Cybercriminals have adapted their techniques to sidestep traditional defenses and lurk undetected in systems for months, or even years. It’s time for enterprise security to adapt in its turn, by taking an intelligence-driven, multi-layered approach to IT security. Until recently, it was enough to defend the corporate perimeter using commonly available security technologies that prevented malware infections or unauthorized access to the corporate network. However, today, with the rise of targeted attacks, this simple approach is no longer adequate. If your security department is going to guard against new dangers, you’ll need a multi-faceted, highly adaptable approach to security, based around a conventional SOC empowered with threat intelligence and multi-layered security solutions.
IMPROVING ENTERPRISE SECURITY PROCESSES
The Information Security Department is responsible for the organizational and technical protection of critical information and business processes in often complex IT environments, which increasingly include automated solutions and software components and the transition to electronic document management. The avalanche-like growth in advanced threats and targeted attacks has generated a corresponding growth in security solutions and in the unstructured data they produce. To collect, store and process that data, and to identify and prioritize complex multi-level attacks, existing processes must be upgraded. These include:
• manual prioritization of threats and evaluation of factors that may indicate a targeted attack
• collecting information about targeted attacks and advanced threats
• identification of and response to incidents
• analysis of suspicious objects in network traffic and email attachments
• detection of abnormal or unusual activity within the protected infrastructure
Large enterprises are responding to today’s advanced threats by moving to centralized information security management: consolidating data from disparate security solutions through automated data collection and event correlation (SIEM), and unifying its presentation by building security monitoring centers (SOC, Security Operations Center). But for this approach to be effective against targeted attacks and advanced threats, a comprehensive understanding of security problems and deep knowledge of cyberthreat analysis are required.
While the majority of simple cyberthreats can be blocked by traditional, signature-based and heuristics-enhanced security products, today’s cybercriminals and hackers are using increasingly sophisticated attacks to target specific organizations. Targeted attacks – including Advanced Persistent Threats (APTs) – are now among the most dangerous risks that enterprises have to deal with. However, while the threats, and the techniques that cybercriminals and hackers employ, are constantly evolving, many businesses are failing to adapt their security strategies.
By combining multi-layered detection in the Anti Targeted Attack Platform and rapid reaction in Endpoint Detection and Response with Cybersecurity Intelligence Services and Premium Support, Threat Management and Defense provides a unified solution with centralized administration, helping to automate and facilitate the whole advanced threat management cycle. Harder to detect and often even harder to eliminate, targeted attacks and advanced threats call for a comprehensive, adaptive security strategy. The Threat Management and Defense solution is founded on the adaptive security architecture described by Gartner: a cycle of activities in four key areas, Prevent, Detect, Respond and Predict.
• Prevent – reduce the risk of advanced threats and targeted attacks
• Detect – identify activities that could signal a targeted attack
• Respond – close security gaps and investigate attacks
• Predict – anticipate where and how new targeted attacks could appear
Essentially, this assumes that traditional prevention systems should function in coordination with detection technologies, threat analytics, response capabilities and predictive security techniques, creating a cybersecurity system that continuously adapts and responds to emerging enterprise challenges. This approach is how we have uncovered more advanced, targeted threats than any other security vendor. When you hear in the news about the latest advanced persistent threat, the chances are that it was detected by Kaspersky Lab’s Global Research and Analysis Team. With an enviable track record in detecting targeted attacks and APTs, the team is renowned for its threat intelligence and has played a major role in discovering many of the most sophisticated attacks, such as:
• Red October
• Epic Turla
… and many more.
PREVENTION – USING AWARD-WINNING SECURITY TECHNOLOGIES TO DECREASE THE RISK OF TARGETED ATTACKS
Prevention-based security products can be very effective in protecting against common threats, including malware, network attacks, data leakage and more. But even these technologies are not sufficient to protect a business against targeted attacks. During a targeted attack, conventional prevention-based technologies may spot some individual incidents but usually fail to recognize that those incidents are part of a much more dangerous and complex attack, one that could be causing severe damage to your business and will continue to do so over the long term. Nevertheless, multi-layered, prevention-based technologies remain a key element of the new, proactive approach to guarding against targeted attacks.
These technologies are valuable in filtering out unnecessary incidents, common malicious objects and irrelevant communications. Comprehensive system hardening with targeted security solutions, security education and awareness-raising is also valuable: it increases the time and investment an attacker must spend penetrating your controlled perimeter, until you are no longer cost-effective to attack. 80% of targeted attacks start with a malicious email containing an attachment or link. Preferred penetration targets for cybercriminals include HR, call centers, personal assistants to senior management and outsourced areas of the business, which are seen as the least prepared parts of the organization.
It’s essential for enterprise organizations to continue using ‘traditional’ security technologies to:
- Automate the filtering and blocking of events and incidents not related to targeted attacks, which helps to avoid distracting analysts from discovering relevant incidents.
- Harden IT infrastructure against cheap and easy-to-perform techniques (social engineering, removable devices, mobile devices, malware and malicious email delivery, etc.).
In fact, all past spending on perimeter and endpoint security, along with the controls implemented, helps to increase the effort and investment cybercriminals need to penetrate your network. But if the attacker is sufficiently motivated, perhaps even hired by a third party to conduct a successful attack, a prevention-only approach will not be enough.
DETECTION – MULTI-VECTOR ADVANCED THREAT DISCOVERY BEFORE THE DAMAGE OCCURS
The earlier you detect an attack, the lower your financial losses and the less disruption your organization will suffer. So the quality and effectiveness of detection are paramount. Because targeted attacks are both compound and complex, detecting them calls for deep practical knowledge of how advanced and targeted attacks work. Simple anti-malware solutions are not able to defend against these types of attacks. Instead, you need detection technologies that can access up-to-the-minute threat intelligence data and can perform detailed analyses of suspicious behavior occurring at different levels of your corporate network. Detection of targeted attacks rests on connected solutions and services that deliver:
• Targeted Attack Discovery expertise – one-time audit of infrastructure in order to find traces of compromise
• Specialized solution – Anti Targeted Attack platform + Endpoint Detection and Response
• Threat Data Feeds for real-time threat exchange and updates about new threats
• Custom and APT reports for better understanding of threat sources and methods
• 24/7 Threat Hunting Managed Protection Service
Based on leading security intelligence and advanced machine learning technologies, the Anti Targeted Attack Platform combines network and endpoint data, a sandbox and intelligent analysis to correlate incidents, search for Indicators of Compromise and help uncover the most complex targeted attacks. Connecting the various pieces of an incident provides a comprehensive view of the entire attack chain, increasing confidence in assigned threat scores and reducing false positives.
The Anti Targeted Attack platform includes:
• Multi-layered sensor architecture – to give ‘all-round’ visibility. Through a combination of network, web and email, and endpoint sensors, the platform (KATA) provides advanced detection at every level of your corporate IT infrastructure
• Advanced Sandbox – to assess new threats. The result of over a decade of continuous development, our Advanced Sandbox offers an isolated, virtualized environment where suspicious objects can be safely executed so their behavior can be observed.
• Powerful analytical engines – for rapid verdicts and fewer false positives.
RESPONSE – HELPING BUSINESSES TO RECOVER FROM ATTACKS
Of course, achieving a higher rate of detection is only part of the battle. The best detection technologies are not much use if you don’t have the tools and expertise needed to respond rapidly to the ‘live’ threat that’s potentially damaging your organization. After detecting an attack, it’s important to have access to recognized security experts with the skills and experience to help:
• Assess and rectify the damage
• Rapidly recover your operations
• Receive actionable intelligence from the incident investigation
• Plan actions to prevent a repeat of the same attack scenarios
Once the Anti Targeted Attack Platform or a third-party security solution identifies that your business is being attacked, Endpoint Detection and Response takes over. It is the next vital component of the Threat Management and Defense solution, allowing companies to speed up their incident response process and improve the quality of incident investigation.
EDR provides centralized management of incidents across all endpoints on the corporate network – giving a seamless workflow and integration with network detection via the Anti Targeted Attack platform. A wide range of automated responses helps avoid the expensive downtime and lost productivity inherent in traditional remediation processes, like wiping and reimaging. By monitoring and controlling a vast range of functions via a single interface, security tasks can be performed more effectively and efficiently – with no flipping between multiple tools and consoles.
Endpoint Detection and Response delivers:
• Advanced Detection – the machine-learning Targeted Attack Analyzer (TAA) creates a baseline of endpoint behavior and keeps a historical record that can be used to discover how a breach occurred.
• Proactive Threat Hunting – fast search across a centralized database, plus Indicators of Compromise (IoC) search, helps the security team actively hunt for threats, proactively scanning endpoints to spot anomalies and security breaches.
• Adaptive Threat Response – a wide array of automated responses that help enterprises avoid traditional remediation processes, such as wiping and reimaging, that cause expensive downtime and loss of productivity.
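The two detection ideas above, a behaviour baseline that flags process lineage never seen before on a host and an IoC search over the same telemetry, combined into one prioritized hunt. This is an added example, not Kaspersky, KATA or EDR code; the event format, hosts, hashes, network indicators and scoring weights are all constructed for illustration.

```python
"""Threat hunting over endpoint telemetry: a behaviour baseline plus IoC search.

Added example; this is not Kaspersky/KATA/EDR code. The telemetry, hosts,
hashes and network indicators below are constructed for illustration.
Event format (hypothetical): host|parent_process|child_process|sha256|destination
"""
from collections import defaultdict

# Constructed baseline window: the process lineage considered normal on each host.
BASELINE_EVENTS = [
    "ws01|explorer.exe|outlook.exe|aaaa|mail.example.internal",
    "ws01|explorer.exe|winword.exe|bbbb|-",
    "ws01|services.exe|svchost.exe|cccc|update.example.internal",
    "ws02|explorer.exe|chrome.exe|dddd|www.example.com",
    "ws02|services.exe|svchost.exe|cccc|update.example.internal",
]

# Constructed hunting window: a document macro spawning PowerShell to an odd
# address, and a DLL loader with a known-bad hash beaconing to a listed domain.
HUNT_EVENTS = [
    "ws01|explorer.exe|outlook.exe|aaaa|mail.example.internal",
    "ws01|winword.exe|powershell.exe|eeee|203.0.113.10",
    "ws02|explorer.exe|chrome.exe|dddd|www.example.com",
    "ws02|svchost.exe|rundll32.exe|ffff|bad.example.net",
]

# Constructed indicators of compromise (placeholder hashes, documentation-range IP).
IOC_HASHES = {"ffff"}
IOC_NETWORK = {"203.0.113.10", "bad.example.net"}

# Weights used to turn individual reasons into a priority score for the analyst.
WEIGHTS = {"new parent/child pair": 1, "network IoC": 2, "hash IoC": 3}


def parse(line):
    host, parent, child, sha256, dest = line.split("|")
    return {"host": host, "parent": parent, "child": child,
            "sha256": sha256, "dest": dest}


def build_baseline(lines):
    """Map host -> set of (parent, child) process pairs seen in the baseline window."""
    baseline = defaultdict(set)
    for ev in map(parse, lines):
        baseline[ev["host"]].add((ev["parent"], ev["child"]))
    return baseline


def hunt(lines, baseline, ioc_hashes, ioc_network):
    """Flag events that deviate from the baseline or match an indicator.

    Returns findings sorted by score (highest first); each finding lists the
    reasons so an analyst can see why it was prioritized.
    """
    findings = []
    for ev in map(parse, lines):
        reasons = []
        if (ev["parent"], ev["child"]) not in baseline.get(ev["host"], set()):
            reasons.append("new parent/child pair")
        if ev["sha256"] in ioc_hashes:
            reasons.append("hash IoC")
        if ev["dest"] in ioc_network:
            reasons.append("network IoC")
        if reasons:
            findings.append({"host": ev["host"],
                             "process": f'{ev["parent"]} -> {ev["child"]}',
                             "reasons": reasons,
                             "score": sum(WEIGHTS[r] for r in reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS), IOC_HASHES, IOC_NETWORK):
        print(finding)
```

Running the hunt window against the baseline returns two findings: the rundll32 event on ws02 first (new lineage, hash and network indicator all hit) and the winword-to-powershell event on ws01 second (new lineage plus a network indicator); replaying the baseline window itself returns nothing, which is the sanity check to run whenever the baseline is rebuilt.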
Full visibility and accurate detection are only part of the battle. The very nature of targeted attacks means that attackers will come back with new tools and techniques. If an emergency occurs, the cybersecurity team may need a trusted partner with the relevant skills and experience, in addition to honing in-house skills. The Incident Response Service includes:
• Incident assessment. Initial analysis of an incident – rapidly delivered to help you minimize the damage to your business (the analysis can be performed onsite or remotely).
• Evidence collection. For example, gathering hard disk drive images, memory dumps, network traces, and other information that’s relevant to the incident.
• Forensic analysis. Detailed analysis to help establish information about:
– What was attacked
– Who carried out the attack
– The period during which your business was attacked
– Where the attack originated
– Why your business was attacked
– How the attack was implemented
• Malware analysis. Detailed analysis of malware that was used as part of the attack.
• Remediation plan. A detailed plan to help you prevent the malware from propagating across more of your network, plus help with planning its removal.
• Investigation report. A detailed report that includes information about the incident investigation and remediation.
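Evidence collection only supports the later forensic analysis and report if the artifacts can be shown not to have changed since they were gathered. The following added example (not part of the original page or of any Kaspersky service) builds a manifest that records a SHA-256 for each collected artifact, who collected it and when, and then re-verifies the set; the artifact files, case identifier and collector address are constructed stand-ins for real disk images, memory dumps and packet captures.

```python
"""Evidence manifest for incident response: hash each collected artifact, record
who collected it and when, and re-verify before analysis or hand-over.

Added example; not part of the original page or of any Kaspersky service.
The artifacts are small constructed files in a temporary directory standing
in for real disk images, memory dumps and network captures.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record name, size, SHA-256 and collection time for every artifact."""
    artifacts = []
    for path in paths:
        artifacts.append({
            "name": os.path.basename(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"case_id": case_id, "collector": collector, "artifacts": artifacts}
    # Hash of the canonical JSON form, so the manifest itself can be checked
    # against a copy kept out of band (for example in the case ticket).
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify_manifest(manifest, directory):
    """Return names of artifacts whose current hash differs from the manifest (empty = intact)."""
    return [a["name"] for a in manifest["artifacts"]
            if sha256_file(os.path.join(directory, a["name"])) != a["sha256"]]


def demo():
    """Collect two constructed artifacts, verify, then detect a modified capture."""
    with tempfile.TemporaryDirectory() as workdir:
        mem = os.path.join(workdir, "ws01-memory.raw")
        pcap = os.path.join(workdir, "ws01-egress.pcap")
        with open(mem, "wb") as f:
            f.write(b"constructed memory dump bytes")
        with open(pcap, "wb") as f:
            f.write(b"constructed packet capture bytes")
        manifest = build_manifest([mem, pcap], "IR-0001", "analyst@example.com")
        intact = verify_manifest(manifest, workdir)
        with open(pcap, "ab") as f:          # simulate post-collection tampering
            f.write(b"tampered")
        tampered = verify_manifest(manifest, workdir)
        return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before:", before, "after:", after)
```

The first verification returns an empty list; after the capture file is appended to, the second names it, which is the signal to stop and document the discrepancy rather than proceed to analysis. Hashing in chunks matters for real images, and keeping the manifest hash somewhere the manifest cannot be silently edited is what makes the record useful as chain-of-custody evidence.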
If your own security team is able to carry out many of the incident response tasks, you may wish to use one of our other services:
• Malware Analysis Service – subjects the malware your team has isolated to detailed analysis.
• Digital Forensics Service – analyzes digital evidence & incident effects gathered by your team.
PREDICTION – DOING MORE TO GUARD AGAINST FUTURE THREATS
With the threat landscape constantly changing, your security strategy must continually evolve to meet new challenges. Security isn’t a ‘one-off activity’ – it’s an ongoing process that calls for continuous assessment of:
• The latest threats
• The effectiveness of your IT security
… so your business can adapt to new risks and changing demands.
GLOBAL THREAT INTELLIGENCE ACCESS
Having access to experts who can keep you updated on the global threat landscape, and help you to test your systems and your existing defenses, is a vital element in helping your organization adapt and keep pace with new security threats. Over the years, our global security experts have amassed a vast amount of knowledge about how advanced and targeted attacks work, and they constantly analyze new attack techniques. This hard-won expertise means they are uniquely placed to predict new attack methods and help you be ready to combat them.
In addition, specialized services may help you ‘harden’ your IT infrastructure:
• Penetration Testing Services – to help you assess the effectiveness of your current security provisions.
• Application Security Assessment Services – to help you find software vulnerabilities… before the cyber criminals do.
• Advanced Cybersecurity Training – to help train your own experts and build your own Security Operations Center
• Intelligence Reporting and Customized Threat Reporting – to help keep you updated on today’s constantly changing threat landscape
• Threat Lookup portal – access to Kaspersky Lab’s global threat intelligence database to empower your malware research
Kaspersky’s Adaptive Security Strategy is founded on the adaptive security architecture described by Gartner. Kaspersky Lab’s approach provides a cycle of activities in four key areas: Prevent, Detect, Respond, and Predict. Essentially, it assumes that traditional prevention systems should function in connection with detection technologies, threat analytics, response capabilities and predictive security techniques, creating a cybersecurity system that continuously adapts and responds to emerging enterprise challenges.
Adopting Threat Management and Defense solution means:
- Moving from a reactive security model to a proactive model based on risk management, continuous monitoring, better-informed incident response and threat hunting capabilities
- Your operational framework streamlines day-to-day security processes and boosts security effectiveness through a multi-layered defense model that prevents and detects advanced threats at each stage of the attack.
- One integrated platform reduces the flood of security alerts that overwhelms most security teams by adding threat-intelligence-based context and prioritization to alerts, and improves tactical responses by sharing threat knowledge, deep expertise and security intelligence services.
This environment provides security analysts with visibility of all attack stages in a unified way, enabling seamless threat analysis and confident investigation of both known and unknown threats before they impact the business. Global Threat Intelligence sharing through APT and threat intelligence portals provides unique proactive insights into the motives and intentions of your adversaries, so you can prioritize policies and security investment planning accordingly.