Enterprises are bombarded with malicious email file attachments, Web links or malware communications capable of bypassing "legacy" defenses. On average, attacks on enterprises occur as often as once every three minutes, according to FireEye. In many cases, the malware used in these targeted attacks is brand-new or has morphed beyond detection by conventional signature-based defenses.
"These 'zero day' attacks are bypassing existing network defenses and requiring us to step up the game," said Lawrence Orans, research director for network security at Gartner Inc. Currently, solutions to detect targeted attacks on enterprises fall into three distinct categories. "These solutions include ones that sit on the end point, ones that do a payload-type analysis and network traffic solutions that analyze different forms of network traffic to identify attacks," he said.
Enterprises can fight targeted attacks better if vendors in these three categories team up and work together. "The good guys need to become more sophisticated and combine techniques from two or more of these categories to detect attacks," Orans said.
Network traffic analysis provides a good indicator for detecting compromised endpoints. But a limitation of this "sandboxing" approach is that it examines malware in an isolated environment -- not on your desktop.
"This is why we're seeing vendors like FireEye, from the payload analysis category, partnering with desktop analysis vendors like Mandiant. They can confirm that malware installed on endpoints in the enterprise and that those endpoints are compromised," Orans said. "Similarly, we see partnerships on the networking side because if you see network traffic indicating an endpoint is compromised, it confirms that the malware has successfully installed in your environment."
FireEye has also teamed up with ForeScout, a network access control, or NAC, vendor, on a solution it claims enables enterprises to detect targeted attacks in real time.
How does their combined solution work? FireEye's malware protection system identifies attacks and blocks outbound malware activity, and alerts ForeScout's CounterACT platform of any affected systems and the threat's severity. CounterACT then applies an enforcement policy, which could include quarantining the endpoint, blocking or limiting specific communications between the endpoint and other systems; reporting rich details about the endpoint; notifying the end user or administrator; and triggering system remediation.
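The alert-to-enforcement handoff described above, as an added Python example (not FireEye's or ForeScout's code): a payload-analysis verdict is corroborated against endpoint and network telemetry before an enforcement policy is chosen, following Orans's point that a sandbox verdict alone does not prove the malware installed. The alert fields, telemetry shapes, severity scale and action names are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Alert:            # assumed shape of a payload-analysis alert
    host: str
    severity: str       # low | medium | high | critical
    sha256: str         # hash of the detonated sample

@dataclass
class Evidence:
    endpoint_confirmed: bool   # agent found the sample installed on the host
    c2_traffic_seen: bool      # host contacted a destination the sandbox tied to the sample

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def gather_evidence(alert, endpoint_inventory, c2_destinations, flows):
    """Confirm a sandbox verdict with endpoint inventory and network flow records."""
    installed = alert.sha256 in endpoint_inventory.get(alert.host, set())
    beaconing = any(f["src"] == alert.host and f["dst"] in c2_destinations for f in flows)
    return Evidence(installed, beaconing)

def decide(alert, evidence):
    """Map alert severity plus corroborating evidence to an ordered list of actions."""
    rank = SEVERITY_RANK.get(alert.severity.lower())
    if rank is None:
        raise ValueError(f"unknown severity: {alert.severity!r}")
    actions = ["report_endpoint_details"]
    if not (evidence.endpoint_confirmed or evidence.c2_traffic_seen):
        # A sandbox verdict alone shows the file is malicious, not that it ran here.
        actions.append("notify_admin")
        return actions
    both = evidence.endpoint_confirmed and evidence.c2_traffic_seen
    if both or rank >= SEVERITY_RANK["high"]:
        actions += ["quarantine_endpoint", "block_outbound_c2",
                    "notify_user", "trigger_remediation"]
    else:
        actions += ["limit_communications", "notify_admin"]
    return actions

if __name__ == "__main__":
    # Constructed sample telemetry; the hash and addresses are placeholders, not real indicators.
    inventory = {"ws-042": {"deadbeef" * 8}}
    c2 = {"198.51.100.7"}
    flows = [{"src": "ws-042", "dst": "198.51.100.7"}, {"src": "ws-099", "dst": "203.0.113.9"}]
    alert = Alert("ws-042", "medium", "deadbeef" * 8)
    print(decide(alert, gather_evidence(alert, inventory, c2, flows)))
```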
In the future, expect to see more of these partnerships emerge as vendors concentrate on detecting targeted attacks.