1.
I D C E X E C U T I V E B R I E F
Proactive Intelligence Gathering
for Enterprise Protection
August 2010
Adapted from Worldwide IT Security Products 2009–2013 Forecast and 2008 Vendor Shares:
Comprehensive Security Product Review by Brian E. Burke, Sally Hudson, Charles J. Kolodgy,
et al., IDC #221351
Sponsored by Symantec
Stay Ahead of Internet Threats to Protect Business-
Critical Information
Staying ahead of security threats will protect enterprise information
and infrastructure from falling victim to a cyber attack or data breach.
However, instead of leveraging a threat intelligence network, many
organizations are relying upon multiple security products to receive
notifications of new threats and their system vulnerabilities. Not
every security product is integrated with a threat intelligence network,
and in today's mobile environment, just one exposed confidential
asset or record could compromise a business. This Executive Brief
provides an overview of a more effective way to manage security
through the integration and analysis of the global threat landscape.
Cyber Attacks Narrow Their Focus
The need for corporate security has never been greater. The amount
of digital data — powered by globalization, Web access, new
techniques for data gathering and analysis, digital communications,
conversion from paper to digital processes, and increased regulatory
and legal requirements — continues to increase exponentially.
The increasing use of corporate email, Web email, instant messaging
(IM), peer to peer (P2P), and other channels for distributing data,
along with the proliferation of mobile devices that allow employees to
carry sensitive information outside the organization's boundaries,
makes securing information a substantial challenge.
In addition, the digital threat environment is rapidly changing — in
the motives of malware writers as well as in the vulnerabilities they
are targeting. A growing number of malicious programs are exploiting
security weaknesses in Internet browsers. An infected Web page, for
example, can exploit a site visitor's computer remotely without the
visitor even having to physically click on any links; a so-called
"drive-by" attack.
IDC_988

2.
As a result, security concerns are at an all-time high among
organizations seeking protection from a rash of spyware, Trojan
horses, worms, and other Web traffic–borne menaces. Also, newer
applications such as voice, storage networks, and emerging
information technologies such as VoIP and XML continue to create a
new set of requirements for protection.
Current economic conditions notwithstanding, the security market
continues to grow. IDC forecasts that this market will reach $37.8
billion in 2013, representing a compound annual growth rate of 9%.
IDC sees the following three key trends driving the IT security market:
• The largest security threat to enterprises lies within the
network. With access to a significant portion of the enterprise
resources, insiders — including current and past employees,
temporary workers, partners, and customers — may take
advantage of the organization's lack of security awareness to
gain access to enterprise data. Most companies do not have
visibility into who is accessing what in the network until after the
security breach has happened. Breaches continue to happen,
caused either by a disgruntled or soon-to-leave employee or an
outsider who compromises internal user rights to access
intellectual property and other data. Numerous instances are
available of individuals causing deliberate harm; leaking
confidential information of employees, customers, and enterprise
data; or harming enterprise resources.
• External hackers are exploiting insider ignorance. Social
engineering threats like spyware, phishing, and pharming gain
entry into the enterprise through the ignorance of insiders. It is
commonly recognized that security is as weak as the weakest
link in enterprise security. Through blended attacks that use
multiple methods, external attackers find that user ignorance is
the simplest route to enterprise data and resources. Further, as
financial gain takes precedence over other motives for attacks,
attacks themselves are consolidating into organized crime. Using
the trust users have established with colleagues and
acquaintances, attackers begin with compromising insider
targets and then, through these contacts, extend the attack to
other users. Examples include phishing attacks via social
networking sites, instant messaging, and hosted email services;
targeted emails to executives; and global event–related spam. In
targeting the users, attackers are using publicly available
vulnerability information and freely available rootkits, launching
small attacks that change patterns rapidly to escape traditional
security radars. In addition, hackers typically use multiple
methods to reach the insider, necessitating the deployment of
multiple security solutions. Deploying multiple solutions comes at
a high cost and brings with it the possibility of security
mismanagement due to the complexity in managing the
solutions. Further, traditional security solutions, which rely on the
magnitude of the attack to detect it, are likely to fall short.
Proactive security based on real-time global events — i.e., threat
intelligence — is necessary to meet these threats.
2 ©2010 IDC

3.
• Regulatory compliance continues to add even greater
pressure to protect sensitive data and document those
security measures. Given the magnitude of threats to
employee, customer, and corporate data, compliance regulations
like HIPAA, GLBA, SOX, PCI, and others are forcing enterprises
to undertake security measures that control the access and
activity of users. Faced with penalties in case of noncompliance
or loss of reputation in case of data loss, enterprises are under
pressure to implement compliance measures within the
enterprise. Compliance regulations are forcing organizations to
have more network access controls with increased levels of
network monitoring and reporting. The volume of information
produced by existing systems is fast becoming too confusing and
too much to handle for policy enforcers and auditors.
Organizations Can No Longer Ignore Blind Spots
As a result of the previously mentioned trends, enterprises and
organizations are deploying a myriad of security technologies to
defend against ever-increasing threats. But all of these security
products add complexity to the security infrastructure.
To manage the growth in security, organizations are turning to
security and vulnerability management (SVM) solutions to provide
them with intelligence to make security more effective as well as to
document their efforts for compliance. This is why the SVM market
continues to grow at double-digit rates and IDC predicts that it will
exceed $4.4 billion in 2013.
The security and vulnerability management market encompasses
two separate but symbiotic segments — security management and
vulnerability assessment. These two markets can stand alone, but
they also have considerable overlap in how they are used by
enterprises.
• Security management products, consisting of tools that
provide organizations with the ability to create security policy that
drives both business and security initiatives, allow for
measurement and reporting of the security posture and,
ultimately, provide methods for correcting security shortcomings.
These tools include the following:
Proactive endpoint risk management (PERM) solutions
automate or semiautomate the enforcement of security
policy and configuration management on endpoints.
Forensics and incident investigation solutions capture
and store real-time network and device data and identify how
business assets are affected by network exploits, internal
data theft, and security or HR policy violations.
Policy and compliance solutions enable organizations to
create, measure, and report on security policy and regulatory
compliance.
©2010 IDC 3

4.
Security information and event management (SIEM)
solutions include software designed to aggregate data from
multiple sources to identify patterns of events that might
signify attacks, intrusions, misuse, or failure.
Security systems and configuration management
(SSCM) solutions are primarily systems management
products that monitor and report on the status of perimeter
security products.
• Vulnerability assessment (VA) products, on the other hand,
are batch-level solutions that scan servers, workstations, other
devices, and applications to uncover security vulnerabilities. The
scan information is compared with a database of known security
holes (vulnerabilities) to determine the threat status of the device
or application.
More sophisticated VA products can test for unknown
vulnerabilities by mimicking common attack profiles to see if a
device or an application can be penetrated. For example,
penetration testing is an advanced capability that allows
organizations to safely exploit vulnerabilities by replicating the
kinds of access an intruder could achieve and providing actual
paths of attacks that must be eliminated. Penetration testing,
when used in conjunction with vulnerability scanning, reduces
the number of false positives.
Vulnerability assessment products include the following:
Device vulnerability assessment products that use either
network- or host-based scanners to look into a device to
determine its security vulnerabilities
Application scanners that test the robustness of an
application or software to resist attacks — both specific
attacks and attacks based on hacking techniques
Threat Intelligence: Identify High-Priority Threats
Managing cyber attacks is like securing a border between two large
countries. It is not physically possible to secure the entire border, just
as it's impossible to secure an enterprise network at every entrance
point or user interface. The key to success is using real-time, global
event intelligence to target logical attack points or create alerts when
non-normal activity occurs.
The goal of threat intelligence is to help IT analyze and, therefore,
prioritize and better handle cyber security threats. Security products
with threat intelligence help IT sort through the vast amount of
information generated about user access, network traffic, database
access, and application use to isolate actual or potential threats.
This enables IT to focus on either solving security problems as they
occur or preventing them based on historical data captured by security
4 ©2010 IDC

5.
tools. Threat intelligence is based on a simple principle: "If you don't
know what's out there, how do you know what to watch for?" If security
products are integrated with a global intelligence network when there
is a malicious attack affecting companies or consumers around the
world, IT managers would know about it before it hits their enterprise.
These products can block the attack or recommend how to protect
against it to keep it from affecting the business.
Just as business intelligence tools can be set to find specific points
of information in huge volumes of data, products integrated with
threat intelligence can be set to identify vulnerabilities across
application, network, and data access and use. Similarly, threat
intelligence solutions can be linked with databases of known threats
to automate the process of updating security tools such as firewalls,
virus software, etc. In addition, exceptions to normal usage patterns,
often a sign of new or new types of attacks, can be targeted for alerts
for further analysis by the software or an administrator.
A major advantage of threat intelligence is that it increases the
efficiency of IT security staff. By identifying high-priority threats, staff
can focus on real problems instead of false alarms or those that
typically can be handled by software tools already in place. In
addition, threat intelligence brings the concept of intelligent process
automation to enterprise security.
Intelligent process automation, deployed through business
intelligence tools, uses information to link complex business
operations and processes. From a security standpoint, threat
intelligence automates the links between information generated by
security solutions and associated management tools with business
goals and processes. With threat intelligence, repeatable decisions,
such as virus prevention, can be automated according to preset
policies. Similarly, threat intelligence tools using transaction
monitoring or continuous data integration combined with user
profiling can speed up the decision-making process for handling
event-driven security issues, like internal or external attacks.
Advanced threat analytics can be used to create security decision
workflow and enable predictive modeling to evaluate response
alternatives or test potential threats and complete risk assessments.
New processes and procedures to reduce risk can be created with
the information, enabling the organization to create a security
environment that evolves as threats evolve. Threat intelligence can
place the right information in the right hands at the right time for
optimal response.
Finally, threat intelligence solutions can support an enterprise's
regulatory and compliance needs. The collection of security data and
its analysis, combined with a record of how security breaches are
handled, creates a log documenting timely monitoring and response,
a critical component of regulations like HIPAA, GLBA, SOX, PCI, and
others. Security information and event management is critical to
providing a consolidated protection profile to security analysts,
managers, and auditors alike.
©2010 IDC 5

6.
Get the Data Hackers Don't Want You to Have
Enterprises and organizations continue to deploy a vast array of
security technologies to defend against ever-increasing threats.
Unfortunately, many of these security products are not integrated
with a threat intelligence network. To successfully defend against the
cyber attacks described in this paper, organizations need real-time
threat intelligence as a critical component of their security strategy.
Threat intelligence can help enterprises interpret the global threat
landscape and help apply that information to define appropriate
security architectures to meet strategic objectives. It also can help
organizations assess security measures from both technical and
business perspectives, integrating the array of vulnerability,
penetration, and threat assessments with a review of policies,
controls, management, and compliance goals.
Further, threat intelligence can help organizations continually
analyze and review network, system, and application architectures
from a security standpoint to defend against the most business-
critical, advanced, and persistent threats. Threat intelligence can
also help IT staff prioritize threats and associated responses by
providing essential information about where the threats are
originating and best practices for decision making. By capturing
information on threats and related incident response, threat
intelligence can help organizations keep records for compliance and
for continuous improvement of security measures and policies.
Threat intelligence is the fastest, most effective approach to helping
enterprises manage security information. Like traditional business
intelligence, threat intelligence helps organizations better use data to
improve business processes — in this case, enterprise security. With
the increasing number of assaults on enterprises through global
networks, the Internet, and so forth, combined with the greater
dependence on data as a competitive advantage, organizations need
every advantage they can get.
C O P Y R I G H T N O T I C E
The analyst opinion, analysis, and research results presented in this
IDC Executive Brief are drawn directly from the more detailed studies
published in IDC Continuous Intelligence Services. Any IDC information
that is to be used in advertising, press releases, or promotional
materials requires prior written approval from IDC. Contact IDC Go-to-
Market Services at gms@idc.com or the GMS information line at 508-
988-7610 to request permission to quote or source IDC or for more
information on IDC Executive Briefs. Visit www.idc.com to learn more
about IDC subscription and consulting services or www.idc.com/gms to
learn more about IDC Go-to-Market Services.
Copyright 2010 IDC. Reproduction is forbidden unless authorized.
6 ©2010 IDC