Protective Intelligence

Protective Intelligence. A look around the corners and over the horizon.

IDC EXECUTIVE BRIEF

Proactive Intelligence Gathering for Enterprise Protection

August 2010

Adapted from Worldwide IT Security Products 2009–2013 Forecast and 2008 Vendor Shares: Comprehensive Security Product Review by Brian E. Burke, Sally Hudson, Charles J. Kolodgy, et al., IDC #221351

Sponsored by Symantec

Stay Ahead of Internet Threats to Protect Business-Critical Information

Staying ahead of security threats will protect enterprise information and infrastructure from falling victim to a cyber attack or data breach. However, instead of leveraging a threat intelligence network, many organizations rely on multiple security products to receive notifications of new threats and of vulnerabilities in their systems. Not every security product is integrated with a threat intelligence network, and in today's mobile environment, just one exposed confidential asset or record could compromise a business. This Executive Brief provides an overview of a more effective way to manage security: the integration and analysis of the global threat landscape.

Cyber Attacks Narrow Their Focus

The need for corporate security has never been greater. The amount of digital data — powered by globalization, Web access, new techniques for data gathering and analysis, digital communications, conversion from paper to digital processes, and increased regulatory and legal requirements — continues to increase exponentially. The increasing use of corporate email, Web email, instant messaging (IM), peer-to-peer (P2P), and other channels for distributing data, along with the proliferation of mobile devices that allow employees to carry sensitive information outside the organization's boundaries, makes securing information a substantial challenge. In addition, the digital threat environment is rapidly changing — in the motives of malware writers as well as in the vulnerabilities they are targeting.

A growing number of malicious programs are exploiting security weaknesses in Internet browsers. An infected Web page, for example, can compromise a site visitor's computer remotely without the visitor even having to click on any links: a so-called "drive-by" attack.

IDC_988
As a result, security concerns are at an all-time high among organizations seeking protection from a rash of spyware, Trojan horses, worms, and other Web traffic–borne menaces. Also, newer applications such as voice and storage networks, and emerging information technologies such as VoIP and XML, continue to create a new set of requirements for protection. Current economic conditions notwithstanding, the security market continues to grow. IDC forecasts that this market will reach $37.8 billion in 2013, representing a compound annual growth rate of 9%. IDC sees the following three key trends driving the IT security market:

• The largest security threat to enterprises lies within the network. With access to a significant portion of the enterprise resources, insiders — including current and past employees, temporary workers, partners, and customers — may take advantage of the organization's lack of security awareness to gain access to enterprise data. Most companies do not have visibility into who is accessing what in the network until after the security breach has happened. Breaches continue to happen, caused either by a disgruntled or soon-to-leave employee or by an outsider who compromises internal user rights to access intellectual property and other data. There are numerous instances of individuals deliberately causing harm, leaking confidential employee, customer, and enterprise data, or damaging enterprise resources.

• External hackers are exploiting insider ignorance. Social engineering threats like spyware, phishing, and pharming gain entry into the enterprise through the ignorance of insiders. It is commonly recognized that enterprise security is only as strong as its weakest link. Through blended attacks that use multiple methods, external attackers find that user ignorance is the simplest route to enterprise data and resources.

Further, as financial gain takes precedence over other motives for attacks, attacks themselves are consolidating into organized crime. Using the trust users have established with colleagues and acquaintances, attackers begin by compromising insider targets and then, through these contacts, extend the attack to other users. Examples include phishing attacks via social networking sites, instant messaging, and hosted email services; targeted emails to executives; and global event–related spam. In targeting the users, attackers are using publicly available vulnerability information and freely available rootkits, launching small attacks that change patterns rapidly to escape traditional security radars. In addition, hackers typically use multiple methods to reach the insider, necessitating the deployment of multiple security solutions. Deploying multiple solutions comes at a high cost and brings with it the possibility of security mismanagement due to the complexity of managing the solutions. Further, traditional security solutions, which rely on the magnitude of an attack to detect it, are likely to fall short. Proactive security based on real-time global events — i.e., threat intelligence — is necessary to meet these threats.

©2010 IDC
• Regulatory compliance continues to add even greater pressure to protect sensitive data and to document those security measures. Given the magnitude of threats to employee, customer, and corporate data, compliance regulations like HIPAA, GLBA, SOX, PCI, and others are forcing enterprises to undertake security measures that control the access and activity of users. Faced with penalties in case of noncompliance or loss of reputation in case of data loss, enterprises are under pressure to implement compliance measures within the enterprise. Compliance regulations are forcing organizations to have more network access controls with increased levels of network monitoring and reporting. The volume of information produced by existing systems is fast becoming too large and too confusing for policy enforcers and auditors to handle.

Organizations Can No Longer Ignore Blind Spots

As a result of the previously mentioned trends, enterprises and organizations are deploying a myriad of security technologies to defend against ever-increasing threats. But all of these security products add complexity to the security infrastructure. To manage the growth in security, organizations are turning to security and vulnerability management (SVM) solutions to provide them with intelligence to make security more effective as well as to document their efforts for compliance. This is why the SVM market continues to grow at double-digit rates, and IDC predicts that it will exceed $4.4 billion in 2013. The security and vulnerability management market encompasses two separate but symbiotic segments — security management and vulnerability assessment. These two markets can stand alone, but they also have considerable overlap in how they are used by enterprises.

• Security management products, consisting of tools that provide organizations with the ability to create security policy that drives both business and security initiatives, allow for measurement and reporting of the security posture and, ultimately, provide methods for correcting security shortcomings. These tools include the following:

  - Proactive endpoint risk management (PERM) solutions automate or semiautomate the enforcement of security policy and configuration management on endpoints.

  - Forensics and incident investigation solutions capture and store real-time network and device data and identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations.

  - Policy and compliance solutions enable organizations to create, measure, and report on security policy and regulatory compliance.
  - Security information and event management (SIEM) solutions include software designed to aggregate data from multiple sources to identify patterns of events that might signify attacks, intrusions, misuse, or failure.

  - Security systems and configuration management (SSCM) solutions are primarily systems management products that monitor and report on the status of perimeter security products.

• Vulnerability assessment (VA) products, on the other hand, are batch-level solutions that scan servers, workstations, other devices, and applications to uncover security vulnerabilities. The scan information is compared with a database of known security holes (vulnerabilities) to determine the threat status of the device or application. More sophisticated VA products can test for unknown vulnerabilities by mimicking common attack profiles to see if a device or an application can be penetrated. For example, penetration testing is an advanced capability that allows organizations to safely exploit vulnerabilities by replicating the kinds of access an intruder could achieve and providing actual paths of attack that must be eliminated. Penetration testing, when used in conjunction with vulnerability scanning, reduces the number of false positives. Vulnerability assessment products include the following:

  - Device vulnerability assessment products that use either network- or host-based scanners to look into a device to determine its security vulnerabilities

  - Application scanners that test the robustness of an application or software to resist attacks — both specific attacks and attacks based on hacking techniques

Threat Intelligence: Identify High-Priority Threats

Managing cyber attacks is like securing a border between two large countries. It is not physically possible to secure the entire border, just as it is impossible to secure an enterprise network at every entrance point or user interface. The key to success is using real-time, global event intelligence to target logical attack points or to create alerts when abnormal activity occurs. The goal of threat intelligence is to help IT analyze and, therefore, prioritize and better handle cyber security threats. Security products with threat intelligence help IT sort through the vast amount of information generated about user access, network traffic, database access, and application use to isolate actual or potential threats. This enables IT to focus either on solving security problems as they occur or on preventing them based on historical data captured by security tools.

Threat intelligence is based on a simple principle: "If you don't know what's out there, how do you know what to watch for?" If security products are integrated with a global intelligence network, then when a malicious attack affects companies or consumers around the world, IT managers know about it before it hits their enterprise. These products can block the attack or recommend how to protect against it to keep it from affecting the business. Just as business intelligence tools can be set to find specific points of information in huge volumes of data, products integrated with threat intelligence can be set to identify vulnerabilities across application, network, and data access and use. Similarly, threat intelligence solutions can be linked with databases of known threats to automate the process of updating security tools such as firewalls, antivirus software, etc. In addition, exceptions to normal usage patterns, often a sign of new attacks or new types of attack, can be targeted for alerts and further analysis by the software or an administrator.

A major advantage of threat intelligence is that it increases the efficiency of IT security staff. By identifying high-priority threats, staff can focus on real problems instead of false alarms or on issues that can typically be handled by software tools already in place. In addition, threat intelligence brings the concept of intelligent process automation to enterprise security. Intelligent process automation, deployed through business intelligence tools, uses information to link complex business operations and processes. From a security standpoint, threat intelligence automates the links between the information generated by security solutions and associated management tools and the organization's business goals and processes. With threat intelligence, repeatable decisions, such as virus prevention, can be automated according to preset policies.

Similarly, threat intelligence tools using transaction monitoring or continuous data integration combined with user profiling can speed up the decision-making process for handling event-driven security issues, like internal or external attacks. Advanced threat analytics can be used to create security decision workflows and enable predictive modeling to evaluate response alternatives, test potential threats, and complete risk assessments. New processes and procedures to reduce risk can be created with this information, enabling the organization to create a security environment that evolves as threats evolve. Threat intelligence can place the right information in the right hands at the right time for optimal response. Finally, threat intelligence solutions can support an enterprise's regulatory and compliance needs. The collection of security data and its analysis, combined with a record of how security breaches are handled, creates a log documenting timely monitoring and response, a critical component of regulations like HIPAA, GLBA, SOX, PCI, and others. Security information and event management is critical to providing a consolidated protection profile to security analysts, managers, and auditors alike.
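As an added example (not code from the IDC brief or from any Symantec product), the following Python sketch combines the two mechanisms this section describes, matching events against a database of known threats and alerting on exceptions to a user's normal usage pattern, into a single priority score so that analysts see real problems before false alarms; the threat feed, usage baseline, and events are constructed sample data.

```python
# Added illustration: a minimal SIEM-style prioritizer that matches events
# against a known-threat feed and flags deviations from a per-user baseline.

# Constructed threat feed (documentation-range IP and an example domain).
THREAT_FEED = {"ips": {"198.51.100.23"}, "domains": {"malware-drop.example"}}

# Constructed per-user baseline: normal working hours and typical outbound bytes.
BASELINE = {
    "alice": {"hours": range(8, 19), "max_bytes_out": 2_000_000},
    "bob": {"hours": range(8, 19), "max_bytes_out": 500_000},
}

def score_event(ev, feed=THREAT_FEED, baseline=BASELINE):
    """Return (score, reasons); known-threat matches outweigh mere anomalies."""
    score, reasons = 0, []
    if ev["src_ip"] in feed["ips"]:
        score += 50
        reasons.append("source IP on known-threat list")
    if ev["dest_host"] in feed["domains"]:
        score += 50
        reasons.append("destination on known-threat list")
    profile = baseline.get(ev["user"])
    if profile is None:
        score += 20
        reasons.append("no usage baseline for user")
    else:
        if ev["hour"] not in profile["hours"]:
            score += 15
            reasons.append("activity outside normal hours")
        if ev["bytes_out"] > profile["max_bytes_out"]:
            score += 25
            reasons.append("outbound volume above baseline")
    return score, reasons

def prioritize(events, feed=THREAT_FEED, baseline=BASELINE):
    """Rank events highest score first; zero-score events are dropped as noise."""
    ranked = []
    for ev in events:
        score, reasons = score_event(ev, feed, baseline)
        if score > 0:
            ranked.append((score, ev["id"], reasons))
    return sorted(ranked, key=lambda item: -item[0])

# Constructed sample events: one benign, one known-threat hit, one anomaly.
SAMPLE_EVENTS = [
    {"id": "e1", "user": "alice", "src_ip": "10.0.0.5", "dest_host": "intranet.example", "hour": 10, "bytes_out": 120_000},
    {"id": "e2", "user": "bob", "src_ip": "10.0.0.7", "dest_host": "malware-drop.example", "hour": 14, "bytes_out": 80_000},
    {"id": "e3", "user": "bob", "src_ip": "10.0.0.7", "dest_host": "fileshare.example", "hour": 2, "bytes_out": 900_000},
]
```

Calling `prioritize(SAMPLE_EVENTS)` returns the known-threat hit first, the off-hours bulk transfer second, and omits the benign event entirely.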
Get the Data Hackers Don't Want You to Have

Enterprises and organizations continue to deploy a vast array of security technologies to defend against ever-increasing threats. Unfortunately, many of these security products are not integrated with a threat intelligence network. To successfully defend against the cyber attacks described in this paper, organizations need real-time threat intelligence as a critical component of their security strategy. Threat intelligence can help enterprises interpret the global threat landscape and apply that information to define appropriate security architectures that meet strategic objectives. It can also help organizations assess security measures from both technical and business perspectives, integrating the array of vulnerability, penetration, and threat assessments with a review of policies, controls, management, and compliance goals. Further, threat intelligence can help organizations continually analyze and review network, system, and application architectures from a security standpoint to defend against the most business-critical, advanced, and persistent threats. Threat intelligence can also help IT staff prioritize threats and associated responses by providing essential information about where the threats are originating and best practices for decision making. By capturing information on threats and related incident response, threat intelligence can help organizations keep records for compliance and for continuous improvement of security measures and policies. Threat intelligence is the fastest, most effective approach to helping enterprises manage security information. Like traditional business intelligence, threat intelligence helps organizations better use data to improve business processes — in this case, enterprise security.

With the increasing number of assaults on enterprises through global networks, the Internet, and so forth, combined with the greater dependence on data as a competitive advantage, organizations need every advantage they can get.

COPYRIGHT NOTICE

The analyst opinion, analysis, and research results presented in this IDC Executive Brief are drawn directly from the more detailed studies published in IDC Continuous Intelligence Services. Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. Contact IDC Go-to-Market Services at or the GMS information line at 508-988-7610 to request permission to quote or source IDC or for more information on IDC Executive Briefs. Visit to learn more about IDC subscription and consulting services or to learn more about IDC Go-to-Market Services. Copyright 2010 IDC. Reproduction is forbidden unless authorized.