Advanced Persistent Threat: Solution – No, Effective Detection – Yes
January 27, 2010
I have enjoyed the lively discussion in blogs and on Twitter about what has been named the “Advanced Persistent Threat” or APT by industry smart guys (that is a compliment, not sarcasm) like Rich Mogull (@rmogull, Securosis), Andrew Jaquith (@arj, Forrester) and Nick Selby (@nselby, Web site). Jaquith posted a great blog entry yesterday that provides a solid definition for APT and additional clarification of what APT is not. To paraphrase, APT is characterized by a sophisticated adversary that is engaged in the long-term pursuit of sensitive data or intellectual property. This contrasts with broad, general attacks that leverage known exploits to pick off whatever computers are not properly protected.
Yesterday in a presentation to a potential partner for Triumfant, a highly experienced security person raised the subject of APT and asked me directly if Triumfant was a solution for APT. My response was a simple “no”. This sentiment was echoed by Rich Mogull of Securosis when he tweeted that he was not a fan of any vendor that mentioned APT and “solution” together. The reason is simple – APT by definition is in a constant state of evolution, and unless your solution can block all attack vectors currently known and those not yet even created, you do not have a solution to APT. Or as Jaquith points out, APT is not a specific attack or an attack vector that can be detected by a product.
Remember that the paragraph above comes from a vendor whose offering would tempt marketing types to make exactly such a claim. Luckily, this is not my first rodeo, and all of us on the Triumfant team carefully avoid such hyperbole and will often disarm prospects by detailing our capabilities, including what we do not do. I say this knowing eyes will roll, but our product has more than enough differentiation without having to resort to hyperbole and claims we cannot support.
It is not the fault of traditional security tools that they are not equipped to deal with APT. They were conceived and built in a simpler time when the number of attacks was small and those attacks were broad and non-specific. Six million signatures and the transition from basement bandits to organized cyber criminals later, no advancements to these tools can overcome their foundational flaw of reliance on prior knowledge of an attack. APT represents an evolution of malicious activity and intent that is a full generation removed from these tools.
Back to my answer to the question about being a solution for APT. From my initial, honest “no”, I continued that while I would not say that Triumfant is the solution for APT, Triumfant is a very proficient technology for advanced persistent threat detection. I would also include the ability of Triumfant to detect new malware threats, detect zero day attacks, and detect targeted attacks. I added that Triumfant not only detects APT attacks, it will also provide rapid response by remediating the attacks that are characteristic of APT. Triumfant’s ability to monitor over 200,000 granular attributes on every machine and detect changes to those attributes is what triggers our analysis. No prior knowledge of an attack is required. So whether the attack is newly minted or has been around for years, we detect attacks by looking for changes.
Most security people will tell you that the ability to comprehensively and accurately detect anomalies on a computer is one of the best, if not the best, methods for detecting an attack such as those that would fall under the umbrella of APT. The traditional impediment is the inability to solve the false positive problem. We believe that the patented analytics at the core of Triumfant have solved that issue through our unique ability to analyze all changes in the context of our adaptive reference model (explained here). It is change that triggers the analysis, regardless of whether that change is caused by an external attack or the work of a maliciously intended insider.
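The change-triggered, population-aware analysis described above, as an added illustration that is not Triumfant’s code and uses constructed host snapshots: a change that appears across most of the fleet (a patch rollout) is absorbed into the reference model, while a change unique to one host is reported as an anomaly.

```python
from collections import Counter

# Constructed sample data: attribute snapshots (attribute -> value) for a
# small fleet before and after a change window. Hosts and values are made up.
BASELINE = {
    "host-a": {"file:/usr/bin/agent": "h1", "service:spooler": "auto", "autorun:updater": "upd"},
    "host-b": {"file:/usr/bin/agent": "h1", "service:spooler": "auto", "autorun:updater": "upd"},
    "host-c": {"file:/usr/bin/agent": "h1", "service:spooler": "auto", "autorun:updater": "upd"},
}
CURRENT = {
    # fleet-wide patch: the agent binary changed on every host (expected)
    "host-a": {"file:/usr/bin/agent": "h2", "service:spooler": "auto", "autorun:updater": "upd"},
    "host-b": {"file:/usr/bin/agent": "h2", "service:spooler": "auto", "autorun:updater": "upd"},
    # host-c also gained an autorun entry and a changed service, seen nowhere else
    "host-c": {"file:/usr/bin/agent": "h2", "service:spooler": "manual",
               "autorun:updater": "upd", "autorun:helper": "/tmp/helper"},
}

def diff_host(before, after):
    """Return the set of (attribute, old, new) changes on one host."""
    changes = set()
    for key in before.keys() | after.keys():
        old, new = before.get(key), after.get(key)
        if old != new:
            changes.add((key, old, new))
    return changes

def detect_anomalies(baseline, current, common_fraction=0.5):
    """Flag changes that are rare across the population.
    A change present on at least common_fraction of hosts is treated as an
    expected rollout and absorbed into the reference model; everything else
    is reported per host. Returns (anomalies_by_host, absorbed_changes)."""
    per_host = {h: diff_host(baseline[h], current.get(h, {})) for h in baseline}
    prevalence = Counter(c for changes in per_host.values() for c in changes)
    threshold = common_fraction * len(baseline)
    expected = {c for c, n in prevalence.items() if n >= threshold}
    anomalies = {h: sorted((c for c in changes if c not in expected), key=repr)
                 for h, changes in per_host.items()}
    return {h: a for h, a in anomalies.items() if a}, sorted(expected, key=repr)
```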
So while we cannot, as Jaquith accurately says, detect a specific vector of an attack, we believe we have a very good chance of detecting the effects of an attack on a machine and therefore provide security professionals the situational awareness they need to respond to such an attack. We of course also believe we can effectively remediate the attack, but just the ability to detect the attack and provide actionable data as to what it did to the affected machine is a step forward. Given that there will never be a comprehensive shield for APT, the ability to detect a significant percentage of such threats, in my opinion, is noteworthy.
So is Triumfant the solution for APT? No, and we would never say so. Is Triumfant a tool that can help security professionals detect, analyze and respond to the attacks that characterize APT? Is Triumfant’s approach an improvement over traditional endpoint security tools? Is the ability to go from infection (notice I did not say detection) to remediation in less than five minutes for an attack that has never been seen before of interest to organizations that face the APT? I am comfortable saying yes with the appropriate qualifications. We are at the very least an effective application of anomaly detection that provides a meaningful sensor grid and analysis capability in the ongoing efforts regarding APT (guys, please note I did not say war, battle, or fight).
As I said, I find this discussion energizing and I look forward to more insights on APT in the future. Part of this ongoing discussion is the use of the term “warfare” which I hope to address in a future post.