Protecting Against Advanced Persistent Threats: Choosing A Security Solution

Advanced Persistent Threats

Advanced Persistent Threats (APTs) are a growing danger to all organizations. Unlike legacy malware, which operates opportunistically, APTs can persist undetected on a network for over a year, while the perpetrators behind them manipulate and steal valuable data and carry out their devious economic, political and social agendas.

It is the persistent and recurring nature of APTs that makes them destructive, costly and a top security concern for all organizations – not just the military, defense contractors and governments. The perpetrators of APTs today have gone beyond these traditional targets and are aiming at organizations and enterprises in the energy, education, manufacturing, communications, financial services, and additional sectors.

While the situation appears daunting, getting the protection to secure a network is not as difficult as it may seem. The following are important factors to consider when selecting an APT protection solution.

Big Data With A Focus On Detection

It is well established that preventing 100% of infections is not possible. Recent examples include the Comfoo Trojan used to attack the information security company RSA in 2010, the 2011 breach of top U.S. weapons manufacturer Lockheed Martin, the 2012 Shamoon malware attack on Aramco (the Saudi Arabian national oil and natural gas company) and the recent malware attack at two Turkish international airports, which crippled passport control systems causing significant flight delays and border gate congestion.

Complete threat identification simply cannot happen in real-time at the organization’s network perimeter or by policy enforcement. At the same time, the inherent hardware boundaries and time limitations of on-premises applications allow threats to penetrate such security frameworks. However, despite these accepted facts, many in the IT security field continue to focus on prevention and, as a result, expose their organizations to subtle, hidden and previously unknown APTs.

Logically, APT detection decisions must be based on the ability to analyze data. To be effective and overcome the above protection deficiencies, extended periods of HTTP/S traffic log data should be analyzed, suspicious executables should run for sustained durations of time, and proactive threat intelligence needs to be a focus. This is where Big Data comes into play.

Big Data analytics allows protection to expand and adapt to meet the ever-increasing sophistication of new APTs and creates the flexibility and scalability required to process immense amounts of multi-layered data over time.

Automated Analysis

Detecting APTs is not easy. With the sheer volume of new threats emerging on a daily and even an hourly basis, many security solutions oblige organizations to use an expensive staff of malware analysts and forensic specialists to manually locate threats and diagnose breaches.

This costly scenario can be avoided with an APT protection solution that automates Big Data analytics. Today, the only task that should be performed is the automatic uploading of HTTP/S gateway traffic log files to a secure cloud-based security solution. From there, an APT protection solution should automatically analyze and correlate data against unique malware behavior profiles created by an automated and elastic malware analysis sandbox.

The ability to use layers of machine learning algorithms to rapidly analyze historic network traffic data will further help uncover hidden APTs that may have been operating undetected on the network for months and even years.
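As an added illustration of the correlation step described above (this is example code, not Seculert's product logic), the block below matches constructed HTTP gateway log lines against a hypothetical sandbox-derived behavior profile and flags clients that contact the profiled domain at a near-constant interval over a long window, the kind of low-and-slow beaconing that only shows up when historic logs are analyzed rather than single requests. The log format, the profile fields and the jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Hypothetical profile a sandbox run might emit for one sample (constructed).
PROFILE = {"domain": "update.example-c2.test",
           "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}

# Constructed gateway log lines: time, client, method, URL, quoted user-agent.
LOG = """\
2013-03-01T08:00:00 10.1.2.3 GET http://update.example-c2.test/ping "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-01T08:00:02 10.1.2.9 GET http://intranet.corp.test/home "Mozilla/5.0"
2013-03-01T09:00:01 10.1.2.3 GET http://update.example-c2.test/ping "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-01T10:00:00 10.1.2.3 GET http://update.example-c2.test/ping "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-01T11:00:01 10.1.2.3 GET http://update.example-c2.test/ping "Mozilla/4.0 (compatible; MSIE 6.0)"
2013-03-01T11:30:00 10.1.2.9 GET http://update.example-c2.test/ping "Mozilla/5.0"
"""

def parse(log):
    """Turn raw log lines into records; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue
        ts, client, _method, url, ua = parts
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": urlsplit(url).hostname, "ua": ua.strip('"')})
    return records

def find_beacons(records, profile, min_hits=3, max_jitter=0.05):
    """Return {client: period_seconds} for clients whose profile-matching
    requests recur at a near-constant interval (low jitter = beaconing)."""
    hits = defaultdict(list)
    for r in records:
        if r["host"] == profile["domain"] and r["ua"] == profile["user_agent"]:
            hits[r["client"]].append(r["ts"])
    beacons = {}
    for client, times in hits.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[client] = round(period)
    return beacons
```

On the constructed lines, `find_beacons(parse(LOG), PROFILE)` returns `{"10.1.2.3": 3600}`: the host polling the profiled domain hourly is flagged, while the single request from 10.1.2.9 with a different user-agent is not.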

Evolving Malware Dataset

The ability to rapidly share information about uncovered threats and attacks is essential. However, despite much criticism, most security solutions are closed environments. A properly architected APT prevention solution can overcome this limitation. Such a solution should be cloud-based, enabling it to scale according to individual needs. The cloud also supplies the elastic environment necessary to collect and analyze petabytes of data.

This Big Data can be sourced from several methods, including the interception of communications between live botnets and their command and control servers, machine learning algorithms analyzing a company’s HTTP/S gateway traffic logs, and the mapping of malware behavior from suspicious files that have been analyzed by an elastic sandbox. These methods, including the crowdsourcing of sophisticated malware profiles and suspicious executables, benefit not only a company’s ability to protect itself from APTs but also the security community at large.

Up And Running In Minutes

Who today has time to complete an additional multi-day training program or certification course? Obliging security staff to spend their limited time attending yet another training to learn how to configure a new on-premises device is no longer necessary for complete APT protection.

Today, APT protection can be accomplished using a cloud-based solution which can be up and running within minutes.

By leveraging the data from proactive botnet interception, malware expertise, detailed forensics and an API providing real-time intelligence to your existing security infrastructure, a staff can focus their time and effort on securing the organization rather than attending trainings on another on-premises security device.

Crowdsourced Threat Repository

Effective APT detection and prevention requires vast amounts of data to be collected from multiple sources and then analyzed on an ongoing basis. This can be a time-consuming and resource-draining investment. For many APT protection solutions, this is a necessary requirement in order to be effective.

However, this expensive and labor-intensive scenario is easily bypassed by those APT protection solutions that already feature a behind-the-scenes crowdsourced threat repository – one that automatically processes tens of thousands of malware samples a day and petabytes of gateway traffic logs every month.

Cost Effective

Most organizations are using on-premises appliances for firewall, IPS, endpoint protection and related network and information security measures. Frankly, adding another box for APT protection will only complicate an already complicated security framework and will add another layer of expenses and IT management to a company’s overhead.

By managing APT protection efforts from a cloud-based solution, as with all SaaS solutions, there is a low total cost of ownership with no upfront investments in hardware or software. Along with elasticity and scalability, a cloud-based APT protection solution is non-intrusive and has no impact on existing organizational resources.

In summary, all organizations and enterprises are now targets of a growing range of cyber-criminals, hacktivists, adversaries and even nation-states. Today, it is not a question of if the organization will be attacked, but rather when will the attack occur and how much damage it will cause prior to detection.

With the unprecedented velocity and complexity of APTs, deploying an APT protection solution is mandatory. Organizations can no longer rely on a conventional prevention-based approach to remain safe. By using these key considerations as part of important decision-making criteria when selecting an APT protection solution, an organization can stay protected against existing and future advanced malware and persistent threats, improve its overall security framework, and focus on success.

Aviv Raff

As Chief Technology Officer, Aviv Raff is responsible for the fundamental research and design of Seculert's core technology. Aviv brings with him over 10 years of experience in leading software development and security research teams. Prior to Seculert, Aviv established and managed RSA's FraudAction Research Lab, as well as working as a senior security researcher at Finjan's Malicious Code Research Center. Before joining Finjan, Aviv led software development teams at Amdocs, an industry leader in billing systems. Aviv has published several pioneering security research articles, and is a frequent participant and requested speaker at information security conferences worldwide. Aviv holds a B.A. in Computer Science and Business Management from the Open University (Israel).