Key Takeaways
Prevention Isn't Dead
There are innovative prevention technologies, but for these controls to be relevant, they
must demonstrate operational effectiveness and scalability. Solutions that are appealing
on datasheets must also work for modern enterprise. If done well, prevention can relieve
some of the daily operational burden and stress on S&R professionals.
No Single Technology Will Meet Your Breach Detection Needs
Investing in malware sandboxes alone isn't sufficient to defend the modern enterprise. You're going to need a combination of malware analysis, network analysis and visibility, endpoint visibility and control, and security analytics.
Invest In Vendors That Provide Multiple Pillars
Prioritize the vendors who can supply you with multiple technology pillars. Make sure
that these vendors also offer a common user experience, and as many integrations
between their technologies as possible. Vendors that can enable the orchestration of
your defense should be at the top of your list.
© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.
Figure panels: Detection and response; Prevention
The Pareto principle applies. Not all attacks are targeted, and not all targeted attacks are from state actors or other sophisticated cyberadversaries. If you can use prevention to eliminate 80% of the attacks against your organization, you can focus your limited resources on detecting and responding to the attackers that have the motivation and capability to do the greatest harm. You don't want to be focusing on nuisance threats while skilled attackers are exfiltrating your most precious data.[1] At a minimum, prevention eliminates noise.
Prevention can be innovative. Prevention can do more than just eliminate noise. Don't think of prevention as just antivirus (AV) blacklisting and IDS/IPS signatures; prevention can be much more than that. During the past 18 months, we have seen the emergence of innovative solutions at the endpoint, including Bromium, Invincea, and IBM Trusteer.[2] RSA Conference Innovation Sandbox finalist Cylance, as well as Cyvera (recently acquired by Palo Alto Networks), are other examples of innovative endpoint security controls.[3] The Microsoft Enhanced Mitigation Experience Toolkit (EMET) also provides this type of capability. It's important to note that even solutions that are designed to prevent zero-day attacks can be circumvented. In early July, researchers from Offensive Security were able to disable all of EMET's protections.[4] If you can prevent something malicious from occurring in the first place, there is no need for response.
Prevention must not negatively affect the user experience. You can have the most effective security control, but if it is so intrusive that employees can't work, it won't be in production for very long.[5] This applies to endpoint security as well; the poor user experience of training a host intrusion prevention system (HIPS) is a prime example. These new endpoint solutions must demonstrate that they can be both effective and transparent to users.[6] Many organizations, concerned about blocking legitimate actions, have adopted a lighter touch on the endpoint via endpoint visibility and control (EVC) solutions.
Prevention must demonstrate operational effectiveness and scalability. The user experience isn't the only perspective that S&R pros need to consider; the administrator's experience operationalizing the solution is also important. Dashboards and an intuitive user interface enhance operational effectiveness. Scalability is another important consideration: Deploying a solution to 100 endpoints is one thing; deploying a solution to 100,000 endpoints is an entirely different matter. Tanium, a solution with endpoint visibility capabilities, just received $90 million in funding in part because of its ability to deploy at scale for very large enterprises.[7]
Prevention will always be a part of response. At a certain stage in detection, you will move to response. Blocking adversary command and control is one example of prevention. Prevention also occurs in the containment phase of response. From a network perspective, you might use network access control to kill the switch port connected to the infected host. You might use endpoint visibility and control to surgically kill a malicious process. You could also integrate with Active Directory to prevent a compromised account from accessing the network. The real questions regarding prevention are how you will integrate it into your portfolio and how you can use it as a force multiplier for your protection.
Figure panels: Malware analysis; Threat intelligence; Endpoint visibility and control; Security analytics
Dynamic analysis executes and observes malware. Virtual sandboxes are a popular method
for performing dynamic analysis. Advanced dynamic analysis introduces a debugger to observe
the internal state of an executable. These automated malware analysis solutions inspect code and
make a determination as to whether it is malicious in nature.
Dynamic malware analysis can be effective at detecting malicious code; however, adversaries are well aware of this technology within their targets. This has led to a constant cat-and-mouse game in which adversaries try to evade analysis and vendors try to enhance their solutions with anti-evasion techniques. FireEye has written several blog postings illustrating the evolution of sandbox evasion. Most recently, they wrote about evasion techniques that require human interaction.[11] Anti-evasion techniques are just some of the criteria that you need to consider when evaluating automated malware analysis capabilities (see Figure 3).
Static analysis analyzes the code or structure of malware to understand how it functions.
Unlike dynamic analysis, static analysis does not run the malware itself at the time of analysis.
Malware authors make static analysis more difficult by obfuscating the execution of malware
and by using packers to compress executables. More advanced static analysis involves reverse
engineering the malware. Malware analysis solutions often include some very light static
analysis to help detect malcode that might not execute in a virtual environment.
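As an added illustration of the static-analysis point above (this code is not from the report or from any vendor it names), the following Python computes per-window Shannon entropy over a byte buffer and flags the near-random profile that packed or compressed executables present to a static analyzer. The two sample buffers, the window size and the thresholds are constructed assumptions, and entropy is only one indicator among several a real tool would combine.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each consecutive window; the final window may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def assess_packing(data: bytes, chunk_size: int = 1024,
                   high: float = 7.0, min_fraction: float = 0.5) -> dict:
    """Heuristic packing indicator (thresholds are assumptions, not a standard):
    compressed or encrypted payloads look close to random, so when at least
    min_fraction of the windows sit at or above `high` bits/byte, the buffer is
    flagged as likely packed and worth deeper reverse engineering."""
    ents = chunk_entropies(data, chunk_size)
    high_windows = sum(1 for e in ents if e >= high)
    fraction = high_windows / len(ents) if ents else 0.0
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "high_entropy_fraction": round(fraction, 3),
        "likely_packed": fraction >= min_fraction,
    }


# Constructed samples (not real binaries): a low-entropy buffer shaped like
# ordinary code and data, and a high-entropy buffer standing in for a packer's
# compressed section. A fixed seed keeps the second buffer reproducible.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 60 + b"\x00" * 2048
_rng = random.Random(20140701)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, assess_packing(buf))
```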
Figure 3: Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions

Automated malware analysis

Considerations:
- A combination of dynamic and static analysis can detect malware that traditional signature-based controls miss.
- Sophisticated adversaries will circumvent dynamic malware analysis. Evasion detection is important.
- Many organizations are overwhelmed by malware alerts. Alert-driven security is a reality.
- Scalability is a challenge for on-premises malware analysis deployments when an organization is distributed with many ingress/egress points.
- A malware analysis solution must observe malicious code; it isn't effective against threat vectors where initial infection occurs in the extended enterprise, beyond perimeter security controls (watering hole attacks/SWC).
- A malware analysis solution is unable to observe lateral movement where malicious code isn't involved.
- For many vendors, malware analysis visibility is limited to web, email, and SMB protocols.
- Organizations with operational security (OPSEC) concerns should consider on-premises or private cloud deployments. The analysis of malware that results in subsequent blocking could alert attackers.

Key evaluation criteria:
- Deployment options: on-premises, cloud, hybrid.
- On-premises deployment options: passive, passive blocking, inline blocking.
- What malware analysis techniques are used (static, dynamic, emulation, network behavior)?
- What types of content are inspected (executables, DLLs, archives, images, PDFs, Flash, office documents, JavaScript)?
- What anti-evasion techniques are used to ensure malware executes in the analysis environment?
- What endpoint integrations exist? Integration with endpoint controls provides endpoint context. Was the endpoint already patched for the vulnerability being exploited? Endpoints can also perform containment/remediation.
- Ability to perform dynamic analysis on customized virtual machine images.
- Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX).
- Virtual machine operating system support (Windows, OSX).
- What NAV capabilities exist? Some of the vendor solutions not only offer automated malware analysis but also offer NAV capabilities.
- Visibility into encrypted traffic.
- Android APK analysis.

Solutions:
- Commercial: Bluecoat Norman Sandbox, Cyphort, Fidelis XPS Advanced Threat Defense, FireEye Threat Prevention Platform, Light Cyber, Palo Alto Networks WildFire, Lastline, Seculert, ThreatGrid, Trend Micro Deep Discovery
- Open source: Anubis, Cuckoo Sandbox, Minibis, Wepawet
Figure 5: Endpoint Visibility And Control Considerations, Key Evaluation Criteria, And Solutions

Endpoint analysis and control

Considerations:
- The extended enterprise makes endpoint security a necessity. Organizations have no visibility when endpoints are beyond the perimeter. For example, an endpoint perspective is needed to detect strategic web compromise/water hole attacks when the host is remote.
- An endpoint perspective is necessary to determine the impact of malware. Did it actually execute? Was the host already patched against the exploit?
- Endpoint control provides the ability to perform surgical containment of malicious processes.
- Endpoint solutions must demonstrate that they can deploy at scale in an operationally effective manner.
- BYOC makes deployment challenging, if not impossible.
- Need to overcome yet-another-agent syndrome. The addition of a new endpoint agent can impact the resources available on a host that already has multiple endpoint agents.
- If the endpoint is already compromised, you cannot trust what it is reporting back. EVC must be deployed to a host in a known good state.

Key evaluation criteria:
- Does the solution operate in user space or kernel space?
- What impact does the EVC agent have on the host operating system (memory, CPU, disk)?
- Does the solution provide visibility and monitoring only? What about containment?
- What operating systems are supported (Windows, OSX)?
- How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?
- What workflow is used for enabling automated response (crawl, walk, run)?
- How does the solution ingest threat intelligence? How can you hunt/search for threat indicators?
- What threat intelligence standards are supported (OpenIOC, STIX/TAXII/CybOX)?
- What visualization capabilities exist to enhance analysis?
- What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?
- What incident response/forensic analysis workflows exist?
- What network security/NAV integrations exist?
- What integrations exist for automated response (Active Directory integrations for account lockout, switch port integrations for disabling endpoint network access)?

Solutions:
- Commercial: Bit9, Carbon Black, Confer, CounterTack Sentinel, CrowdStrike Falcon Host, Cybereason, FireEye HX, Guidance Software Cyber Security, Hexis HawkEye G, Tanium, Triumfant, Verdasys Digital Guardian
- Open source: Immunity El Jefe, OSSEC
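To show what three of the evaluation criteria above (lateral movement detection, the use of legitimate Windows tools for malicious purposes, and risk-based triage of high-value targets such as domain controllers) can look like as concrete detection logic, here is an added Python example that is not from the report or from any vendor it lists. The telemetry, its field names, the thresholds, the `/node:` target convention and the high-value host list are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EVC telemetry (not from the report): one process-creation
# event per line, in the field layout assumed for this example.
SAMPLE_TELEMETRY = """\
ts,host,user,parent_image,image,cmdline
2014-07-01T09:00:01,ws-101,alice,explorer.exe,outlook.exe,outlook.exe
2014-07-01T09:02:10,ws-101,alice,winword.exe,cmd.exe,cmd.exe /c start
2014-07-01T09:05:00,ws-207,bob,explorer.exe,excel.exe,excel.exe budget.xlsx
2014-07-01T09:30:00,ws-101,alice,cmd.exe,wmic.exe,wmic.exe /node:fs-01 os get caption
2014-07-01T09:31:00,ws-101,alice,cmd.exe,wmic.exe,wmic.exe /node:fs-02 os get caption
2014-07-01T09:32:00,ws-101,alice,cmd.exe,wmic.exe,wmic.exe /node:dc-01 os get caption
2014-07-01T10:00:00,admin-01,svc_patch,cmd.exe,wmic.exe,wmic.exe /node:fs-01 os get caption
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Built-in Windows administration tools that are legitimate on their own but
# worth correlating when one user drives them against many hosts.
REMOTE_ADMIN_TOOLS = {"wmic.exe", "winrs.exe", "sc.exe", "schtasks.exe"}
HIGH_VALUE_HOSTS = {"dc-01"}          # assumed asset-risk list (domain controllers)
FANOUT_THRESHOLD = 3                  # distinct targets from one user ...
FANOUT_WINDOW = timedelta(minutes=10)  # ... within this window


def parse_events(text: str) -> list:
    """Parse CSV telemetry into dicts with a real datetime in 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows


def remote_target(cmdline: str):
    """Return the remote host named by a /node: or -r: argument, else None."""
    for tok in cmdline.split():
        low = tok.lower()
        if low.startswith("/node:") or low.startswith("-r:"):
            return tok.split(":", 1)[1].strip('"')
    return None


def detect(events: list) -> list:
    findings = []
    # Rule 1: an Office application spawning a command shell, the classic sign
    # of document-borne execution on a remote laptop the perimeter never saw.
    for e in events:
        if e["parent_image"].lower() in OFFICE_APPS and e["image"].lower() in SHELLS:
            findings.append({"rule": "office_spawned_shell", "host": e["host"],
                             "user": e["user"], "ts": e["ts"], "severity": "medium"})
    # Rule 2: one user fanning a remote-admin tool out to many hosts in a short
    # window; severity is raised when any target is a high-value asset.
    by_user = defaultdict(list)
    for e in events:
        if e["image"].lower() in REMOTE_ADMIN_TOOLS:
            target = remote_target(e["cmdline"])
            if target:
                by_user[e["user"]].append((e["ts"], target, e["host"]))
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _, host) in enumerate(hits):
            targets = {tgt for ts, tgt, _ in hits[i:] if ts - t0 <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                severity = "high" if targets & HIGH_VALUE_HOSTS else "medium"
                findings.append({"rule": "remote_admin_fanout", "host": host, "user": user,
                                 "ts": t0, "targets": sorted(targets), "severity": severity})
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_TELEMETRY)):
        print(f)
```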
Vendors are developing new security analytics (SA) solutions . . . The convergence of the correlating and reporting functions of SIM/SIEM, together with information feeds from data leak protection solutions, NAV solutions, identity and access management solutions, and even fraud solutions, will give S&R pros the kind of context and situational awareness they need for action. The challenge is that out-of-the-box SA solutions don't exist just yet. Vendors of legacy SIM/SIEM solutions are expanding the collection and analysis of new types of business and IT data to improve their ability to offer information in context, but many organizations are developing homegrown solutions using big data solutions like Hadoop. Still other vendors are hoping to disrupt the market with deep insights into particular domains like the endpoint. Both Guidance Software and CrowdStrike have analytics capabilities on the endpoint.[18]

. . . that can also automate remediation. Not only must SA provide you with actionable data, it must have integrations and automation to help you take action. SA should help us avoid obstacles and see the road ahead. Proofpoint's recent acquisition of incident response and orchestration specialist NetCitadel is evidence that demand for SA solutions with automated response is heating up.[19] Automation is just one criterion to consider when evaluating SA solutions (see Figure 6).
Figure 6: Security Analytics Considerations, Key Evaluation Criteria, And Solutions (Cont.)

Security analytics

Key evaluation criteria:
- What visualization capabilities exist to enhance analysis (similar to the user experience of Paterva Maltego or Tableau Software)? Does graph analysis exist?
- What pivoting capabilities exist? Can an analyst pivot and drill down into new data while preserving previous searches/queries?
- Does the SA reporting include templates for time-to-detection?
- What integrations facilitate action? What detective and preventive security control integrations exist? What APIs exist for custom integrations?

Solutions:
- Commercial: Alert Logic, BAE Applied Intelligence Cyber Reveal, Cloudera, FireEye Threat Analytics Platform, IBM i2 Analyst's Notebook, Palantir, Splunk, Sumo Logic, traditional SIM/SIEM like LogRhythm, IBM QRadar, McAfee, HP ArcSight
- Open source: Apache Hadoop, OSSIM
Do we benefit from prioritizing network or endpoint controls first? Although NAV solutions can provide visibility into key networks, network security controls such as these aren't sufficient. You also need visibility into the endpoint. There are benefits and limitations to each, and while you need both perspectives, you may not have the budget and the staff to do both, so you'll have to prioritize (see Figure 7). For most organizations, network controls provide quick wins that greatly improve visibility.
Do we have sufficient protections on the endpoint? You can leverage network controls to gain quick wins, but that doesn't mean you must delay implementing new endpoint controls based on use cases. Forrester recommends starting off by deploying preventive-based controls to high-value targets like domain controllers and other critical assets. Next, apply EVC to laptops that move in and out of your environment. A company like Bit9 can cover each use case with its traditional preventive whitelisting offering combined with the visibility of its Carbon Black acquisition.[20] You can consider companywide EVC deployments to give you maximum visibility, but the expense and operational cost of this is probably not the best use of your limited resources, unless you already have capabilities in the other pillars.
How do we best plot the transition from SIM/SIEM to SA? The migration from SIM/SIEM to SA is going to take time. SA is in its infancy; there are no turnkey solutions out there. To build a solid foundation for your SA migration, focus on staff. You must have data analytics capabilities. It would also be helpful to start your analytics projects on structured data first. Rushing to do analytics on unstructured data without first having effective people, process, and technology will be challenging. As we stated above, analytics capabilities are also developing within individual security controls, so take advantage of this. Work with your current vendors, find out how they're building upon their analytic capabilities, and then take advantage of them.
How much should we spend on malware analysis? Malware analysis plays a role in the detection of attacks, but against sophisticated adversaries it has diminishing returns. So how should you prioritize your investment? Depending on your threat model, deploying NAV capabilities at Internet ingress/egress first could offer better returns on your security investment. Malware analysis that is embedded as a feature in a broader offering allows you to acquire multiple pillars at once, potentially saving money for investment in another pillar.
Figure panel: Network approach
Supplemental Material

Methodology
Forrester's Forrsights Security Survey, Q2 2013, was fielded to 2,134 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded from March 2013 to June 2013. ResearchNow fielded this survey online on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates. We have provided exact sample sizes in this report on a question-by-question basis.

Forrester's Business Technographics provides demand-side insight into the priorities, investments, and customer journeys of business and technology decision-makers and the workforce across the globe. Forrester collects data insights from qualified respondents in 10 countries spanning the Americas, Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.
Endnotes

[1] Source: Business Dictionary.com (http://www.businessdictionary.com/definition/Pareto-principle.html). The Pareto principle states that for many events, roughly 80% of the effects come from 20% of the causes.

[2] We have covered alternatives to antivirus in depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.

[3] We have covered the acquisition of Cyvera in depth in a previous report. See the March 25, 2014, "Quick Take: Palo Alto Networks Acquires Cyvera" report.

[4] Source: "Exploit switches off Microsoft EMET's protection features," Help Net Security (http://www.net-security.org/secworld.php?id=17080). For further explanation of this concept, please read the recent Offensive Security article, "Disarming Enhanced Mitigation Experience Toolkit (EMET)." Source: Offensive Security (http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/).

[5] This is one of the primary reasons that many intrusion prevention systems (IPS) are deployed as intrusion detection systems (IDS). No one wants to block valid applications from being used.

[6] Security leaders must realize that human factors contribute to the success of a security control as much as the risk reduction of the security control itself. Security leaders who choose to ignore human factors run the risk of user security mistakes and even a full security breach. There are three human factors that contribute to the success of a security control and six human factors that act as resistors to effectiveness. For more information, see the May 28, 2014, "Raise The Security Bar With Human-Factor-Friendly Design Concepts" report.

[7] Source: Kyle Russell, "A16z Invests $90 Million In Tanium, An Enterprise Systems Management Startup," TechCrunch, June 22, 2014 (http://techcrunch.com/2014/06/22/a16z-invests-90-million-in-tanium-an-enterprise-systems-management-startup/).

[8] Habit No. 1: Are self-aware; Habit No. 2: Understand technology benefits and limitations; Habit No. 3: Establish realistic reporting and metrics; Habit No. 4: Are scalable; Habit No. 5: Collaborate internally and externally; Habit No. 6: Actively engage executives; and Habit No. 7: Operate with autonomy. See the April 17, 2013, "Seven Habits Of Highly Effective Incident Response Teams" report.

[9] We have previously covered the role of threat intelligence in depth in a previous report. See the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.

[10] For more information on how to act on this actionable intelligence, please see the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.

[11] Source: Sai Omkar Vashisht and Abhishek Singh, "Turing Test In Reverse: New Sandbox-Evasion Techniques Seek Human Interaction," FireEye Blog, June 24, 2014 (http://www.fireeye.com/blog/technical/malware-research/2014/06/turing-test-in-reverse-new-sandbox-evasion-techniques-seek-human-interaction.html).

[12] We have covered the key components of a Zero Trust network in depth in a previous report. See the November 15, 2012, "Build Security Into Your Network's DNA: The Zero Trust Network Architecture" report.

[13] We have covered NAV tools in depth in a previous report. See the January 24, 2011, "Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility" report.

[14] We have covered the convergence of some NAV and SIM/SIEM in a previous report. See the August 9, 2012, "Dissect Data To Gain Actionable INTEL" report.

[15] We have covered the characteristics of several EVC solutions in depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.

[16] Source: Brian Krebs, "Security Firm Bit9 Hacked, Used To Spread Malware," Krebs on Security, February 8, 2013 (http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/).

[17] Dissect Data To Gain Actionable INTEL: The real value of SIM, and its survival, depends on big data analytics for situational awareness. Known as security analytics (SA), it involves looking beyond network security data to include the collection and analysis of new types of IT data that will transform SIM into an SA tool that provides both security and IT analytics. For S&R professionals, context is key to security analytics. This will help identify events that are happening now but also assess the state of security within the enterprise in order to predict what may occur in the future and make proactive security decisions. See the August 9, 2012, "Dissect Data To Gain Actionable INTEL" report.

[18] Source: "CrowdStrike Releases Endpoint Activity Monitoring Application," CrowdStrike press release, February 20, 2014 (http://www.crowdstrike.com/news/crowdstrike-releases-endpoint-activity-monitoring-application/index.html).

[19] We have covered the acquisition of NetCitadel in depth in a previous report. See the June 19, 2014, "Brief: Proofpoint Strengthens Its Targeted Attack Defense With NetCitadel Acquisition" report.

[20] We have covered the merger of Bit9 and Carbon Black in depth in a previous report. See the February 14, 2014, "Quick Take: Bit9 And Carbon Black Merge" report.

[21] The fourth tier in the targeted-attack hierarchy of needs: An integrated portfolio that enables orchestration.