Advanced security threats are increasing, but simply adding more layers of defense does not necessarily increase security against targeted threats; security controls need to evolve, according to Gartner, Inc.
"Targeted attacks are penetrating standard levels of security controls and causing significant business damage to organisations that do not evolve their security controls," said John Pescatore, vice president and distinguished analyst at Gartner. "For the average organisation, 4 per cent to 8 per cent of executables that pass through antivirus and other common defences are malicious. Organisations need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats. There are existing security technologies that can greatly reduce vulnerability to targeted attacks."
Gartner analysts said the term "advanced persistent threat" (APT) has been overhyped and is distracting organisations from a very real problem. APT was coined by the military to refer to a specific threat from another country. It was expanded to include other aggressive nation states, but has been co-opted by the media and by security vendors to hype the source of an attack, which distracts from the real issue - focusing on the vulnerabilities that the attackers are exploiting.
"The reality is that the most important issues are the vulnerabilities and the techniques used to exploit them, not the country that appears to be the source of the attack," Mr Pescatore said. "The major advance in new threats has been the level of tailoring and targeting - these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches."
Targeted attacks aim to achieve a specific impact against specific organisations, and have three major goals:
Denial of service: Disrupting business operations Theft of service: Obtaining use of the business product or service without paying for it Information compromise: Stealing, destroying or modifying business-critical information
The motivation for advanced targeted threats is usually financial gain, such as through extortion during a denial-of-service attack, trying to obtain a "ransom" for stolen information, or selling stolen identity information to criminal groups. Through year-end 2015, financially motivated attacks will continue to be the source of more than 70 per cent of the most damaging cyberthreats. Most politically motivated attacks actually reuse techniques first seen in cybercrime attacks.
Gartner has identified some strategies that companies can implement to deal with advanced targeted threats:
Own the vulnerability; don't blame the threat: There are no unstoppable forces in cyberattacks. If IT leaders close the vulnerability, then they stop the curious teenager, the experimental hacker, the cybercriminal and the information warrior. Many attacks that include zero-day exploits often use well-known vulnerabilities as part of the overall attacks.
"Businesses and government agencies involved in critical infrastructure, high-tech or financial operations that are constant targets of cybercrime and other advanced threats need to add 'lean-forward' capabilities to have continual visibility into potential attacks and compromises," Mr Pescatore said. "The use of specialised threat detection, network forensics and situational awareness technologies can be very effective in quickly detecting and reacting to the first stages of an advanced targeted threat, but require high levels of skilled resources to be effective."
Evolve defences; don't just add layers: The best approach to reducing the risk of compromise is always "security in depth" - if the organisation can afford it. Affording it means not just having the money to buy increasing numbers of security products, but also the staff and operations support to use and integrate everything together. Having more security layers does not automatically mean more security.
Focus on security, not compliance: There is a big difference between compliance and security. "Due diligence" from a compliance perspective is simply limiting the company's liability from legal action - it is never the answer to dealing with advanced threats or living up to customers' trust.
"A lean-forward approach to security is going beyond the due diligence level of the standard network security and vulnerability assessment controls, and using tools and processes to continuously look for active threats on the internal networks," Mr Pescatore said. "However, IT leaders must be prepared to invest in and staff lean-forward processes - and they must be prepared to take action if they find something."
Additional information is available in the Gartner report "Strategies for Dealing With Advanced Targeted Threats" at http://www.gartner.com/.... A Gartner Special Report on IT Security and Risk Management is available at http://www.gartner.com/....
Gartner analysts will discuss the priorities for privacy and other security professionals at the Gartner Security & Risk Management Summit 2011 taking place 19-20 September, in London.
About Gartner Security & Risk Management 2011
The Gartner Security & Risk Management Summit 2011 provides chief information security officers (CISOs) and security, risk management and business continuity professionals with advice on infrastructure protection, governance, risk management, compliance, business continuity, disaster preparedness, response and recovery. The event features analyst-moderated user roundtables, workshops and end-user case studies, plus new research, trend updates, best practices and long-range scenarios.
For further information, please visit www.europe.gartner.com/.... Members of the media can register by contacting Holly Stevens at holly.stevens@gartner.com.
Additional information from the event will be shared on Twitter at http://twitter.com/... using #GartnerSecurity.
"Targeted attacks are penetrating standard levels of security controls and causing significant business damage to organisations that do not evolve their security controls," said John Pescatore, vice president and distinguished analyst at Gartner. "For the average organisation, 4 per cent to 8 per cent of executables that pass through antivirus and other common defences are malicious. Organisations need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats. There are existing security technologies that can greatly reduce vulnerability to targeted attacks."
Gartner analysts said the term "advanced persistent threat" (APT) has been overhyped and is distracting organisations from a very real problem. APT was coined by the military to refer to a specific threat from another country. It was expanded to include other aggressive nation states, but has been co-opted by the media and by security vendors to hype the source of an attack, which distracts from the real issue - focusing on the vulnerabilities that the attackers are exploiting.
"The reality is that the most important issues are the vulnerabilities and the techniques used to exploit them, not the country that appears to be the source of the attack," Mr Pescatore said. "The major advance in new threats has been the level of tailoring and targeting - these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches."
Targeted attacks aim to achieve a specific impact against specific organisations, and have three major goals:
Denial of service: Disrupting business operations Theft of service: Obtaining use of the business product or service without paying for it Information compromise: Stealing, destroying or modifying business-critical information
The motivation for advanced targeted threats is usually financial gain, such as through extortion during a denial-of-service attack, trying to obtain a "ransom" for stolen information, or selling stolen identity information to criminal groups. Through year-end 2015, financially motivated attacks will continue to be the source of more than 70 per cent of the most damaging cyberthreats. Most politically motivated attacks actually reuse techniques first seen in cybercrime attacks.
Gartner has identified some strategies that companies can implement to deal with advanced targeted threats:
Own the vulnerability; don't blame the threat: There are no unstoppable forces in cyberattacks. If IT leaders close the vulnerability, then they stop the curious teenager, the experimental hacker, the cybercriminal and the information warrior. Many attacks that include zero-day exploits often use well-known vulnerabilities as part of the overall attacks.
"Businesses and government agencies involved in critical infrastructure, high-tech or financial operations that are constant targets of cybercrime and other advanced threats need to add 'lean-forward' capabilities to have continual visibility into potential attacks and compromises," Mr Pescatore said. "The use of specialised threat detection, network forensics and situational awareness technologies can be very effective in quickly detecting and reacting to the first stages of an advanced targeted threat, but require high levels of skilled resources to be effective."
Evolve defences; don't just add layers: The best approach to reducing the risk of compromise is always "security in depth" - if the organisation can afford it. Affording it means not just having the money to buy increasing numbers of security products, but also the staff and operations support to use and integrate everything together. Having more security layers does not automatically mean more security.
Focus on security, not compliance: There is a big difference between compliance and security. "Due diligence" from a compliance perspective is simply limiting the company's liability from legal action - it is never the answer to dealing with advanced threats or living up to customers' trust.
"A lean-forward approach to security is going beyond the due diligence level of the standard network security and vulnerability assessment controls, and using tools and processes to continuously look for active threats on the internal networks," Mr Pescatore said. "However, IT leaders must be prepared to invest in and staff lean-forward processes - and they must be prepared to take action if they find something."
Additional information is available in the Gartner report "Strategies for Dealing With Advanced Targeted Threats" at http://www.gartner.com/.... A Gartner Special Report on IT Security and Risk Management is available at http://www.gartner.com/....
Gartner analysts will discuss the priorities for privacy and other security professionals at the Gartner Security & Risk Management Summit 2011 taking place 19-20 September, in London.
About Gartner Security & Risk Management 2011
The Gartner Security & Risk Management Summit 2011 provides chief information security officers (CISOs) and security, risk management and business continuity professionals with advice on infrastructure protection, governance, risk management, compliance, business continuity, disaster preparedness, response and recovery. The event features analyst-moderated user roundtables, workshops and end-user case studies, plus new research, trend updates, best practices and long-range scenarios.
For further information, please visit www.europe.gartner.com/.... Members of the media can register by contacting Holly Stevens at holly.stevens@gartner.com.
Additional information from the event will be shared on Twitter at http://twitter.com/... using #GartnerSecurity.
