Should we still care about APTs?

Guest Blogger (HPE-SW-Guest) 08-29-2013 12:37 PM - edited 09-16-2015 04:20 PM

Guest post by Perry Payne
CISSP, CISM , CISA, HP Enterprise Security Products


A couple of weeks ago, I was having lunch with a long-time CISO friend at our favorite sushi bar in D.C., just off DuPont Circle. We were chatting about the state of our industry when the topic landed on APTs. My friend waved his chopsticks in a lazy circle and asked, “This is 2013…should we still care about APTs?”


Years before Advanced Persistent Threats (APTs) became the hot industry buzzword, we shared many spirited conversations about the best way to defend against them. This is particularly true after my first APT experience while heading up Information Security at a nearby Fortune 500 company. Truth is, we didn’t really understand the scope of what we were dealing with at the time, only that it was very different from the day-to-day threats to which we were accustomed. These were new, their sole purpose being to perform long-term, stealth network surveillance.


The look on my face must have been priceless, so he smiled and proceeded to clarify his question. “I was thinking maybe it’s time we reconsider our approach to products and services that focus specifically on APTs. ” Having implemented a couple of these, I was certainly intrigued by the notion.


Learning by experience


What we have learned over the past two to three years is that if you deploy solutions that specialize in detecting APTs (usually because you were recently a victim and could easily get funding), you could be missing the bigger picture. Any malware, or even adware, that can install itself in your environment and set up a covert channel out of your network, even for a short period of time, is a big problem. With over 100K new malware samples observed in the wild each day, clearly some form of endpoint antivirus is still very necessary. Unfortunately, there is no way traditional AV deployments can keep up. So a gap exists: these zero-day nuisance-ware programs are not typically flagged by the APT specialists, and they are not detected by AV until a signature has been developed and deployed to all endpoints.


So what we discovered is, APT or not, all malware threats are equally important—and here’s why:

Even if the purpose isn’t initially for surveillance, infiltration points created by malware are often quickly sold on the deep web at sites such as Silk Road or Atlantis. There, adversary groups (who have a keen interest in your operation) bid for those access points in this very lucrative black market. That path into your network, if undetected or unchecked even for a few hours, will be exploited by experts who will map your environment, find your weakest links (you know where they are) and set up more sophisticated backdoors—often selling those to the highest bidder—be it nation-state, cybercriminal or hacktivist.


Protection via monitoring


So to counter this, my friend has several monitoring solutions in place across his networks which detect various types of threats using different techniques. This is effective, but he really wants to consolidate around a more comprehensive solution. Unfortunately he is also struggling with a staff stretched to the limit trying to identify, locate, analyze and remediate several suspicious endpoints a day. These activities take them away from critical security projects.


So he mused, “Wouldn’t it be great to have a monitoring solution that utilized comprehensive, multi-sourced security and threat intelligence, to include APT detection—then couple that with the ability to automatically quarantine the affected endpoint in real time?”


“Absolutely!” I further posited, “What if it could respond to those alerts based on discrete admin-defined policies: by severity, user community, type of endpoint, location on the network, etc. and handle mitigation in the most effective way?

For example, if you want to quarantine someone on your LAN—it would implement a port block. If it’s a VPN user—it would kill the session or disable the VPN account. And for a wireless user on a shared switched network—it would deploy a MAC filter... all are policy-driven based on the alert.”
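As an added example (not HP's code and not part of the original post), here is a minimal policy-driven response engine in Python: each alert carries the attributes named above (severity, how the endpoint is attached, user community, network zone) and is matched against ordered, admin-defined rules that pick the containment action (port block, VPN session kill or account disable, MAC filter) and draft the help-desk ticket. The class names, rule names, thresholds and sample alerts are all constructed; the guardrail that keeps datacenter servers on manual review is an assumption about sensible policy, not something the post prescribes.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Alert:
    endpoint: str
    severity: int      # 1 (low) .. 10 (critical), as reported by the detector
    access: str        # how the endpoint is attached: "lan", "vpn" or "wireless"
    user_group: str    # user community, e.g. "staff" or "server-admins"
    zone: str          # location on the network, e.g. "office" or "datacenter"

@dataclass
class Rule:
    name: str
    matches: Callable[[Alert], bool]
    action: Optional[str]   # None means: ticket only, no automatic containment

# Constructed admin-defined policy, evaluated top to bottom; first match wins.
POLICY: List[Rule] = [
    # Guardrail (assumed): never auto-quarantine production servers; a human decides.
    Rule("datacenter-manual", lambda a: a.zone == "datacenter", None),
    # Low-severity alerts are not worth an outage: ticket and watch.
    Rule("low-severity", lambda a: a.severity < 5, None),
    # The containment technique depends on how the endpoint reaches the network.
    Rule("lan-port-block", lambda a: a.access == "lan", "port-block"),
    Rule("vpn-kill", lambda a: a.access == "vpn" and a.severity < 8, "kill-vpn-session"),
    Rule("vpn-disable", lambda a: a.access == "vpn", "disable-vpn-account"),
    Rule("wifi-mac-filter", lambda a: a.access == "wireless", "mac-filter"),
]

def respond(alert: Alert, policy: List[Rule] = POLICY) -> dict:
    """Pick the containment action for an alert and draft the help-desk ticket."""
    for rule in policy:
        if rule.matches(alert):
            what = rule.action or "manual review"
            ticket = f"[sev {alert.severity}] {alert.endpoint}: {what} ({rule.name})"
            return {"rule": rule.name, "action": rule.action, "ticket": ticket}
    # No rule matched (e.g. an access type the policy never anticipated): fail safe.
    ticket = f"[sev {alert.severity}] {alert.endpoint}: manual review (no matching rule)"
    return {"rule": None, "action": None, "ticket": ticket}

if __name__ == "__main__":
    # Constructed sample alerts, one per access path plus the two guardrails.
    for a in [Alert("lt-0042", 7, "lan", "staff", "office"),
              Alert("lt-0099", 9, "vpn", "staff", "remote"),
              Alert("lt-0101", 6, "wireless", "staff", "office"),
              Alert("srv-db-01", 9, "lan", "server-admins", "datacenter")]:
        print(respond(a)["ticket"])
```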


“Wouldn’t this free up your very expensive security staff to do what you hired them for, namely to focus on projects and strategies to protect your environment instead of chasing down laptops?”

We were on a roll now!


He added, “Why not send a ticket to the Help Desk for them to recover, reimage or hold the endpoint based on our incident response procedures?”


I fired back, “Absolutely! And wouldn’t it be awesome if your security ecosystem could leverage what was learned from the attack and protect affected endpoints at the network layer from that specific vulnerability? This effectively provides a ‘virtual patch’ until the vendor could send one out?”


He laughed, “Maybe for the NSA, but we’re dreaming!”


“Maybe not…”


I invited him to HP Protect in Washington, D.C., September 16-19, where in HP’s onsite Security Operations Center (SOC) he can see demonstrations of this real-world capability—available today—driven by HP’s industry-leading, award-winning threat intelligence and enterprise security portfolio, as recognized by both Gartner and Forrester.


He replied, “I’m in…I just want to know if they can hire our favorite sushi chefs to cater as well!”


To learn more about the biggest security conference in Washington, D.C.—HP Protect 2013—listen to Art Gilliland, SVP HP Enterprise Security Products, give you the scoop on this year’s event:




About the Author


This account is for guest bloggers. The blog post will identify the blogger.
