APT Monitoring and Compliance
Trends in Compliance Monitoring: Compliance Automation
How does it work and what are the benefits?
Presented by Marcus Clarke, Meridian Group
Light and Darkness on IT Street
If you lose your car keys at night, do you look only under the streetlights? Do you get down on your hands and knees and feel around for them?
Durable monitoring for Compliance and Risk Management requires that we look at everything that’s happening on our networks. But can we see everything?
No. Not only do we have to look under the lights, but we also have to grope around in the dark.
© Meridian Group Inc. 2010

Pattern vs. Behavior
In the light, we can immediately recognize the visual pattern of a threat. This is similar to being able to immediately recognize the signature (pattern) of a known virus.
In the dark, immediate visual recognition is no longer possible. Using all our senses, we must observe behavior and assemble clues over time to deduce the presence of the threat we cannot see.
Clarke Threat Matrix
(Figure slide: the Clarke Threat Matrix diagram.)

“Black Swans”
A highly improbable, unanticipated event that carries great impact. Often induces ‘expert’ rationalization in hindsight. Frequently associated with ‘experts’ confusing the absence of evidence with evidence of absence. Unseen danger lurks…
While typically a risk management issue, Black Swan events can suddenly expose weaknesses in compliance strategy.

Our street lighting just isn’t the same as it once was.
(Figure slide: aggregate infection potential of network compromise, based on a network of 100 Windows PCs secured using ‘best practice’ malware defenses.)

Advanced Persistent Threats (APT)
Advanced – Opportunistic operation using the full spectrum of computer intrusion. Designed to actively resist detection and eradication attempts.
Persistent – Maximizes control of the target computer by elevating privilege to preserve or regain control and access.
Threat – Acts as a ‘launch platform’ for a wide variety of malicious activity such as attacks, data theft, extortion and destruction.
Anatomy of a Known APT Operation…
The primary detectable evidence of APT infection is the traffic to the Command and Control (CnC) servers. This channel is also used to download new code.
Almost all APTs use HTTPS to encrypt CnC traffic to ensure egress and avoid inspection.
They use techniques such as Domain Fluxing to obfuscate CnC host identification and location.

Strategic Priorities
Currently known (detectable) APTs are the primary concern for all organizations. Relatively inexpensive to detect today.
Unknown APTs and Zero-day Exploits are a secondary focus. Not only because we believe they are less common, but because they are much more expensive to detect.
Black Swan exploits are specifically unknowable without prior knowledge, but the consequences can’t be ignored: Business Continuity planning.
APT Defense is Possible
Requires prior knowledge of common APT behavior. You have to know what to look for – for example, periodic CnC traffic.
Works very well for popular APT toolkits such as Zeus, so it is effective for the vast majority of current APTs.
Accept that defense today occurs after the fact. Sooner is better. Immediate is best.
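The two slides above make one concrete detection claim: because CnC traffic is usually wrapped in HTTPS, the most reliable signal is not the content but the timing, i.e. a host that contacts the same destination at a nearly constant interval. The following is an added example, not code from the presentation or from Meridian Group; it runs a beacon-periodicity check over a constructed outbound flow log (documentation IP addresses, format and thresholds are assumptions) and flags only the pair whose inter-arrival times are nearly constant.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample outbound flow log (not real traffic). One record per line:
#   "<epoch_seconds> <src_ip> <dst_ip>:<dst_port> <bytes_out>"
# Host 10.0.0.5 beacons to 203.0.113.7:443 every ~300 s with a few seconds of jitter,
# while also browsing 198.51.100.20:443 at irregular times.
_BEACON_LINES = [
    f"{1285000000 + i * 300 + jitter} 10.0.0.5 203.0.113.7:443 612"
    for i, jitter in enumerate([0, 4, -3, 2, 5, -1, 3, 0])
]
_BROWSING_LINES = [
    f"{1285000000 + offset} 10.0.0.5 198.51.100.20:443 {size}"
    for offset, size in [(17, 4096), (41, 15000), (42, 900), (530, 22000),
                         (1100, 3000), (1120, 300), (1700, 8000), (2310, 500)]
]
SAMPLE_LOG = "\n".join(sorted(_BEACON_LINES + _BROWSING_LINES,
                              key=lambda line: float(line.split()[0])))


def parse_flow_line(line):
    """Parse one flow record into (timestamp, src, dst, bytes); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def periodicity(timestamps):
    """Return (mean_interval, coefficient_of_variation) of the gaps between events.

    A low coefficient of variation (stdev / mean) means the gaps are nearly equal,
    which is the timing signature of a scheduled beacon. Needs at least three events.
    """
    stamps = sorted(timestamps)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(log_text, min_events=6, max_cv=0.1):
    """Group flows by (src, dst) and report pairs whose timing looks like beaconing.

    min_events guards against judging periodicity on too few samples; max_cv is the
    assumed tolerance for jitter (0.1 = gaps within roughly 10% of the mean).
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_flow_line(line)
        if record is None:
            continue  # skip malformed lines rather than aborting the whole scan
        ts, src, dst, _ = record
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stats = periodicity(stamps)
        if stats is None:
            continue
        mu, cv = stats
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "period_s": round(mu, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every {hit['period_s']} s ({hit['events']} events, cv={hit['cv']})")
```

On real proxy or NetFlow data the same check is worth running per destination domain as well as per IP, since the slide's Domain Fluxing point means a single beacon can rotate across many names.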
1. Monitoring Unidentifiable Activity
While a particular threat may be unknown, its likely intent may be estimated with reasonable accuracy.
Understanding probable intent provides us with defensive knowledge. For example, a threat with the intent of ‘owning’ a machine will likely be indicated by new processes or registry changes.

2. Making Sense of Unidentifiable Activity
Monitor all possible network activity by using technology that reports everything it does.
Use available technology to autonomously identify, and block or quarantine, suspect activity.
Use available technology to aggregate, normalize and intelligently correlate diverse data. ‘Short-list’ any remaining suspect activity for further investigation and forensic analysis.

3. Building Situational Awareness
Normalize and aggregate data from diverse sources into a single database.
Perform near real-time analysis on data streams to alert on suspect activity.
Provide fast, flexible ad-hoc reporting to examine data from multiple perspectives.
Provide forensic search capabilities on very large sets of raw data.
4. Compliance Automation
Monitor and map detailed real-time event, configuration, asset and vulnerability data to the corresponding sections in the underlying compliance policy.
Provide standard and ad-hoc reporting of compliance over any time frame.
Support manual attestation of process controls associated with compliance.
Conclusion
In the era of APTs and unknown threats, a robust Risk Management protocol is vital to operational longevity.
Comprehensive monitoring, normalizing and aggregation of data for Risk Management is only a short step away from compliance automation with the right technology.
Business Continuity and Disaster Recovery planning are more important than ever. Don’t get ‘too big to fail.’ Look at New Orleans.

Thank you!
Marcus Clarke
mclarke@ipkey.com
505-243-1010
Unknown APT Defense
“Build visibility in one’s organization to provide the situational awareness to have a chance to discover, and hopefully frustrate APT activities.”
“Without information from the network, hosts, logs and other sources, even the most skilled analyst is helpless. Most security shops should be pursuing such programs already.”

IT Security is Undergoing a ‘Sea-Change’
Huge investment in signature-based malware detection and prevention systems (AV, IDS).
This status quo is becoming marginalized as conventional malware is supplanted by botnet agents and other Advanced Persistent Threats (APTs).
Infection vectors are shifting from file-based to web-based, requiring rigorous Application Control mechanisms.

…and no-one wants to hear this
Executives don’t want to hear how much more time and money the changes in today’s IT Security take.
IT Professionals don’t want to hear that most of their defensive technology and skills are obsolete.