
Advanced Persistent Threats (APTs): Part 2

In my last posting I argued that traditional defense-in-depth strategies per se are not sufficient for an organization to be able to withstand the kinds of APTs that are currently plaguing us. I’d like to go further with this theme, extending it to the types of security technologies that are available to us. In the past I’ve argued for the virtues of Unified Threat Management (UTM) technology from the standpoint that in UTM appliances the various functions (intrusion detection, intrusion prevention, application firewalling, and more) are at least aware of each other, and can thus potentially work more intelligently and cooperatively than so-called point solutions.

I am not at all opposed to the UTM concept, but I fear that UTM technology as we currently know it is not well-suited to defending against APTs. Why? In my last posting I argued that traditional defense-in-depth models do not work very well against APTs if the security controls within them have too high a level of residual risk. Many barriers to attackers and malware may exist, but if a few of these barriers are easy to leap, so to speak, they provide little value against APTs. Ideally, each barrier should instead have a minuscule level of residual risk, presenting a formidable challenge to even the most persistent and advanced of attackers. But alas, today’s UTM technology is not characterized by a consistently low residual risk level for each security function. Instead, when you purchase and implement UTM technology, you get a set of functions, some of which may have low levels of residual risk, and others of which may have high levels of residual risk. You are once again at the mercy of the vendor. So a UTM product may have low residual risk associated with its conventional and application firewalls, but may also have much higher levels of risk associated with, say, its intrusion prevention functionality. The result is an ineffective control in the defense-in-depth scheme, one that a clever and persistent attacker might very well be able to bypass or defeat, and thereby circumvent all of the other controls. If you do not believe this, please remember France’s Maginot Line in the late 1930s: it did virtually nothing to stop Germany’s advance upon France because other, less defended paths of advance were available.

Curiously, I have never seen any claim on the part of any UTM vendor that each security function within the UTM appliance is best-in-class. I may be missing something here, but perhaps I am not. I am sure that each UTM product vendor would love each UTM function within its product to be best-in-class. But if you look at independent testing results, residual risk in UTMs, as well as in other security products, abounds.

APTs are, for all practical purposes, presently unstoppable, and much of the blame falls upon security technology vendors. Instead of producing best-in-class products, they too often freely use the “APT” acronym in their marketing strategies as a means of inciting fear in individuals who might not otherwise be inclined to buy their products. When confronted with results of independent testing that show that their products are not all that proficient in accomplishing what the vendors say they do, vendors often unjustly impugn the testing process used to produce the results and/or claim that the disappointing results for their product were due to the fact that an older version of their product was used in the tests. So much for all the snake oil. We need a massive amount of help from vendors if we are going to have a chance against APTs, but too many vendors are barking up the wrong tree, so to speak. Vendors need to pursue making products that are, above everything else, best-in-class. The sooner they do this, the more likely our systems, devices and networks will be to resist APTs.

–Gene Schultz, Ph.D., CISSP, CISM, GSLC