by Neil MacDonald | April 4, 2011 | Are APTs Really New? Observations from the APT Summit
I recently had the opportunity to kick off a summit in Washington DC on the topic of Advanced Persistent Threats along with a number of other speakers representing different technologies and services that could be used to prevent or identify advanced intrusions.
Here are my observations from the summit:
1) APT is first and foremost about the “who” – and the term specifically refers to an actor, typically a nation state. If you are using the term simply as a synonym for an advanced attack, you are missing the point.
2) An APT is about the combination of all of these:
- Who: Who attacked whom?
- What: Value gained? What damage was caused? Information stolen?
- When: When did the compromise occur and how long was it undetected?
- Where: What systems and locations were targeted?
- How: What vulnerability (people, process or technical) was exploited?
- Why: What was their motivation and mission?
3) While the “who” might be important to some organizations and governments, the “how” is actually more relevant to most enterprise information security organizations as we need to shut down whatever vulnerability in people, process or technology led to the intrusion.
4) Are APTs really new? At one level, the question is moot as everyone in the room agreed that these advanced attacks are real and that intrusions are persisting undetected and that new approaches are needed.
Here are the two perspectives:
- We’ve been dealing with advanced threats for years, and viewed this way, APT is nothing new. Consider spyware in the 2002-2005 timeframe. Back then it was advanced and not detected by AV; now it isn’t considered advanced and is detectable. Any new type of threat that is undetectable using traditional means could be considered an APT.
- While the individual components have always been there, the combination of who, what, when, where, why and how are unique enough to warrant a new term. Consider the “Web” or more recently, “Cloud Computing”. Both were built on technologies that already existed. However, the unique combination of how these worked together warranted a new term.
The first perspective misses the point: using APT as a synonym for an advanced attack ignores what an APT is defined to be, namely the “who” component.
I believe the second perspective has value. The combination is unique enough to warrant a new term to create awareness and a call to action, just like the terms “Web” and “Cloud Computing” have done (and just as the term “spyware” created a call to action nearly a decade ago).
Which brings me to my final observation and call to action:
5) 100% prevention is a fallacy. Ninety-five percent of enterprises have already been breached (they just don’t know it yet). I’ve blogged about this issue many times. We are far too dependent on prevention technologies which are increasingly ineffective – antimalware, network and host based intrusion prevention systems, firewalls and so on. Important, yes — but increasingly ineffective. We must assume we will be compromised and must have better detection capabilities in place that provide visibility as to when this type of breach occurs.
This alone provides some insight into today’s announcement that RSA (which is not a traditional endpoint, firewall or IPS vendor) has acquired NetWitness with stated plans to integrate the technology into its IT GRC and Security Information and Event Management platforms.