitigation and risk assessment, human interaction is still required at some point. Natively integrated security technologies that run on a single device allow you to easily glimpse what's going on with each data flow; search for, correlate, and prioritize critical security events; and make it simple to granularly adjust policy based on present events. It's especially helpful if policies can be updated once and that update applied to multiple functions, instead of having to make the same update several times in multiple places to achieve your desired security coverage.

Look for a cybersecurity vendor who correlates security data both at a local level, so you know exactly what's going on in your network and can respond accordingly, and on a global level, providing you with actionable intelligence on threat campaign details. That way, you can make informed decisions on how to keep your organization safe from future attacks simply and efficiently.
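The mitigation requirements in section 7 above describe correlating an exploit, a malware download and subsequent command-and-control attempts at abnormal times into a single high-fidelity alert that names the victim device (not just its IP) and the direction of lateral movement. The following is an added example of that correlation logic run over sample log lines; it is not code from the guide or any vendor, and the log format, field names, hostnames, users, addresses and domains are all constructed.

```python
"""Correlating per-stage threat logs into a high-fidelity infection alert that
names the device and user, not just an IP, and records lateral-movement direction.

Added illustration, not the guide's or any vendor's code. The log format,
field names, hostnames, users and addresses below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: one device that walks the whole chain at 02:00,
# one with two stages during business hours, one with a single blocked event.
SAMPLE_LOGS = """
2024-03-04T02:13:07Z src=10.0.5.23 host=ws-finance-07 user=jdoe stage=exploitation sig=constructed-exploit-kit-landing
2024-03-04T02:13:09Z src=10.0.5.23 host=ws-finance-07 user=jdoe stage=installation sig=malware-download file=update.exe
2024-03-04T02:14:30Z src=10.0.5.23 host=ws-finance-07 user=jdoe stage=command-and-control dst=beacon.constructed.example
2024-03-04T02:20:11Z src=10.0.5.23 host=ws-finance-07 user=jdoe stage=lateral dst=10.0.5.40 dst_host=ws-finance-12
2024-03-04T09:41:00Z src=10.0.7.88 host=ws-eng-03 user=asmith stage=installation sig=malware-download file=setup.msi
2024-03-04T10:05:00Z src=10.0.7.88 host=ws-eng-03 user=asmith stage=command-and-control dst=telemetry.constructed.example
2024-03-04T11:02:45Z src=10.0.9.12 host=ws-hr-01 user=lchen stage=exploitation sig=constructed-office-macro action=blocked
""".strip().splitlines()

KILL_CHAIN = ("exploitation", "installation", "command-and-control")
WINDOW = timedelta(minutes=30)   # how close the stages must be to count as one incident
BUSINESS_HOURS = range(7, 19)    # CnC outside these hours is an extra indicator


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(lines):
    """Group events by device and emit one alert per device that shows at
    least two kill-chain stages. Confidence is high only when all three stages
    occur within WINDOW; a single stage is noise and produces no alert."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        by_host[event["host"]].append(event)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        chain = [e for e in events if e["stage"] in KILL_CHAIN]
        stages = sorted({e["stage"] for e in chain}, key=KILL_CHAIN.index)
        if len(stages) < 2:
            continue
        span = chain[-1]["ts"] - chain[0]["ts"]
        off_hours_cnc = any(e["stage"] == "command-and-control"
                            and e["ts"].hour not in BUSINESS_HOURS for e in chain)
        alerts.append({
            "device": host,                 # the infected device, beyond its IP
            "user": chain[0]["user"],
            "ip": chain[0]["src"],
            "stages": stages,
            "confidence": "high" if len(stages) == 3 and span <= WINDOW else "medium",
            "off_hours_cnc": off_hours_cnc,
            # direction of spread: hosts this device reached after infection
            "lateral_targets": [e["dst_host"] for e in events if e["stage"] == "lateral"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run as-is, it raises one high-confidence alert for ws-finance-07 (all three stages inside two minutes, off-hours beaconing, spread towards ws-finance-12), a medium one for ws-eng-03, and nothing for the single blocked event on ws-hr-01, which is the prioritisation the section asks a solution to provide.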
The previous section established the 10 key requirements your next cybersecurity solution must have; this section will translate those requirements into tools you can use to identify and select a cybersecurity vendor. There are many elements to consider when evaluating how effectively a vendor can deliver application, user, device, and data security. Cybersecurity technologies sitting out of band in alert-only mode are better than not having any security at all. However, in this context, they're not actually securing anything. Your ultimate goal in evaluating and implementing any cybersecurity solution should be to secure your organization by preventing threats in real time.
Consider the following questions and statements when issuing an RFP:

- Describe segmentation requirements. How many users, servers, or virtual machines can be supported simultaneously?
- How does the solution address the allowance for, or denial of, applications?
- How does the solution address BYOD issues?
- If a client component is included as part of the solution, how is it distributed to each client and maintained?
- Provide a detailed description, including all necessary components, of the available options for securing remote users.
- Is the solution capable of performing multiple file format analysis, including but not limited to LNK, Microsoft objects, PDF, EXE, SWF, DLL, JAR, CLASS, SCR, and APK?
- device, or behavioral context from another security tool?
- How is application state tracked and utilized to ensure consistent contextual awareness to secondary functions?
- Describe in detail how traffic is accurately contextualized.
- Which mechanisms besides signatures are used to contextualize traffic?
- Describe the breadth of application and file protocol decoder use.
- How are SSL and SSH decryption implemented?
- Describe the coordination between prevention technologies.
- Are these prevention technologies hardware or software add-ons?
- How are these prevention technologies licensed?
- How does the solution defend against lateral movement?
- Describe how the solution detects custom or polymorphic malware.
- What mechanisms are used to block these types of malware?
- How does your sandboxing feature address the use of multiple application versions?
- Does the device include built-in virtual execution environments within a single appliance to simulate the file activities and find
- Is the solution able to analyze files for zero-day threats and mitigate them within minutes?
- How does the solution accurately identify infections?
- How does the solution rate infection severity and fidelity?
- How does the solution correlate suspicious behaviors for devices across multiple segments within the organization?
- Are infection reports logged in real time?
- How quickly are protections or blocking actions enabled after identifying an infection?
- Describe the traffic mix used to produce the published performance metrics for:
  - Application control
  - Application control + logging
  - Application control + IPS
  - Application control + IPS + AV
  - Application control + IPS + AV + anti-spyware
- What is the rated throughput for:
  - Application control
  - Application control + logging
  - Application control + IPS
  - Application control + IPS + AV
  - Application control + IPS + AV + anti-spyware
- Does the sandboxing feature add latency for the end user, and if so, by how much?
- Are the application identification mechanisms dependent on the application's standard port?
- Can threat policies be applied to an application on all ports, and is the process automatic or manually configured?
- Does the solution have the ability to deny unknown traffic?
- Is the solution able to identify users, and what is that identification based on?
- What third-party directory services does the solution integrate with?
- How do the prevention mechanisms scan content within compressed files like ZIP?
- Describe threat research and development processes.
- How effective are malware signatures?
- How many malware variants can a single signature prevent?
- How many external threat intelligence sources are fed into the solution?
- Describe how the solution handles rapidly changing command and control domains.
- Describe how the solution handles legitimate websites or domains that have been compromised.
- Does solution management require a separate server or device?
- Does the solution have a separate management system with dedicated CPU, memory and disk?
- Describe all of the management options that are supported: Command line interface (CLI)? Browser? Software client? Centralized server?
- For each of the management alternatives supported, describe how much effort is required to move from one management technique to another.
- Describe the centralized management architecture and deployment options.
- Describe how management access is ensured when the device is under heavy traffic load.
- Describe the relationship between individual devices and the centralized management of multiple devices.
- Describe the difference in management between hardware and virtualized instances.
- Are different or separate devices required to secure public and private cloud environments?