DesigninganAdaptiveSecurityArchitectureforProtectionFromAdvancedAttacks Designing an Adaptive Security Architecture for Protection From Advanced Attacks 12 February 2014 ID:G00259490 Analyst(s): Neil MacDonald, Peter Firstbrook VIEW SUMMARY Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks. Comprehensive protection requires an adaptive protection process integrating predictive, preventive, detective and response capabilities. STRATEGIC PLANNING ASSUMPTIONS By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches — up from less than 10% in 2014. By 2020, 40% of enterprises will have established a security data warehouse — up from less than 5% in 2014. Overview Key Challenges Existing blocking and prevention capabilities are insufficient to protect against motivated, advanced attackers. Most organizations continue to overly invest in prevention-only strategies. Detective, preventive, response and predictive capabilities from vendors have been delivered in nonintegrated silos, increasing costs and decreasing their effectiveness. Information security doesn't have the continuous visibility it needs to detect advanced attacks. Because enterprise systems are under continuous attack and are continuously compromised, an ad hoc approach to "incident response" is the wrong mindset. Recommendations Information security architects: Shift your security mindset from "incident response" to "continuous response," wherein systems are assumed to be compromised and require continuous monitoring and remediation. Adopt an adaptive security architecture for protection from advanced threats using Gartner's 12 critical capabilities as the framework. Spend less on prevention; invest in detection, response and predictive capabilities. Favor context-aware network, endpoint and application security protection platforms from vendors that provide and integrate prediction, prevention, detection and response capabilities. Develop a security operations center that supports continuous monitoring and is responsible for the continuous threat protection process. Architect for comprehensive, continuous monitoring at all layers of the IT stack: network packets, flows, OS activities, content, user behaviors and application transactions. By 2018, 80% of endpoint protection platforms will include user activity monitoring and forensic capabilities — up from less than 5% in 2013. EV IDENCE 1 Industry data shows that it takes an average of 243 days to detect a breach (see Mandiant's "M-Trends 2013: Attack the Security Gap" at www.mandiant.com/resources/mandiant-reports). 2 Visibility into cloud-based services can be achieved in a variety of ways. A cloud access security broker (see "The Growing Importance of Cloud Access Security Brokers" [Note: This document has been archived; some of its content may not reflect current conditions]) is one way to gain visibility. Alternatively, the cloud provider may make logs available for analysis, such as Amazon Web Service's (AWS's) recent announcement of CloudTrail. Visibility may be provided by security controls that run in the cloud itself — such as CloudLock for Google Apps and salesforce.com or Alert Logic for AWS. In other cases, agents running within the virtual machines in cloud-based infrastructure-as-a-service offerings can deliver the same visibility as workloads in enterprise data centers, such as those from CloudPassage, Dome9 and Trend Micro. 3 See Financial Services Information Sharing and Analysis Center (FS-ISAC). 4 See Imperva's ThreatRadar Reputation Services and HP Threat Central. 5 An entire set of vendors is appearing to deliver isolation and sandboxing capabilities on Windows and mobile devices. Application-layer containment: TABLE OF CONTENTS CONTENTS Introduction Analysis Critical Competencies of an Adaptive Protection Architecture Security Protection as a Continuous Process Continuous Monitoring and Analytics Is at the Core of the Adaptive Protection Architecture Six Key Inputs Into the Adaptive Protection Architecture 12 Critical Capabilities of an Adaptive Protection Process Capabilities Must Work Together as a System Evaluating Vendors and Solutions Against This Architecture FIGURES Blue Ridge Networks AppGuard Enterprise Bromium micro-virtualization vSentry MirageWorks vDesk and iDesk Trustware BufferZone Invincea Enterprise Edition Sandbox