Advanced Threat Detection: Necessary but Not Sufficient
The First Installment in the Blinded By the Hype Series
Whitepaper | Advanced Threat Detection: Necessary but Not Sufficient
Executive Summary
Promotion and promises from security vendors represent an aggressive grab for mindshare, making it difficult to separate reality from hype.
To help sort out the reality of new advanced detection tools, Proofpoint has put together a short list of impactful tips, topics, and questions
to apply to your evaluation and decision processes. Some of these tips take a hard look at reality and could change your workload or the
way you build your security budget. At a minimum, they should help you ask sharper questions of security vendors. This paper,
“Advanced Threat Detection: Necessary but Not Sufficient”, is the first installment in our “Blinded By the Hype” series, which includes
recommendations for banishing each hype scenario.
New Detection Tools Mean MORE work for your team
The stampede of new detection tools is a good thing: you can’t stop a threat if you don’t know it exists. The catch is that detection tools
are optimized to detect, not to stop. They are very good at piecing together the signals of a breach or infection and reporting it, but
reporting does not imply stopping or containing the infection, meaning that data, personal records, or intellectual property may be leaving
the building while you read the report. As the headlines have shown, even companies running some of the latest detection technologies fell
short in the response process. Advanced detection was necessary, but not sufficient.
Big Data, Security Analytics, and Behavioral Analysis marketing rests on the premise that purchasing new tools or services will enlighten
you about the threats affecting your network. The promise is that new detection tools, techniques, and methods will somehow make life
better, letting you operate from the business platitude “You can’t improve what you don’t measure.”
In fact, once these tools are purchased, installed, and operating, your organization may have spent hundreds of thousands or even millions
of dollars to confirm what you already read in a press release or news story: that 70 to 95% of corporate networks have malware.
The new tools didn’t tell you how to stop the malware, how to stop people from clicking links, or how to keep zero-day vulnerabilities from
affecting your organization. The truth of the matter is that you may have just spent $1M to confirm what you suspected. While you’re more
informed, you’re likely no more secure than before you bought the tool. The question has shifted from “do I have malware?” to how much
time and how many resources it will take to investigate, mitigate, and contain the hundreds or thousands of alerts your recently purchased
tool is now producing.
Detection tools not only detect malware, but they can deliver hundreds or thousands of alerts and incidents that you must address.
What’s your “Return on detection”? … Protection, right?
Take a quick look at how some leading tools can boost their “Return on detection”: first their detection capabilities, then how adding
protection closes the loop.
Detection Tools like FireEye and SIEM are Important, but…
FireEye
The good news is that products like FireEye are very effective at detecting zero-day attacks. The bad news is that these alerts carry a lot
of information for analysts to digest, and if you’re not prepared, the volume of alerts can be overwhelming.
For example, one threat can involve multiple binaries, multiple callback targets, and even multiple sources for file downloads. Some alerts
may be malicious, some may be benign. Either way, each suspected malware infection, remote server connection, and potential callback
warrants investigation.
This investigation requirement can overwhelm Incident Response teams, but to gain “Return on detection” from FireEye you can’t just
detect the threat; you must act to stop it from spreading, doing more damage, and exfiltrating data from your network. If a series of
threats hits a network, they may target multiple systems, drop or download hundreds of files, and take dozens of actions that might be
completely benign, such as accessing a Microsoft domain or Twitter. Each action or alert may require investigation to work out which
actions in the attack are decoy tasks, misdirection, aggressive evasion techniques, or false positives.
Keep in mind, however, that FireEye alerts are just one of the many alert sources organizations use. They arrive on top of the alerts
already coming from firewalls, Intrusion Detection Systems, and SIEM tools.
SIEMs
Security Information and Event Management (SIEM) tools such as HP ArcSight do a good job of detecting server and network anomalies by
aggregating machine and log data. Although they reduce millions of data points to thousands of potential threats, there is still a lot of
information to digest from your SIEM. Combine this with the reality that SIEM technology was not designed to go deep into APT and threat
data, and it is no surprise that customers tell us their SIEMs are struggling to adapt to these new threats.
In fact, we’ve seen customers write as many as 500 rules to filter out the “noise” and still need higher-fidelity alert information.
Depending on the patience of the business team auditing the ROI on the SIEM, “Return on detection” is easier to demonstrate if you add
measures that protect against the threats ArcSight reports.
Palo Alto Networks
Palo Alto Networks and other detection devices can generate a high number of critical alerts. One reaction is to lower the priority of the
alerts, and in doing so risk filtering out a hidden DDoS or other attack. Others let these alerts through to gain a better picture of
potential attacks on the network, but struggle through the manual investigation of each one.
The obvious problem is that if every alert is tracked and reported as critical, a real breach, a misconfiguration, a policy change, or
something else entirely may be at work, and you cannot tell which. Again, adding these detection tools reveals the extent to which a network
is under attack or may be compromised. If you are under attack, the fastest way to a “Return on detection” for your purchase may be a tool
or system that protects against the reported threats.
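The three tool sections above describe the same problem from three angles: a sandbox reports one threat as several binaries and callbacks, some of them to benign destinations; a SIEM needs hundreds of rules before its alerts are worth reading; a firewall marks everything critical. The script below is an added example, not code from this paper or from Proofpoint, showing the minimum an IR team has to build on top of those alerts to close the loop. It deduplicates raw alerts, drops callbacks to an assumed benign-destination allowlist, scores each host with assumed per-type weights and an assumed containment threshold, and turns the hosts above the threshold into containment actions. The alert records, host names, indicators and action strings are all constructed for the example; nothing here talks to a real device.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example, not Proofpoint's code. Everything here is constructed: the
# alerts, the allowlist, the weights and the action strings stand in for
# whatever your own detection sources, IR team and enforcement adapters use.

# Callback destinations the paper calls "completely benign" (a Microsoft
# domain, Twitter). Assumed allowlist; a real one comes from your environment.
BENIGN_DESTINATIONS = {"update.microsoft.com", "twitter.com"}

# Assumed weight per alert type. A callback outranks a dropped binary because
# an observed outbound connection means data may already be leaving.
WEIGHTS = {"callback": 5, "malware": 3, "exploit": 3, "adware": 1, "login_failure": 1}

# Assumed cut-off: a host whose deduplicated alerts score this high gets a plan.
CONTAIN_THRESHOLD = 6

# Constructed sample alerts (not real data), one record per raw alert as a
# sandbox, proxy or SIEM would emit them.
RAW_ALERTS = [
    # ws-17: a dropped binary, the same callback reported twice, benign noise.
    {"host": "ws-17", "type": "malware", "indicator": "invoice.exe"},
    {"host": "ws-17", "type": "callback", "indicator": "203.0.113.45"},
    {"host": "ws-17", "type": "callback", "indicator": "203.0.113.45"},
    {"host": "ws-17", "type": "callback", "indicator": "update.microsoft.com"},
    # ws-22: noise only, adware plus a connection to Twitter.
    {"host": "ws-22", "type": "adware", "indicator": "toolbar.dll"},
    {"host": "ws-22", "type": "callback", "indicator": "twitter.com"},
    # srv-db1: a burst of failed logins from the SIEM and nothing else.
    {"host": "srv-db1", "type": "login_failure", "indicator": "svc_backup"},
    {"host": "srv-db1", "type": "login_failure", "indicator": "svc_backup"},
    {"host": "srv-db1", "type": "login_failure", "indicator": "svc_backup"},
]


@dataclass
class Incident:
    host: str
    score: int = 0
    # (alert type, indicator, how many raw alerts collapsed into it)
    alerts: List[Tuple[str, str, int]] = field(default_factory=list)
    suppressed: int = 0  # benign-destination callbacks dropped as noise


def triage(raw_alerts: List[dict]) -> List[Incident]:
    """Collapse raw alerts into one Incident per host, highest score first."""
    # 1. Deduplicate: the same (host, type, indicator) reported N times is one
    #    finding seen N times, not N findings to investigate separately.
    seen = Counter((a["host"], a["type"], a["indicator"]) for a in raw_alerts)
    incidents: Dict[str, Incident] = {}
    for (host, atype, indicator), count in seen.items():
        inc = incidents.setdefault(host, Incident(host))
        # 2. Drop callbacks to known-benign destinations before scoring, but
        #    keep a count so the suppression itself stays visible to the analyst.
        if atype == "callback" and indicator in BENIGN_DESTINATIONS:
            inc.suppressed += count
            continue
        inc.alerts.append((atype, indicator, count))
        inc.score += WEIGHTS.get(atype, 1)
    # 3. Rank so the hosts worth an analyst's time come first; noise-only hosts
    #    sink to the bottom instead of being silently discarded.
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


def containment_plan(inc: Incident) -> List[str]:
    """Actions an enforcement adapter would push for one incident.
    Returns strings only; nothing here talks to a device."""
    if inc.score < CONTAIN_THRESHOLD:
        return []
    actions = []
    types = {atype for atype, _, _ in inc.alerts}
    for atype, indicator, _ in inc.alerts:
        if atype == "callback":
            actions.append(f"block-egress {indicator}")  # firewall / proxy rule
    # A dropped binary that has already phoned home is an active infection.
    if "malware" in types and "callback" in types:
        actions.append(f"isolate-host {inc.host}")  # NAC / EDR quarantine
    return actions


if __name__ == "__main__":
    for inc in triage(RAW_ALERTS):
        print(inc.host, inc.score, f"suppressed={inc.suppressed}", containment_plan(inc))
```

Run as written, the nine raw alerts collapse to three incidents: ws-17 scores 8 with one benign callback suppressed and gets an egress block for 203.0.113.45 plus host isolation, while ws-22 and srv-db1 score 1 each and get no action. The point of keeping the suppressed count and the low-scoring hosts in the output is the one the paper makes about SIEM rule-writing: filtering noise is necessary, but an analyst still has to be able to see what was filtered, and the containment actions are what turns the detection spend into protection.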
Detection tools running amok
To put this into better perspective, below is a chart of the wide range of tools and vendors you may have heard about or seen at RSA and
other security shows. Each vendor will take your money to detect problems or security threats on your network.
What most of these vendors won’t tell you is that once their tool detects a threat, containing the problem is someone else’s job.
If your job covers detection, investigation, mitigation, and containment, buying one of these tools addresses the detection piece, but it
does not give you a way to prove “Return on detection” and fully justify the purchase.
[Chart: the detection categories Malware Detection, SIEM, Log Management & Monitoring, Big Data Security Analytics, and Vulnerability & Risk Management all lead to “You Might Have a Problem”, followed by the open question “How Do You Mitigate and Respond?”]
Detection ≠ Protection?
To summarize this point: the hidden tip you won’t hear from most security vendors is that new detection tools raise your awareness that
you’ve been breached, but unless you have a plan and the ability to contain the threats you detect, you are not protected. Keep in mind
that no manager wants to spend millions on detection only to need more for protection.
[Cartoon: “The new system found 200 alerts!” / “Did you contain the threats?” / “No, but detection works!” / “Doh!” / “Then I suggest you get to work on that!”, drawn over a wall of alerts (fragmentation, heap spray, spyware, CVE, malware, callback, intrusion, adware, unauthorized access, login failure).]
Recommendations
When considering the purchase or introduction of any new detection technologies, ask the following questions:
1. If I purchase this detection system, will I see more security alerts?
2. If I see more security alerts, how much work is it to reduce the noisy alerts to the critical alerts?
3. Once I know which alerts are critical, how do I prioritize the alerts and contain the threat with this product?
4. How quickly can I take a security alert from this product and stop the threat that it finds?
5. What is the ROI of this product, and does this ROI include stopping detected threats?
The Proofpoint Solution
Proofpoint delivers best-of-breed products that encompass security analytics and response capabilities. Organizations without the time and
money to custom-code both predictive analytics and response tools that leverage big data (over 1 billion URLs reviewed a day) and applied
threat intelligence should consider the following products:
»» Proofpoint Targeted Attack Protection (TAP) is a cloud-based security-as-a-service offering from Proofpoint that leverages Big
Data infrastructure and applies advanced predictive analytics and sandboxing techniques to detect and manage new forms of
attack, including highly targeted and socially engineered phishing attacks.
»» Proofpoint Threat Response is a virtual appliance from Proofpoint that closes the gap between detection, verification, and
protection. It includes built-in indicator of compromise (IOC) verification, connectors to Proofpoint TAP and other threat sources,
and adapters to all major enforcement device vendors in a visually rich yet elegant interface.
Conclusions
Security vendors push their products and solutions at conferences, online, and at other security shows, but it’s important that buyers
understand the hand-waving and the pitfalls of buying into the hype without deeper evaluation. “Advanced Threat Detection:
Necessary but Not Sufficient” is the first tip in the “Blinded by the Hype” series. Be sure to evaluate and purchase tools that let you
close the loop between detection and containment, so that you both detect and stop the threats you find.
About Proofpoint
Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance,
and secure communications. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against
phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information.
©Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.
892 Ross Drive
Sunnyvale, CA 94089
1.408.517.4710
www.proofpoint.com