Preventing known threats is the bread and butter of almost every security solution. Stopping viruses, blocking dodgy macros, blacklisting unauthorised web sites and banning non-essential applications are all tried and true tactics to keep adversaries out of your clients’ networks. But what about advanced persistent threats and previously unknown attacks that evade signature-based detection, use previously unseen (zero-day) malware, exploit unpatched vulnerabilities, or arrive from brand-new or seemingly innocent hosting URLs and IP addresses?
The goal of these attacks is to compromise the target system with code crafted to circumvent security controls and stay under the radar for as long as possible. They also rely heavily on social engineering to fool even the most security-conscious end users.
Firewall not enough
With advanced threats like these rapidly increasing in number and sophistication, a perimeter firewall is no longer enough. To add another layer of defence, advanced threat protection detects unknown exploits entering your clients’ networks, performs dynamic analysis to identify the risk and counters the threat with preventive controls within the network itself, thereby limiting the damage.
“The reality is that malware creators are well aware of all forms of security technology,” says Andrew Khan, Fortinet Senior Business Manager at Ingram Micro, New Zealand’s largest and most experienced distributor of Fortinet’s cyber security solutions. “These attackers build disguises and use advanced evasion techniques in the hope of bypassing security tools to successfully deliver their malware. These are the adversaries that can cause the most damage.”
“Detection comes down to inspecting as many layers as possible through all potential angles of attack,” continues Khan. “The best approach is a combination of proactive threat prevention, such as Fortinet’s Content Pattern Recognition Language (CPRL), to stop as many threats as possible, while still leveraging those advanced technologies - such as sandboxing - to uncover sophisticated custom attacks. Further, tying prevention to advanced detection as a seamless solution to cover all potential attack vectors and facilitate incident response is key.”
The most effective defence is founded on a cohesive and extensible protection framework that extends from the cloud - including AWS and Microsoft Azure - to the data centre and all the way through to the end user device. This framework - such as Fortinet’s Security Fabric - incorporates current security capabilities, emerging technologies and a learning mechanism that creates and distributes actionable security intelligence from newly detected threats in real time.
The five key components for ATP
There are five critical components to advanced threat protection: access control, threat prevention, threat detection, incident response and continuous monitoring.
These components, working in concert and kept current, can go a long way in protecting your clients’ networks, data and reputations.
Access control reduces the attack surface by forcing all users and traffic through established inspection points running appropriate threat prevention and detection technologies. Solutions include layer 2/3 firewalls, patch management and two-factor authentication. Keep in mind that these technologies are less effective when deployed in silos. A security-centric infrastructure with a hardened OS provides pervasive security.
Threat prevention stops malware before it enters the network. Most attacks utilise modified versions of known malware to bypass content-oriented inspection. Threat prevention technologies - such as intrusion prevention, application control, web/email filtering and anti-virus/spam - keep the windows and doors shut. Proactive solutions, typically subscription-based services, can identify and stop most malware.
Threat detection catches what prevention misses. Suspicious objects that get past the perimeter are detonated in a sandbox - a contained environment where their behaviour can be observed without risk to production systems - and botnet detection looks for the communication patterns, such as regular call-backs to a command-and-control server, that indicate a compromised host. If your clients do detect a threat - or even suspect that their perimeter has been breached - they need to take immediate action.
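To make “communication patterns indicating botnet activity” concrete, here is an added example (written for this page; it is not Fortinet’s or Ingram Micro’s code) that scans a constructed connection log for beaconing: a host contacting the same destination at near-constant intervals, which is how many bots poll their command-and-control server. The log format, the sample lines and the thresholds (at least five connections, under 10% timing jitter) are assumptions chosen for the illustration.

```python
"""Flag beacon-like periodic connections in a simple connection log.

Added example, not vendor code. The log format below is an assumption:
    <ISO timestamp> <src> -> <dst> <bytes>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 calls 203.0.113.7 every ~5 minutes
# (a beacon) and 198.51.100.2 at irregular times (ordinary browsing).
# One garbage line is included to show that malformed input is skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.7 512
2024-05-01T10:00:03 10.0.0.5 -> 198.51.100.2 4096
2024-05-01T10:05:01 10.0.0.5 -> 203.0.113.7 510
2024-05-01T10:07:44 10.0.0.5 -> 198.51.100.2 1200
not a log line
2024-05-01T10:10:00 10.0.0.5 -> 203.0.113.7 515
2024-05-01T10:14:59 10.0.0.5 -> 203.0.113.7 512
2024-05-01T10:20:02 10.0.0.5 -> 203.0.113.7 509
2024-05-01T10:21:10 10.0.0.5 -> 198.51.100.2 88000
2024-05-01T10:25:00 10.0.0.5 -> 203.0.113.7 511
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[4])
        except ValueError:
            continue
        yield ts, parts[1], parts[3], size


def find_beacons(text, min_connections=5, max_jitter=0.10):
    """Return {(src, dst): mean_interval_seconds} for pairs that beacon.

    A pair is flagged when it has at least min_connections connections and
    the coefficient of variation (std dev / mean) of its inter-connection
    intervals is below max_jitter, i.e. the call-backs are evenly spaced.
    Thresholds are assumptions; tune them against real traffic.
    """
    times = defaultdict(list)
    for ts, src, dst, _size in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        if pstdev(intervals) / avg < max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

On the sample above only the 203.0.113.7 pair is reported (six connections roughly 300 seconds apart); the browsing destination has too few connections and irregular timing. Real bots add random jitter and sleep periods, so in practice the jitter threshold is widened and the detector is combined with other signals such as destination reputation and payload size consistency, rather than used on its own.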
If a security event occurs, incident response actions kick in to validate and contain the threat. All components, including those deployed for detection and prevention, need to work in concert for fast response and corrective action.
Containment and response lead into continuous monitoring: ongoing assessments and audits that measure the effectiveness of an organisation’s security controls, compare its posture with that of its peers and track the continued evolution of the threat landscape.
If you provide these five components as part of Fortinet’s Security Fabric, you’ll be going a long way to helping your clients keep their data safe and their reputations intact. Not to mention that you’ll be their preferred security supplier for the foreseeable future.
Andrew Khan, Senior Business Manager
M: 021 819 793
James Meuli, Solutions Architect
M: 0275 520 167
Hugo Hutchinson, Business Development Manager
P: 09 414 0261 | M: 021 245 8276