Anyone who hasn’t heard of advanced targeted attacks has their head in the sand. Opportunistic attacks launched en masse still occur, but they can often be prevented using tools that are in widespread use, such as anti-virus, since the malware strain used has either been seen before or can be quickly identified and stopped. Advanced targeted attacks are more pernicious, complex and harder to defend against. New tools are required.
Today’s mantra is "it is not if, but when and how often" an organisation will be breached. Prevention alone is not enough. It remains necessary, and vendors have developed a variety of new techniques for stopping even zero-day attacks, but the reality is that some attacks will always get through. This is leading vendors to expand their capabilities into detecting threats that have already breached network defences, and into incident response and remediation.
Because of these factors, the market for advanced threat protection and mitigation technologies is expanding rapidly. Vendors and investors are responding. Some of the specialists, including CounterTack, Damballa, and Lastline have seen cash injections this year to enable them to expand and continue product development. There has also been a rash of acquisitions recently. At the beginning of the year, FireEye acquired Mandiant and Bit9 merged with Carbon Black, both of which expand their capabilities into threat remediation. Palo Alto Networks acquired Cyvera in April, NetCitadel was acquired by Proofpoint in May, and IBM has expanded its security portfolio with acquisitions of CrossIdeas in July and Lighthouse Security in August. Partnerships are expanding rapidly across the board, allowing vendors to expand their offerings into complementary areas to offer wider capabilities in defending against advanced threats and attacks.
One particular theme that underlies all of this is the need for increased automation. The volume and severity of security threats and incidents faced by every organisation continues to rise. Organisations are struggling to cope with the maelstrom. Even where they have threat detection technologies in place, the volume of alerts is too great to be dealt with manually. Containing threats until they can be dealt with is also only a stop-gap measure, as attackers look to lie dormant on networks, waiting for a chance to resume their attack.
Vendors are responding by bringing out new advanced automated detection and remediation options, looking to give organisations greater visibility into what is happening on their networks and so provide the intelligence they need for more informed decision making. Indicators of compromise (IOCs) are a fairly new buzzword. The term refers to the artefacts that any attack leaves behind, such as file hashes, domain names, IP addresses and registry keys, from which the tools, techniques and procedures used by today’s advanced attackers can be identified. From these, countermeasures can be developed that help organisations remediate even the most advanced attacks.
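To make the indicator-of-compromise idea concrete, the following is an added example (not code from the article or from any vendor named in it). It holds a small indicator set of three types, a file hash, domain names and an IP range, and runs it over a handful of constructed log lines in a simplified key=value format, which is an assumption; real proxy and endpoint logs differ by product. The indicator values are also constructed (documentation-reserved addresses and example domains, and a hash of a fixed string), not real threat data. The one thing the paragraph does not show is that a single IOC hit is weak evidence, whereas one host matching several indicator types at once is much stronger, so the example groups hits per host.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Indicator set: constructed for this example using documentation-reserved
# values (example.net/.org, TEST-NET-3 addresses), not real threat data.
SAMPLE_FILE_HASH = hashlib.sha256(b"constructed dropper payload").hexdigest()

IOCS = {
    "sha256": {SAMPLE_FILE_HASH},
    "domain": {"c2.example.net", "update.example.org"},
    "ipv4": {ipaddress.ip_network("203.0.113.0/24")},
}

# Constructed log lines in a simplified key=value format (assumed; real
# DNS, proxy and endpoint logs differ by product).
SAMPLE_LOGS = [
    "ts=2014-09-01T10:00:01Z type=dns host=ws-17 query=www.example.com",
    "ts=2014-09-01T10:00:07Z type=dns host=ws-17 query=C2.EXAMPLE.NET.",
    "ts=2014-09-01T10:00:08Z type=net host=ws-17 dst=203.0.113.5 dport=443",
    f"ts=2014-09-01T10:00:09Z type=exec host=ws-17 image=C:\\Users\\a\\tmp.exe sha256={SAMPLE_FILE_HASH}",
    "ts=2014-09-01T10:00:12Z type=net host=ws-21 dst=198.51.100.9 dport=80",
]


@dataclass(frozen=True)
class Match:
    host: str
    ioc_type: str
    value: str
    line: str


KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(KV.findall(line))


def normalise_domain(name):
    # DNS names are case-insensitive and may carry a trailing dot; an
    # indicator written in lower case must still match "C2.EXAMPLE.NET.".
    return name.rstrip(".").lower()


def match_line(line, iocs=IOCS):
    """Return every indicator match found in a single log line."""
    fields = parse(line)
    host = fields.get("host", "?")
    hits = []
    if "query" in fields:
        q = normalise_domain(fields["query"])
        if q in iocs["domain"]:
            hits.append(Match(host, "domain", q, line))
    if "dst" in fields:
        try:
            addr = ipaddress.ip_address(fields["dst"])
        except ValueError:
            addr = None  # malformed address: skip rather than crash the scan
        if addr is not None and any(addr in net for net in iocs["ipv4"]):
            hits.append(Match(host, "ipv4", str(addr), line))
    if "sha256" in fields:
        h = fields["sha256"].lower()
        if h in iocs["sha256"]:
            hits.append(Match(host, "sha256", h, line))
    return hits


def scan(lines, iocs=IOCS):
    return [m for line in lines for m in match_line(line, iocs)]


def hosts_by_hits(matches):
    """Group matches by host, most distinct indicator types first, so a
    machine that looked up the C2 domain, connected to the C2 range and
    ran the known binary ranks above a host with one isolated hit."""
    by_host = {}
    for m in matches:
        by_host.setdefault(m.host, set()).add(m.ioc_type)
    return sorted(by_host.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for m in hits:
        print(f"{m.host}: {m.ioc_type}={m.value}")
    for host, types in hosts_by_hits(hits):
        print(host, sorted(types))
```

Run on the constructed lines, the scan produces three hits, all on ws-17 (a DNS lookup of the indicator domain, a connection into the indicator range and execution of the indicator hash), while ws-21's connection to an address outside the range produces none. The normalisation step matters in practice: indicators are usually published in canonical lower-case form, but logs record what the endpoint actually sent.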
Incident response is the new imperative. Many vendor offerings still require some element of human intervention or services, and the number of partnerships and offerings in these areas is expanding rapidly. One of the latest trends, however, is to automate incident response capabilities, giving organisations a better chance not only of remediating, and even removing, threats entirely, but also of defeating future attacks through advanced machine learning capabilities. Some of the notable vendors moving into this space are Hexis Cyber Solutions, which is perhaps currently the most advanced in terms of automated threat removal; Bit9 + Carbon Black, through its partnership with Kroll; FireEye, with its acquisition of nPulse Technologies in May; CounterTack; and Fidelis, which recently introduced an automated incident response offering.
All of these developments attest to the vibrancy of the advanced threat protection and defence market. If the war against today’s sophisticated adversaries is to be won, the response must be efficient and automated. Security breaches are not just everyday news, they are causing ever greater damage to the organisations concerned. Yesterday’s tools are no longer sufficient.