
For: Security & Risk Professionals

Targeted-Attack Hierarchy Of Needs, Part 2
by Rick Holland, July 24, 2014 | Updated: July 25, 2014

Key Takeaways

Prevention Isn't Dead
There are innovative prevention technologies, but for these controls to be relevant, they
must demonstrate operational effectiveness and scalability. Solutions that are appealing
on datasheets must also work for the modern enterprise. If done well, prevention can relieve
some of the daily operational burden and stress on S&R professionals.

No Single Technology Will Meet Your Breach Detection Needs
Investing in malware sandboxes alone isn't sufficient to defend the modern enterprise.
You're going to need a combination of malware analysis, network analysis and visibility,
endpoint visibility and control, and security analytics.

Invest In Vendors That Provide Multiple Pillars
Prioritize the vendors who can supply you with multiple technology pillars. Make sure
that these vendors also offer a common user experience, and as many integrations
between their technologies as possible. Vendors that can enable the orchestration of
your defense should be at the top of your list.

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA


Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com


Targeted-Attack Hierarchy Of Needs, Part 2
Multiple Technologies Are Required For Breach Detection
by Rick Holland
with Stephanie Balaouras, Katherine Williamson, and Andrew Hewitt

Why Read This Report


In part 1 of our research series, we detailed the foundational requirements for building the necessary
resiliency to targeted cyberattacks. With the foundational requirements in place, security and risk (S&R)
leaders are ready to turn their focus to the technologies for prevention as well as detection and response.
S&R leaders frequently struggle with deploying the right mix of technologies to detect and respond
to attacks. In this report, we discuss the four technologies that should form the pillars of your breach
detection capabilities: malware analysis, network analysis and visibility, endpoint visibility and control,
and security analytics. For each technology, we provide you with key evaluation criteria, considerations,
and both commercial and open source solutions to help you select the right solution. These technologies,
in the hands of skilled staff, are essential for building resiliency into your cybersecurity program.

Table Of Contents

2 Forrester's Targeted-Attack Hierarchy Of Needs Continues
  Need No. 5: Prevention
  Need No. 6: Detection And Response
4 You Must Build Each Tech Pillar Of The Breach Detection Stack
  Pillar No. 1: Malware Analysis
  Pillar No. 2: Network Analysis And Visibility
  Pillar No. 3: Endpoint Visibility And Control
  Pillar No. 4: Security Analytics
14 Balance The Pillars Based On Your Needs
WHAT IT MEANS
16 Detection And Response Require An Integrated Technology Stack
16 Supplemental Material

Notes & Resources

Forrester used a combination of primary and secondary research in the writing of this report.

Related Research Documents

Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus, June 9, 2014
Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2, May 15, 2014
Five Steps To Build An Effective Threat Intelligence Capability, January 15, 2013

2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar,
and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To
purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.


Forrester's Targeted-Attack Hierarchy Of Needs Continues

It's imperative that S&R leaders have a thoughtful and deliberate plan to fend off targeted
cyberattacks. In part 1 of our research series, we focused on the fundamental requirements that
S&R leaders must build into their security strategy: need no. 1: an actual security strategy; need
no. 2: a dedication to recruiting and retaining staff; need no. 3: a focus on the fundamentals; and
need no. 4: an integrated portfolio that enables orchestration (see Figure 1). Without fulfilling
these fundamental needs, security organizations will struggle with even pedestrian adversaries and
certainly fail against more skilled adversaries. In this part 2 of our series, we discuss need no. 5:
prevention, as well as the technologies associated with need no. 6: detection and response.
Figure 1 The Targeted-Attack Hierarchy Of Needs

(Pyramid, from the top down:)
Detection and response
Prevention
An integrated portfolio that enables orchestration
A focus on the fundamentals
A dedication to recruiting and retaining staff
An actual security strategy

Source: Forrester Research, Inc.

Need No. 5: Prevention


Prevention is dead, long live prevention. One of the recent trends in information security is to claim
that prevention is dead. You should be particularly suspicious of vendors that only deal in detection
that make this claim. Investment will shift to detection, but prevention isn't going away, and the
reports of its death have been greatly exaggerated. When thinking about prevention, remember:


The Pareto principle applies. Not all attacks are targeted, and not all targeted attacks are from
state actors or other sophisticated cyberadversaries. If you can use prevention to eliminate 80%
of the attacks against your organization, you can focus your limited resources on detecting and
responding to the attackers that have the motivation and capability to do the greatest harm. You
don't want to be focusing on nuisance threats while skilled attackers are exfiltrating your most
precious data.1 At a minimum, prevention eliminates noise.

Prevention can be innovative. Prevention can do more than just eliminate noise. Don't think of
prevention as just antivirus (AV) blacklisting and IDS/IPS signatures; prevention can be much
more than that. During the past 18 months, we have seen the emergence of innovative solutions
at the endpoint, including: Bromium, Invincea, and IBM Trusteer.2 RSA Conference Innovation
Sandbox finalist Cylance, as well as Cyvera (recently acquired by Palo Alto Networks), are
other examples of innovative endpoint security controls.3 The Microsoft Enhanced Mitigation
Experience Toolkit (EMET) also provides this type of capability. It's important to note that even solutions
that are designed to prevent zero-day attacks can be circumvented. In early July, researchers
from Offensive Security were able to disable all of EMET's protections.4 If you can prevent
something malicious from occurring in the first place, there is no need for response.

Prevention must not negatively affect the user experience. You can have the most effective
security control, but if it is so intrusive that employees can't work, it won't be in production for
very long.5 This applies to endpoint security as well; the poor user experience from training a host
intrusion prevention system (HIPS) is a prime example. These new endpoint solutions must
demonstrate that they can be effective and transparent to users.6 Many organizations, concerned
about blocking legitimate actions, have adopted a lighter touch on the endpoint via endpoint
visibility and control (EVC) solutions.

Prevention must demonstrate operational effectiveness and scalability. The user experience
isn't the only perspective that S&R pros need to consider; the administrator's experience
operationalizing the solution is also important. Dashboards and an intuitive user interface
enhance operational effectiveness. Scalability is another important consideration: Deploying a
solution to 100 endpoints is one thing; deploying a solution to 100,000 endpoints is an entirely
different matter. Tanium, a solution with endpoint visibility capabilities, just received $90
million in funding in part because of its ability to deploy at scale for very large enterprises.7

Prevention will always be a part of response. At a certain stage in detection, you will move to
response. Blocking adversary command and control is one example of prevention. Prevention
also occurs in the containment phase of response. From a network perspective, you might use
network access control to kill the switch port connected to the infected host. You might use
endpoint visibility and control to surgically kill a malicious process. You could also integrate
with Active Directory to prevent a compromised account from accessing the network. The real
questions regarding prevention are how will you integrate it into your portfolio and how can
you use it as a force multiplier for your protection.


Need No. 6: Detection And Response


Although prevention isn't dead, it can fail. Do you think a sophisticated adversary like the NSA or
any other nation-state actor is going to cease targeting you once they discover you have the latest
and greatest preventive controls? Absolutely not: A determined and well-resourced adversary
will find a way to render these controls ineffective. Given the immaturity of most organizations,
attackers don't even have to be that clever to accomplish their goals. Hope for prevention; plan
on detection and response. When prevention fails, detection and response are your only options.
Having capable incident response is critical. Forrester identified seven habits that effective incident
response teams must possess.8 IR programs that adopt these principles will be better prepared to
adapt to the threat landscape and will be able to recover from security incidents more effectively.
From a technology perspective, there are four primary functions, or pillars, that are necessary
for breach detection: 1) malware analysis; 2) network analysis and visibility (NAV); 3) endpoint
visibility and control (EVC); and 4) security analytics (SA).

Threat intelligence will play an important role in detection and response.9 Vendors have bandied about
and overused the term "actionable threat intelligence" so much that it has become a buzzword without
meaning. This is unfortunate because it's possible to turn multiple sources of intelligence into action,
but it requires dedicated staff committed to following a continuous cycle of collecting, analyzing, and
then disseminating intelligence. Forrester defines actionable intelligence as being accurate, aligned
with intelligence requirements, integrated, predictive, relevant, tailored, and timely.10 You should
leverage actionable threat intelligence within your technology stack to help you: 1) identify potential
threats on the horizon targeting your industry or specific organization; 2) prioritize the remediation of
vulnerabilities and architectural adjustments in your environment; and 3) identify the attacks
that are already in progress. It's indispensable to both prevention and breach detection and response.
You Must Build Each Tech Pillar Of The Breach Detection Stack
There is no single technology that will detect the intrusions and breaches within your organization;
you need solutions that will help you build all four pillars of your breach detection stack (see Figure
2). You need to instrument your entire security organization for breach detection. This includes the
people, process, and oversight required to make technology deployments successful.


Figure 2 Technology Pillars Of Breach Detection

(Diagram: the four pillars of detection, with threat intelligence at the center:)
Network analysis and visibility
Malware analysis
Endpoint visibility and control
Security analytics
Threat intelligence

Source: Forrester Research, Inc.

Pillar No. 1: Malware Analysis


FireEye leveraged automated malware analysis to address threats that the traditional security
vendors were failing to stop. FireEye took automated malware analysis mainstream; today, almost
all security vendors have some sort of automated malware analysis capability. Malware analysis is
frequently an organization's first foray into attempting to address the threat landscape. Generally
speaking, malware analysis consists of dynamic and static analysis:

Dynamic analysis executes and observes malware. Virtual sandboxes are a popular method
for performing dynamic analysis. Advanced dynamic analysis introduces a debugger to observe
the internal state of an executable. These automated malware analysis solutions inspect code and
make a determination as to whether it is malicious in nature.

Dynamic malware analysis can be effective at detecting malicious code; however, adversaries
are well aware of this technology within their targets. This has led to a constant cat-and-mouse
game in which adversaries try to evade analysis and vendors try to enhance their solutions with
anti-evasion techniques. FireEye has written several blog postings illustrating the evolution
of sandbox evasion. Most recently, they wrote about evasion techniques that require human
interaction.11 Anti-evasion techniques are just some of the criteria that you need to consider
when evaluating automated malware analysis capabilities (see Figure 3).


Static analysis analyzes the code or structure of malware to understand how it functions.
Unlike dynamic analysis, static analysis does not run the malware itself at the time of analysis.
Malware authors make static analysis more difficult by obfuscating the execution of malware
and by using packers to compress executables. More advanced static analysis involves reverse
engineering the malware. Malware analysis solutions often include some very light static
analysis to help detect malcode that might not execute in a virtual environment.
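One concrete form of the "very light static analysis" mentioned above is an entropy check: packed or encrypted sections of an executable look statistically close to random data, while ordinary code and data do not. The following is an added example written for this report, not code from Forrester or from any of the vendors named; the "sections" it inspects are constructed byte strings rather than a parsed PE file, and the 7.2 bits-per-byte threshold is an assumption chosen for illustration.

```python
"""Light static analysis: flag a likely-packed executable by section entropy.

Added example (not from the Forrester report). The sample "binaries" are
constructed in-line as {section name: bytes}; no real file is read and no PE
parsing is performed, so the block runs offline.
"""
import math
import random
from typing import Dict, List, Tuple

# Assumption: compressed/encrypted data approaches 8 bits of entropy per byte,
# while ordinary x86 code and initialized data usually sit well below 7.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def classify_sections(sections: Dict[str, bytes]) -> List[Tuple[str, float, bool]]:
    """Per-section (name, entropy rounded to 2 places, above-threshold flag)."""
    results = []
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        results.append((name, round(h, 2), h >= PACKED_ENTROPY_THRESHOLD))
    return results


def looks_packed(sections: Dict[str, bytes]) -> bool:
    """A binary is 'likely packed' if any section is near-random."""
    return any(flag for _, _, flag in classify_sections(sections))


def build_samples() -> Dict[str, Dict[str, bytes]]:
    """Two constructed sample 'binaries' (not real files, not real malware)."""
    rng = random.Random(1)  # fixed seed so the result is reproducible
    code_like = b"push ebp\nmov ebp, esp\nsub esp, 0x40\n" * 100       # low entropy
    random_like = bytes(rng.getrandbits(8) for _ in range(4096))    # ~8 bits/byte
    return {
        "plain": {".text": code_like, ".data": b"\x00" * 2048 + b"Hello, world\n"},
        "packed": {".text": b"\x00" * 512, ".packed": random_like, ".rsrc": code_like},
    }


if __name__ == "__main__":
    for label, sections in build_samples().items():
        verdict = "LIKELY PACKED" if looks_packed(sections) else "not packed"
        print(f"{label}: {verdict}")
        for name, h, flagged in classify_sections(sections):
            print(f"  {name:<8} entropy={h:.2f} {'<-- high' if flagged else ''}")
```

A real implementation would parse the section table of the file format in question and combine this signal with others (section names, import table size, overlay data) rather than acting on entropy alone; a single high-entropy section is also produced by legitimately compressed resources, so treat the result as a triage hint, not a verdict.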


Figure 3 Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions

Automated malware analysis

Considerations:
- A combination of dynamic and static analysis can detect malware that traditional signature-based controls miss.
- Sophisticated adversaries will circumvent dynamic malware analysis. Evasion detection is important.
- Many organizations are overwhelmed by malware alerts. Alert-driven security is a reality.
- Scalability is a challenge for on-premises malware analysis deployments when an organization is distributed with many ingress/egress points.
- A malware analysis solution must observe malicious code; it isn't effective against threat vectors where the initial infection occurs in the extended enterprise beyond perimeter security controls (watering hole attacks/SWC).
- A malware analysis solution is unable to observe lateral movement where malicious code isn't involved.
- For many vendors, malware analysis visibility is limited to web, email, and SMB protocols.
- Organizations with operational security (OPSEC) concerns should consider on-premises or private cloud deployments. The analysis of malware that results in subsequent blocking could alert attackers.

Key evaluation criteria:
- Deployment options: on-premises, cloud, hybrid.
- On-premises deployment options: passive, passive blocking, inline blocking.
- What malware analysis techniques are used (static, dynamic, emulation, network behavior)?
- What types of content are inspected (executables, DLLs, archives, images, PDFs, Flash, office documents, JavaScript)?
- What anti-evasion techniques are used to ensure malware executes in the analysis environment?
- What endpoint integrations exist? Integration with endpoint controls provides endpoint context. Was the endpoint already patched for the vulnerability being exploited? Endpoints can also perform containment/remediation.
- Ability to perform dynamic analysis on customized virtual machine images.
- Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX).
- Virtual machine operating system support (Windows, OSX).
- What NAV capabilities exist? Some of the vendor solutions not only offer automated malware analysis, but also offer NAV capabilities.
- Visibility into encrypted traffic.
- Android APK analysis.


Source: Forrester Research, Inc.


Figure 3 Automated Malware Analysis Considerations, Key Evaluation Criteria, And Solutions (Cont.)

Solutions:
- Commercial: Bluecoat Norman Sandbox, Cyphort, Fidelis XPS Advanced Threat Defense, FireEye Threat Prevention Platform, Light Cyber, Palo Alto Networks WildFire, Lastline, Seculert, ThreatGrid, Trend Micro Deep Discovery
- Open source: Anubis, Cuckoo Sandbox, Minibis, Wepawet


Source: Forrester Research, Inc.

Pillar No. 2: Network Analysis And Visibility


One of the key components of a Zero Trust network is network analysis and visibility (NAV).12 NAV
is a diverse set of tools designed to provide network-based situational awareness to S&R pros. NAV
tools perform many functions including: malicious behavior detection, network discovery, flow
analysis, meta-packet capture, full packet capture, and network forensics.13
The convergence of some NAV and security information management/security information and event
management (SIM/SIEM) capabilities is under way.14 LogRhythm is one of many SIM/SIEM solutions
that can consume a number of flow formats. RSA has combined the network forensics capabilities of
NetWitness with the SIM capabilities of enVision into its RSA Security Analytics solution. SIM/SIEM
integration is just one of the criteria when considering NAV solutions (see Figure 4).


Figure 4 NAV Considerations, Key Evaluation Criteria, And Solutions

Network analysis and visibility

Considerations:
- Layer 7 visibility at the Internet perimeter(s) should be one of your first priorities. Similar visibility at data center ingress/egress should follow.
- Packet capture at the Internet perimeter(s) is ideal. Similar capability at data center ingress/egress should follow. Packet capture fidelity is important; you cannot afford to drop or miss packets.
- Flow data is probably already being used by infrastructure and operations (I&O); leverage it for security purposes. Flow data can be used for detection of attacker lateral movement; it is more scalable than packet capture for this use case.
- NGFW/segmentation gateways provide NAV capabilities (detection of port hopping, SSH/SSL use, and use of nonstandard ports).
- The more segmented the network, the more challenging NAV implementations become. Instrumenting enterprise networks for NAV takes time.
- Do you trust the endpoint? NAV can validate what data the endpoint is reporting (situations where the endpoint is compromised with a rootkit).
- NAV lacks the rich host context that endpoint analysis and control solutions provide.

Key evaluation criteria:
- What are the deployment options (i.e., physical/virtual, distributed)?
- How much throughput can capturing devices handle (1Gbps, 10Gbps, 40Gbps)?
- What are the storage capabilities of the solution (direct attached capacity/storage area network capabilities)?
- How is indexing performed (metadata creation, PCAP association)?
- What incident response/forensic analysis workflows exist?
- How is searching performed? How long do searches take?
- What visualization capabilities exist to enhance analysis?
- How does the solution ingest threat intelligence? Ability to consume and export third-party threat intelligence (IODEF, OpenIOC, STIX/CybOX). How can you hunt/search for threat indicators?
- What encrypted traffic inspection capabilities exist?
- What applications are classified?
- What behavioral analysis capabilities exist (malware command and control, data exfiltration)?
- What endpoint integrations exist?
- How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?


Source: Forrester Research, Inc.


Figure 4 NAV Considerations, Key Evaluation Criteria, And Solutions (Cont.)

Solutions:
- Commercial: Arbor Networks Pravail Security Analytics, Blue Coat Security Analytics (Solera Networks), Damballa Failsafe, FireEye nPulse, Lancope StealthWatch, LightCyber Detect, Novetta Cyber Analytics, RSA Security Analytics (Netwitness/enVision)
- Open source: Argus, Bro, Security Onion, Snorby, Snort OpenAppID, System for Internet-Level Knowledge (SiLK)

Source: Forrester Research, Inc.
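The Figure 4 consideration that flow data scales better than packet capture for spotting attacker lateral movement is easy to make concrete. The block below is an added example written for this report, not code from Forrester or from any NAV product: it reads a minimal, constructed CSV flow export (timestamp, source, destination, destination port, bytes), keeps only internal-to-internal flows on administrative ports, and alerts when one source reaches an unusual number of distinct internal hosts inside a sliding time window. The internal address ranges, the port set, the 10-minute window and the fan-out threshold of 5 are all assumptions to be tuned per environment.

```python
"""Lateral-movement fan-out detection over flow records.

Added example, not part of the Forrester report or any vendor's product.
Flow records and thresholds are constructed here so the block runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumptions: internal address space, "admin" ports whose fan-out is unusual
# for a workstation (SMB, RDP, WinRM, SSH), window length and threshold.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {445, 3389, 5985, 5986, 22}
WINDOW_SECONDS = 600
FANOUT_THRESHOLD = 5


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds of the first packet
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse the constructed CSV format: ts,src,dst,dport,bytes ('#' = comment)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_fanout(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return {src: sorted distinct internal dsts} for every source that reached
    at least FANOUT_THRESHOLD distinct internal hosts on admin ports within one
    WINDOW_SECONDS window. The largest such set per source is reported."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in ADMIN_PORTS and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)

    alerts: Dict[str, List[str]] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):          # sliding window over time-ordered flows
            while fl[end].ts - fl[start].ts > WINDOW_SECONDS:
                start += 1
            dsts = {f.dst for f in fl[start:end + 1]}
            if len(dsts) >= FANOUT_THRESHOLD and len(dsts) > len(alerts.get(src, [])):
                alerts[src] = sorted(dsts)
    return alerts


# Constructed sample export: clients talking to one file server (normal), one
# workstation reaching six peers on SMB/RDP within three minutes (fan-out), an
# external DNS flow (ignored), and an admin touching two hosts hours apart.
SAMPLE_FLOWS = [
    "# ts,src,dst,dport,bytes",
    "1700000000,10.1.1.50,10.1.1.10,445,120000",
    "1700000010,10.1.1.51,10.1.1.10,445,80000",
    "1700000020,10.1.1.52,10.1.1.10,445,99000",
    "1700000100,10.1.1.77,10.1.1.20,445,3000",
    "1700000130,10.1.1.77,10.1.1.21,445,3000",
    "1700000160,10.1.1.77,10.1.1.22,3389,5000",
    "1700000190,10.1.1.77,10.1.1.23,445,3000",
    "1700000220,10.1.1.77,10.1.1.24,445,3000",
    "1700000250,10.1.1.77,10.1.1.25,445,3000",
    "1700000300,10.1.1.60,8.8.8.8,53,200",
    "1700005000,10.1.1.53,10.1.1.30,445,3000",
    "1700009000,10.1.1.53,10.1.1.31,445,3000",
]


def run_sample() -> Dict[str, List[str]]:
    return detect_fanout(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for src, dsts in run_sample().items():
        print(f"ALERT fan-out from {src}: {len(dsts)} internal hosts on admin ports: {dsts}")
```

Because the rule keys on the source address, a file server or jump host that legitimately contacts many machines will need an allow-list; the same sliding-window logic applied to IPFIX or NetFlow v9 exports only changes the parser, not the detection.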

Pillar No. 3: Endpoint Visibility And Control


Endpoint visibility and control (EVC) seeks to provide detailed visibility into activity occurring on the
endpoint. EVC solutions can provide details on endpoint process executions, application/file/registry
modifications, network activity, active memory, as well as kernel-driver activity. Some EVC solutions
provide visibility only, while others also provide the ability to contain malicious endpoint behavior.15
There are endpoint offerings like Palo Alto Networks Next-Generation Endpoint Protection,
intended to prevent malicious activity from occurring in the first place. This is ideal, but working
under the assumption that determined adversaries will find a way to circumvent your controls,
visibility is also important. In 2012, Bit9 was targeted so that the adversary could breach a Bit9
customer. The attackers couldn't circumvent Bit9's whitelisting protection directly, so they
compromised Bit9 to digitally sign their malware and make it appear to be legitimate software.16 A
deeper level of visibility on the hosts running this signed malware could have provided the company
with valuable insight that might have accelerated the detection of malicious activity. Deep visibility
is just one evaluation criterion to use when considering EVC solutions (see Figure 5).


Figure 5 Endpoint Visibility And Control Considerations, Key Evaluation Criteria, And Solutions

Endpoint analysis and control

Considerations:
- The extended enterprise makes endpoint security a necessity. Organizations have no visibility when endpoints are beyond the perimeter. For example, an endpoint perspective is needed to detect strategic web compromise/water hole attacks when the host is remote.
- The endpoint perspective is necessary to determine the impact of malware. Did it actually execute? Was the host already patched against the exploit?
- Endpoint control provides the ability to perform surgical containment of malicious processes.
- Endpoint solutions must demonstrate that they can deploy at scale in an operationally effective manner.
- BYOC makes deployment challenging if not impossible.
- Need to overcome yet-another-agent syndrome. The addition of a new endpoint agent can impact the resources available on a host that already has multiple endpoint agents.
- If the endpoint is already compromised, you cannot trust what it is reporting back. EVC must be deployed to a host in a known good state.

Key evaluation criteria:
- Does the solution operate in user space or kernel space?
- What impact does the EVC agent have on the host operating system (memory, CPU, disk)?
- Does the solution provide visibility and monitoring only? What about containment?
- What operating systems are supported (Windows, OSX)?
- How is asset/individual risk used for triage (high-value targets like domain controllers, C-suite staff)?
- What workflow is used for enabling automated response (crawl, walk, run)?
- How does the solution ingest threat intelligence? How can you hunt/search for threat indicators?
- What threat intelligence standards are supported (OpenIOC, STIX/TAXII/CybOX)?
- What visualization capabilities exist to enhance analysis?
- What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?
- What incident response/forensic analysis workflows exist?
- What network security/NAV integrations exist?
- What integrations exist for automated response (Active Directory integrations for account lockout, switch port integrations for disabling endpoint network access)?

Solutions:
- Commercial: Bit9, Carbon Black, Confer, CounterTack Sentinel, CrowdStrike Falcon Host, Cybereason, FireEye HX, Guidance Software Cyber Security, Hexis HawkEye G, Tanium, Triumfant, Verdasys Digital Guardian
- Open source: Immunity El Jefe, OSSEC

Source: Forrester Research, Inc.
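Figure 5 asks how an EVC solution detects "the use of legitimate Windows tools for malicious purposes". The usual answer is a rule over the process execution telemetry the agent already collects, keyed on the parent/child relationship, with the full process lineage attached so the analyst has context. The block below is an added example written for this report, not code from Forrester or from any EVC vendor; the event schema, the set of document handlers and the set of script hosts are assumptions, and the sample events are constructed.

```python
"""Process-lineage detection over EVC process-execution events.

Added example, not from the Forrester report or any vendor. The event
schema and the sample telemetry below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumptions: document handlers that should not launch an interpreter, and
# the built-in tools whose appearance under such a parent warrants triage.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str    # executable basename, lower-case
    user: str
    host: str


def lineage(pid: int, by_pid: Dict[int, ProcessEvent], max_depth: int = 8) -> List[str]:
    """Walk ppid links upward and return the chain of image names, child first."""
    chain: List[str] = []
    cur: Optional[ProcessEvent] = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_suspicious_children(events: List[ProcessEvent]) -> List[dict]:
    """Flag a script host whose direct parent is a document handler."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if e.image in SCRIPT_HOSTS and parent.image in DOCUMENT_HANDLERS:
            alerts.append({
                "host": e.host,
                "user": e.user,
                "pid": e.pid,
                "rule": "document-handler-spawned-script-host",
                "lineage": " <- ".join(lineage(e.pid, by_pid)),
            })
    return alerts


# Constructed sample telemetry: a benign Word session and browser on ws01, a
# Word instance on ws01 that launched PowerShell, and an admin on ws02 who
# opened cmd from Explorer and PowerShell from cmd (both benign here).
SAMPLE_EVENTS = [
    ProcessEvent(400, 1, "explorer.exe", "alice", "ws01"),
    ProcessEvent(1200, 400, "winword.exe", "alice", "ws01"),
    ProcessEvent(1300, 400, "chrome.exe", "alice", "ws01"),
    ProcessEvent(1450, 1200, "powershell.exe", "alice", "ws01"),
    ProcessEvent(500, 1, "explorer.exe", "bob", "ws02"),
    ProcessEvent(2100, 500, "cmd.exe", "bob", "ws02"),
    ProcessEvent(2200, 2100, "powershell.exe", "bob", "ws02"),
]


def run_sample() -> List[dict]:
    return detect_suspicious_children(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['host']}/{a['user']} pid={a['pid']} {a['rule']}: {a['lineage']}")
```

The same lineage walk is what makes the EVC consideration "if the endpoint is already compromised, you cannot trust what it is reporting back" bite: a kernel-level implant can hide or forge these events, which is why the report recommends deploying the agent to a host in a known good state and cross-checking with NAV.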


Pillar No. 4: Security Analytics


Few will argue that the traditional approach to SIM/SIEM is effective. Many claim to have
intelligence-led security but actually have alert-driven security. To be at all useful, SIM/SIEM
solutions require skilled analysts to operate and maintain them, the kind of staff few organizations
have. In addition, clients regularly complain that the lack of any kind of meaningful context around
alerts makes triage even more difficult.17 As a result:

Vendors are developing new security analytics (SA) solutions . . . The convergence of the
correlating and reporting functions of SIM/SIEM, together with information feeds from data
leak protection solutions, NAV solutions, identity and access management solutions, and even
fraud solutions, will give S&R pros the kind of context and situational awareness they need for
action. The challenge is that out-of-the-box SA solutions don't exist just yet. Vendors of legacy
SIM/SIEM solutions are expanding the collection and analysis of new types of business and
IT data to improve their ability to offer information in context, but many organizations are
developing homegrown solutions using big data solutions like Hadoop. Still other vendors are
hoping to disrupt the market with deep insights into particular domains like the endpoint. Both
Guidance Software and CrowdStrike have analytics capabilities on the endpoint.18

. . . that can also automate remediation. Not only must SA provide you with actionable data,
it must have integrations and automation to help you take action. SA should help us avoid
obstacles and see the road ahead. Proofpoint's recent acquisition of incident response and
orchestration specialist NetCitadel is evidence that demand for SA solutions with automated
response is heating up.19 Automation is just one criterion to consider when evaluating SA
solutions (see Figure 6).


Figure 6 Security Analytics Considerations, Key Evaluation Criteria, And Solutions

Security analytics

Considerations:
- The SA vendors that can offer a platform that enables the orchestration of detection and response through integrations and automation will be an organization's most valuable partner.
- Early adopters of big data solutions like Hadoop have had to develop their own security analytics capabilities, but this is starting to change as vendors bring prepackaged analytics online. There are still no turnkey offerings.
- Technology is core to SA, but just as with SIM/SIEM, people and process ultimately determine success. Like anything else, don't think of SA as a silver bullet.
- How much effort is required for you to implement and operationalize SA? If you don't have the resources, not unlike SIM/SIEM, MSSPs may be a more practical alternative for SA.
- As SA platforms consume more and more data to provide richer context, you must make securing this data a priority. All your eggs are in one basket; you are concentrating your liability and you must protect the data.
- Infrastructure is moving to the cloud; if you thought doing SA on-premises was challenging, the cloud will only complicate this more. Companies like Threat Stack and Alert Logic provide analytics into elastic infrastructure.
- The disillusionment with SIM/SIEM has led to the emergence of SA capabilities within individual security controls. CrowdStrike released Endpoint Activity Monitoring, which embeds Splunk software as a machine data platform for the search, alerting, reporting, and analytics capabilities.

Key evaluation criteria:
- What type of data can the SA solution consume (structured data, unstructured data, application data, log data, flow data, meta packet capture, full packet capture, event data, vulnerability data, identity data, third-party intelligence, data from elastic infrastructure)?
- How does the solution ingest threat intelligence (JSON, CSV, XML)? What threat intelligence standards are supported (IODEF, OpenIOC, STIX/TAXII/CybOX)?
- What analytic capabilities does the SA solution possess (statistical modeling, predictive analytics, behavioral modeling)?
- What internal context is used to prioritize alerting? How are asset value, vulnerabilities present, attack path modeling, and identity incorporated into alert triage?
- What external context is used to prioritize alerting? How are threat intelligence and real-world exploitation of vulnerabilities incorporated into alert triage?
- What incident response/forensic analysis workflows exist? How can you hunt/search for threat indicators?
- What lateral movement detections exist? How does the solution detect privilege escalation or the use of legitimate Windows tools for malicious purposes?
- What analyst enrichments exist in the solution (GeoIP, passive DNS, asset value, Whois lookups)?

Source: Forrester Research, Inc.


Figure 6 Security Analytics Considerations, Key Evaluation Criteria, And Solutions (Cont.)

Security analytics

Key evaluation criteria (continued):
- What visualization capabilities exist to enhance analysis (similar to the user experience of Paterva Maltego or Tableau Software)? Does graph analysis exist?
- What pivoting capabilities exist? Can the analyst pivot and drill down into new data while preserving previous searches/queries?
- Does the SA reporting include templates for time-to-detection?
- What integrations facilitate action? What detective and preventive security control integrations exist? What APIs exist for custom integrations?

Solutions:
- Commercial: Alert Logic, BAE Applied Intelligence Cyber Reveal, Cloudera, FireEye Threat Analytics Platform, IBM i2 Analyst's Notebook, Palantir, Splunk, Sumo Logic, traditional SIM/SIEM like LogRhythm, IBM QRadar, McAfee, HP ArcSight
- Open source: Apache Hadoop, OSSIM
Source: Forrester Research, Inc.
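The criteria in Figure 6 ask two things an evaluator should be able to see working rather than read on a datasheet: how the SA solution detects lateral movement and the misuse of legitimate Windows tools, and how it folds internal context (asset value, vulnerabilities present, identity) and external context (threat intelligence, real-world exploitation) into alert triage. The Python below is an added example written for this edition, not code from the report or from any vendor named in Figure 6. It runs two small detections over constructed Windows-style events (a simplified stand-in for Sysmon process creation, Security event 4624 network logons, and a flow feed) and then scores the resulting alerts against constructed context tables. Every hostname, user name, IP address, threshold, and score weight is an assumption chosen for illustration.

```python
# Added example, not from the report or any vendor. All hosts, users, IPs,
# thresholds and weights below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
import ntpath

# Constructed telemetry: simplified Sysmon process-creation, 4624 network logon
# (LogonType 3) and flow records. Timestamps are seconds.
EVENTS = [
    {"ts": 100, "type": "process", "host": "WS-0417", "user": "jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic /node:DC01 process call create cmd.exe /c whoami"},
    {"ts": 101, "type": "logon", "host": "DC01", "user": "jdoe", "src_ip": "10.1.4.17"},
    {"ts": 102, "type": "logon", "host": "FS02", "user": "jdoe", "src_ip": "10.1.4.17"},
    {"ts": 103, "type": "logon", "host": "WS-0100", "user": "jdoe", "src_ip": "10.1.4.17"},
    {"ts": 104, "type": "netconn", "host": "WS-0417", "dst_ip": "203.0.113.45"},
    {"ts": 105, "type": "process", "host": "DC01", "user": "svc_backup",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\temp\l.dmp full"},
    {"ts": 106, "type": "logon", "host": "FS02", "user": "alice", "src_ip": "10.1.5.2"},
    {"ts": 107, "type": "process", "host": "WS-0099", "user": "alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic os get caption"},
    {"ts": 5000, "type": "logon", "host": "DC01", "user": "jdoe", "src_ip": "10.1.4.17"},
]

# Constructed context (in production: CMDB, vulnerability scanner, directory,
# threat-intel platform). Vulnerability posture is counts only; no CVE is named.
ASSET_VALUE = {"DC01": 10, "FS02": 7, "WS-0100": 2, "WS-0417": 2}
VULN_POSTURE = {"FS02": {"critical": 2, "exploited_in_wild": True},
                "WS-0100": {"critical": 1, "exploited_in_wild": False}}
IDENTITY = {"jdoe": "standard_user", "svc_backup": "service_account", "alice": "standard_user"}
IDENTITY_WEIGHT = {"domain_admin": 6, "service_account": 4, "standard_user": 1}
THREAT_INTEL_IPS = {"203.0.113.45"}
BASE_SEVERITY = {"lsass_dump_comsvcs": 9, "lolbin_remote_exec": 6, "logon_fan_out": 5}
REMOTE_EXEC_TOOLS = {"wmic.exe", "psexec.exe", "psexec64.exe", "winrs.exe"}
REMOTE_FLAGS = ("/node:", "\\\\", "-r:")  # wmic, psexec and winrs remote-target syntax


@dataclass
class Alert:
    name: str
    hosts: list
    user: str
    ts: int
    detail: str = ""
    score: int = 0
    reasons: list = field(default_factory=list)


def detect_lolbin(ev):
    """Flag legitimate Windows tools used for remote execution or LSASS dumping.
    Local, benign use of the same binaries ('wmic os get caption') is not flagged."""
    if ev["type"] != "process":
        return None
    image, cmd = ntpath.basename(ev["image"]).lower(), ev["cmd"].lower()
    if image in REMOTE_EXEC_TOOLS and any(flag in cmd for flag in REMOTE_FLAGS):
        return Alert("lolbin_remote_exec", [ev["host"]], ev["user"], ev["ts"], ev["cmd"])
    if image == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd:
        return Alert("lsass_dump_comsvcs", [ev["host"]], ev["user"], ev["ts"], ev["cmd"])
    return None


def detect_fan_out(events, threshold=3, window=600):
    """Alert when one (user, source IP) pair logs on to at least `threshold`
    distinct hosts within a sliding `window`; fires once per pair."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon":
            by_key[(ev["user"], ev["src_ip"])].append((ev["ts"], ev["host"]))
    alerts = []
    for (user, src_ip), logons in by_key.items():
        logons.sort()
        for i, (ts, _) in enumerate(logons):
            hosts = {h for t, h in logons[: i + 1] if t >= ts - window}
            if len(hosts) >= threshold:
                alerts.append(Alert("logon_fan_out", sorted(hosts), user, ts,
                                    f"{len(hosts)} hosts from {src_ip} in {window}s"))
                break
    return alerts


def triage(alerts, events):
    """Rank alerts: base severity + internal context (asset value, vulnerability
    posture, identity) + external context (outbound hit on a threat-intel IP)."""
    ti_hosts = {ev["host"] for ev in events
                if ev["type"] == "netconn" and ev["dst_ip"] in THREAT_INTEL_IPS}
    for a in alerts:
        score = BASE_SEVERITY[a.name] + max(ASSET_VALUE.get(h, 1) for h in a.hosts)
        for h in a.hosts:
            posture = VULN_POSTURE.get(h)
            if posture:
                score += 2 * posture["critical"]
                if posture["exploited_in_wild"]:
                    score += 3
                    a.reasons.append(f"{h} has a critical vulnerability exploited in the wild")
        score += IDENTITY_WEIGHT[IDENTITY.get(a.user, "standard_user")]
        if any(h in ti_hosts for h in a.hosts):
            score += 5
            a.reasons.append("outbound connection to threat-intel indicator")
        a.score = score
    return sorted(alerts, key=lambda a: a.score, reverse=True)


def run(events=EVENTS):
    alerts = [a for a in map(detect_lolbin, events) if a is not None]
    alerts += detect_fan_out(events)
    return triage(alerts, events)


if __name__ == "__main__":
    for a in run():
        print(f"{a.score:>3} {a.name:<20} {a.user:<11} {','.join(a.hosts)}  {a.detail}")
        for r in a.reasons:
            print("     -", r)
```

On the constructed input the logon fan-out across the domain controller and a file server with an exploited-in-the-wild vulnerability ranks above the credential dump on the domain controller, and the WMIC remote execution from the workstation that also talked to the threat-intel IP ranks last only because the workstation itself is a low-value asset; the point of the exercise is that the same three alerts would rank very differently without the context tables, which is exactly what the internal- and external-context criteria in Figure 6 are probing. The benign local `wmic os get caption` and the single logon by `alice` produce no alert, which is the false-positive behavior to check when a vendor demonstrates "legitimate Windows tools" detections.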

Balance The Pillars Based On Your Needs

One of the most common questions clients ask Forrester is "Where do we start?" Chances are you don't have many of the necessary technology components of each pillar deployed in your environment. To help you decide how to start, ask and answer the following questions:

Do we benefit from prioritizing network or endpoint controls first? Although NAV solutions can provide visibility into key networks, network security controls such as these aren't sufficient on their own. You also need visibility into the endpoint. There are benefits and limitations to each, and while you need both perspectives, you may not have the budget and the staff to do both, so you'll have to prioritize (see Figure 7). For most organizations, network controls provide quick wins that greatly improve visibility.

Do we have sufficient protections on the endpoint? You can leverage network controls to gain quick wins, but that doesn't mean you must delay implementing new endpoint controls based on use cases. Forrester recommends starting by deploying preventive controls on high-value targets like domain controllers and other critical assets. Next, apply EVC to laptops that move in and out of your environment. A company like Bit9 can cover each use case with its traditional preventive whitelisting offering combined with the visibility of its Carbon Black acquisition.20 You can consider companywide EVC deployments to give you maximum visibility, but the expense and operational cost of this is probably not the best use of your limited resources, unless you already have capabilities in the other pillars.

How do we best plan the transition from SIM/SIEM to SA? The migration from SIM/SIEM to SA is going to take time. SA is in its infancy; there are no turnkey solutions out there. To build a solid foundation for your SA migration, focus on staff: you must have data analytics capabilities in-house. It also helps to start your analytics projects on structured data first (log sources with a fixed schema, such as authentication, proxy, and firewall logs). Rushing to do analytics on unstructured data without first having effective people, process, and technology will be challenging. As we stated above, analytics capabilities are also developing within individual security controls, so take advantage of this. Work with your current vendors, find out how they're building upon their analytic capabilities, and then take advantage of them.

How much should we spend on malware analysis? Malware analysis plays a role in the detection of attacks, but against sophisticated adversaries it has diminishing returns. So how should you prioritize your investment? Depending on your threat model, deploying NAV capabilities at Internet ingress/egress first could offer a better return on your security investment. Malware analysis that is embedded as a feature in a broader offering allows you to acquire multiple pillars at once, potentially saving money for investment in another pillar.

Figure 7 You Must Balance Endpoint And Network Security Controls

Endpoint approach
Benefits:
  Visibility beyond the perimeter; follows endpoints in the extended enterprise
  Expedites response; able to determine if a host has been compromised
  Endpoint visibility can improve mean time-to-detection; endpoint prevention can stop execution of malicious behavior
Limitations:
  Something else on the endpoint; has the traditional endpoint security deployment challenge
  Consumerization (BYOD/BYOC) deployment challenges

Network approach
Benefits:
  Out-of-band deployments offer a quick, transparent way to get visibility
  Avoids the challenges associated with endpoint security deployments
Limitations:
  No visibility when endpoints are outside the perimeter (unless SaaS is used)
  Challenges determining the impact on the endpoint
  Scalability challenges for distributed enterprises; direct-to-Internet connectivity exacerbates this

Source: Forrester Research, Inc.



What It Means

Detection And Response Require An Integrated Technology Stack


It's important that you develop a road map for building out each of the technology pillars. Remember that creating an integrated portfolio that enables orchestration should be a core tenet of your architectural, process, and product/service decisions.21 When evaluating technology, prioritize vendors that offer multiple pillars as well as those that have third-party integrations that make operationalizing the solution effective. You don't necessarily need a "single pane of glass," but you should have a common user experience. This will help you avoid amassing point products that add more overhead than security control. Without an integrated technology stack, you will not be able to improve time-to-detection, containment, and remediation.

Supplemental Material
Methodology
Forrester's Forrsights Security Survey, Q2 2013, was fielded to 2,134 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded from March 2013 to June 2013. ResearchNow fielded this survey online on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates. We have provided exact sample sizes in this report on a question-by-question basis.
Forrester's Business Technographics provides demand-side insight into the priorities, investments, and customer journeys of business and technology decision-makers and the workforce across the globe. Forrester collects data insights from qualified respondents in 10 countries spanning the Americas, Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.
Endnotes
1 Source: BusinessDictionary.com (http://www.businessdictionary.com/definition/Pareto-principle.html). The Pareto principle states that for many events, roughly 80% of the effects come from 20% of the causes.
2 We have covered alternatives to antivirus in depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.
3 We have covered the acquisition of Cyvera in depth in a previous report. See the March 25, 2014, "Quick Take: Palo Alto Networks Acquires Cyvera" report.
4 Source: "Exploit switches off Microsoft EMET's protection features," Help Net Security (http://www.net-security.org/secworld.php?id=17080). For further explanation of this concept, please read the recent Offensive Security article, "Disarming Enhanced Mitigation Experience Toolkit (EMET)." Source: Offensive Security (http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/).
5 This is one of the primary reasons that many intrusion prevention systems (IPS) are deployed as intrusion detection systems (IDS): no one wants to block valid applications from being used.
6 Security leaders must realize that human factors contribute to the success of a security control as much as the risk reduction of the security control itself. Security leaders who choose to ignore human factors run the risk of user security mistakes and even a full security breach. There are three human factors that contribute to the success of a security control and six human factors that act as resistors to effectiveness. For more information, see the May 28, 2014, "Raise The Security Bar With Human-Factor-Friendly Design Concepts" report.
7 Source: Kyle Russell, "A16z Invests $90 Million In Tanium, An Enterprise Systems Management Startup," TechCrunch, June 22, 2014 (http://techcrunch.com/2014/06/22/a16z-invests-90-million-in-tanium-an-enterprise-systems-management-startup/).
8 Habit No. 1: Are self-aware; Habit No. 2: Understand technology benefits and limitations; Habit No. 3: Establish realistic reporting and metrics; Habit No. 4: Are scalable; Habit No. 5: Collaborate internally and externally; Habit No. 6: Actively engage executives; and Habit No. 7: Operate with autonomy. See the April 17, 2013, "Seven Habits Of Highly Effective Incident Response Teams" report.
9 We have covered the role of threat intelligence in depth in a previous report. See the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.
10 For more information on how to act on this actionable intelligence, please see the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.
11 Source: Sai Omkar Vashisht and Abhishek Singh, "Turing Test In Reverse: New Sandbox-Evasion Techniques Seek Human Interaction," FireEye Blog, June 24, 2014 (http://www.fireeye.com/blog/technical/malware-research/2014/06/turing-test-in-reverse-new-sandbox-evasion-techniques-seek-human-interaction.html).
12 We have covered the key components of a Zero Trust network in depth in a previous report. See the November 15, 2012, "Build Security Into Your Network's DNA: The Zero Trust Network Architecture" report.
13 We have covered NAV tools in depth in a previous report. See the January 24, 2011, "Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility" report.
14 We have covered the convergence of some NAV and SIM/SIEM in a previous report. See the August 9, 2012, "Dissect Data To Gain Actionable INTEL" report.
15 We have covered the characteristics of several EVC solutions in depth in a previous report. See the June 9, 2014, "Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus" report.
16 Source: Brian Krebs, "Security Firm Bit9 Hacked, Used To Spread Malware," Krebs on Security, February 8, 2013 (http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/).
17 Dissect Data To Gain Actionable INTEL: The real value of SIM, and its survival, depends on big data analytics for situational awareness. Known as security analytics (SA), it involves looking beyond network security data to include the collection and analysis of new types of IT data that will transform SIM into an SA tool that provides both security and IT analytics. For S&R professionals, context is key to security analytics. This will help identify events that are happening now but also assess the state of security within the enterprise in order to predict what may occur in the future and make proactive security decisions. See the August 9, 2012, "Dissect Data To Gain Actionable INTEL" report.
18 Source: "CrowdStrike Releases Endpoint Activity Monitoring Application," CrowdStrike press release, February 20, 2014 (http://www.crowdstrike.com/news/crowdstrike-releases-endpoint-activity-monitoring-application/index.html).
19 We have covered the acquisition of NetCitadel in depth in a previous report. See the June 19, 2014, "Brief: Proofpoint Strengthens Its Targeted Attack Defense With NetCitadel Acquisition" report.
20 We have covered the merger of Bit9 and Carbon Black in depth in a previous report. See the February 14, 2014, "Quick Take: Bit9 And Carbon Black Merge" report.
21 The fourth tier in the targeted-attack hierarchy of needs: An integrated portfolio that enables orchestration.
