A shape-shifting world

Attackers use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour. Can advanced threat protection still be expected to keep pace against such forces?

Advanced threat protection (ATP) refers to a category of security solutions that defend against sophisticated malware and hacking-based attacks targeting sensitive data. ATP solutions can be delivered as software or as managed services. They differ in approach and components, but most include some combination of endpoint agents, network devices, email gateways, malware analysis systems and a centralised management console that correlates alerts and manages defences.

But how do they operate and perform 'in anger', so to speak, and where might their weaknesses lie? At the same time, in a world where threat levels change dramatically and rapidly, where might they need to be adapted to counter emerging challenges?

"Perhaps it's become a cliché, but advanced threat protection requires detection and containment, 'beyond the email gateway'," says Mike Fleck, VP marketing at Cyren. "Cybersecurity and industry professionals have been using this term to describe the need for organisations to have a layered security approach with security controls and incident response capabilities to deal with the advanced threats that slip past the email perimeter and arrive in a user's mailbox.

Patrick Wragg, Integrity360: the key to advanced threat protection is layers - ensuring your operating systems and applications are up to date; users are educated; and that you have the latest security solutions in place.

HEART OF THE ORGANISATION
"Email is the most common method of delivering threats - advanced and otherwise - because it is one of the few ways to transport an attack straight to the heart of an organisation, through its people. What's more, the most favoured approach to an email attack is phishing [ie, harvesting login information using spoofed web pages of trusted brands]; once attackers have the ability to remotely log in to a corporate network, they can launch convincing fraud campaigns and surveil the environment to find the most sensitive data to steal or the most business-critical servers to infect with ransomware."

Security controls beyond the gateway have traditionally focused on data loss prevention, sophisticated malware analysis and endpoint security solutions, he points out. "However, advanced email threats still evade detection and containment largely because attackers use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour. Endpoint security agents can quickly spot a compromised device, but it may be too late. Data loss prevention can detect sensitive data as it leaves the organisation, but only after the initial compromise. There is clearly a gap in advanced threat protection capabilities between the email server and the end user device. This gap is easy to see when you understand the degree to which enterprises rely on employees to identify advanced threats in their mailboxes."

A better way is to simply add a layer of automated detection and incident response to the mailboxes, Fleck adds. "As enterprises migrate their email servers to cloud offerings like Office 365, it becomes easier to close this gap by using APIs to connect advanced threat protection clouds to email mailbox clouds. This layer of control complements the detection and containment efforts already underway by cloud providers, enterprise email security gateways, network intrusion detection and endpoint security agents. It also relieves users from the expectation that they will reliably spot and avoid advanced threats like spear phishing and business email compromise."
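As an added illustration of the "layer of automated detection and incident response on the mailbox" that Fleck describes, the following Python is example code written for this article, not Cyren's product or any vendor's API. It assumes the mailbox has already been read (via a hypothetical mailbox API) and scans delivered messages for three post-delivery indicators: a display name or sender domain that impersonates a trusted brand, a Reply-To that steers replies elsewhere (typical of business email compromise), and a visible link that names one host while the href points at another. The trusted-brand list, thresholds and the three sample messages are constructed for the example.

```python
"""Post-delivery mailbox triage: a toy 'beyond the gateway' control.

Constructed example: messages are embedded RFC 5322 strings rather than
fetched through a mailbox API, and 'quarantine' is only a returned verdict.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand list for this organisation: brand keyword -> legitimate domains.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com", "office.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Toy check for "does this anchor text look like a URL/hostname?"
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_header):
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def _host(s):
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def scan_message(raw):
    """Return the list of phishing indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    # 1. Display name or sender domain mentions a brand the sender is not.
    for brand, real in TRUSTED_BRANDS.items():
        if brand in (name + " " + from_dom).lower() and not any(
            from_dom == d or from_dom.endswith("." + d) for d in real
        ):
            indicators.append(f"brand-impersonation:{brand}:{from_dom}")
    # 2. Reply-To points at a different domain than From.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"reply-to-mismatch:{reply_dom}")
    # 3. Link text shows one host, href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if URL_LIKE.match(text.lower()) and _host(text) != _host(href):
                indicators.append(f"link-mismatch:{_host(text)}->{_host(href)}")
    return indicators


def triage(mailbox):
    """Verdict per message id: quarantine, flag for the user, or deliver."""
    verdicts = {}
    for msg_id, raw in mailbox.items():
        ind = scan_message(raw)
        severe = any(i.startswith("brand-impersonation") for i in ind)
        action = "quarantine" if severe or len(ind) >= 2 else ("flag" if ind else "deliver")
        verdicts[msg_id] = (action, ind)
    return verdicts


# Constructed sample mailbox (three delivered messages).
MAILBOX = {
    "phish": """From: "Microsoft 365 Security" <alerts@m365-notify.example>
To: user@corp.example
Subject: Action required: unusual sign-in
Content-Type: text/html; charset=utf-8

<p>Verify your account: <a href="http://microsoft-login.example/verify">https://login.microsoft.com/</a></p>
""",
    "bec": """From: "Pat Finance" <pat@corp.example>
Reply-To: pat.finance@webmail-host.example
To: user@corp.example
Subject: Urgent wire before close of business
Content-Type: text/plain; charset=utf-8

Can you process the attached invoice today? Reply to this address only.
""",
    "legit": """From: "IT Helpdesk" <helpdesk@corp.example>
To: user@corp.example
Subject: Updated password policy
Content-Type: text/html; charset=utf-8

<p>Read the <a href="https://intranet.corp.example/policy">policy page</a>.</p>
""",
}

if __name__ == "__main__":
    for mid, (action, ind) in triage(MAILBOX).items():
        print(mid, action, ind)
```

The point of the three tiers is the one Fleck makes about users: a single weak indicator (the Reply-To mismatch on the "bec" message) is flagged for the recipient rather than silently removed, while brand impersonation combined with a deceptive link is quarantined without waiting for anyone to notice it.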

EVOLUTION OF TECHNOLOGIES
The advanced threat protection category is, of course, nothing particularly new, points out James Preston, security architect for ANSecurity, but rather "an evolution of technologies including anti-virus along with intrusion prevention and detection systems - packaged under a new heading". However, no matter what it's called, technology alone cannot protect against every type of threat, he cautions.

James Preston, ANSecurity: technology alone cannot protect against every type of threat.

"ATP solutions generally don't understand where your organisation has weaknesses. From a threat actor's point of view, there is always a stage where they will try to reconnoitre a target looking for weaknesses. This could be a long-forgotten VPN server, an unpatched application or a badly designed user sign-in process. In fact, this reconnaissance phase is often the deciding factor for a cyber threat actor to expend real effort to break in - or find a more open victim. Most ATP solutions don't emulate this reconnaissance process, so enterprises need to initially focus on finding and fixing structural weaknesses to make themselves less attractive targets."

A great place to start is by using a cyber security framework such as the MITRE ATT&CK framework - with free tools like the ATT&CK navigator, Preston advises. "These allow you to map out the likely avenues for exploit and then work out where you have adequate protections and best practice processes - versus areas where you are lacking. This is a task you can do internally or, if you have limited resources, through a trusted expert third-party. Either way, it will give you a better starting position to fix any issues than just deploying lots of vendor solutions in an ad-hoc fashion."
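The mapping exercise Preston describes can be captured as an ATT&CK Navigator layer file. The Python below is an added example (not a MITRE tool and not ANSecurity's process) that turns a constructed self-assessment into a layer the Navigator can load, scoring each technique by whether the organisation has prevention, detection, both or neither, and listing the uncovered techniques. The technique IDs are real ATT&CK identifiers; the scoring convention, the gradient colours and the version numbers in the layer header are assumptions chosen for this example and should be set to match the Navigator release in use.

```python
"""Generate an ATT&CK Navigator layer from a coverage self-assessment.

Added example. Scoring convention assumed here (not an ATT&CK standard):
0 = no control, 1 = prevention OR detection only, 2 = prevention AND detection.
"""
import json

SCORE = {"none": 0, "prevent": 1, "detect": 1, "prevent+detect": 2}

# Constructed assessment: technique ID -> (name, prevention controls, detection sources).
# The weaknesses in the text map to real techniques: forgotten VPN server -> T1133,
# unpatched application -> T1190, weak sign-in process -> T1078.
ASSESSMENT = {
    "T1566": ("Phishing", ["email gateway", "user training"], ["mailbox API scanning"]),
    "T1133": ("External Remote Services", [], []),
    "T1190": ("Exploit Public-Facing Application", [], ["WAF logs"]),
    "T1078": ("Valid Accounts", ["MFA"], ["identity sign-in monitoring"]),
    "T1021": ("Remote Services", [], ["EDR"]),
    "T1486": ("Data Encrypted for Impact", ["immutable backups"], ["EDR"]),
    "T1195": ("Supply Chain Compromise", [], []),
}


def coverage_level(prevent, detect):
    """Classify a technique by the controls recorded against it."""
    if prevent and detect:
        return "prevent+detect"
    if prevent:
        return "prevent"
    if detect:
        return "detect"
    return "none"


def build_layer(assessment, name="ATP coverage review"):
    """Return a dict in Navigator layer format (version fields are assumed)."""
    techniques = []
    for tid, (tname, prevent, detect) in sorted(assessment.items()):
        level = coverage_level(prevent, detect)
        techniques.append({
            "techniqueID": tid,
            "score": SCORE[level],
            "comment": f"{tname}: prevent={prevent or '-'}; detect={detect or '-'}",
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "0 = no control, 1 = prevention or detection only, "
                       "2 = prevention and detection",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
        "techniques": techniques,
    }


def gaps(layer, threshold=1):
    """Technique IDs scored below `threshold`, i.e. with no control at all."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] < threshold]


def to_json(layer):
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer(ASSESSMENT)
    print("uncovered techniques:", gaps(layer))
    with open("atp-coverage.json", "w") as f:
        f.write(to_json(layer))
```

Loading the resulting file in the Navigator colours the matrix red where nothing is in place, which is the "where you are lacking" view Preston recommends producing before buying further tooling.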

Integration is also key. "It's unlikely that any enterprise will have a complete stack of cyber security products from a single vendor. And, as such, disparate security solutions often work in little silos, without sharing the valuable security information to make early breach detection easier. So, it's essential that organisations must also establish what is integrated - and, in some cases, this might require a dedicated integration layer like a SIEM or SOAR platform. This might not always mean spending more budget as, in some cases, a SIEM can allow you to reduce the number of overlapping security tools and focus on better utilising a smaller set of technologies."

One of the biggest security issues now, he adds, is how fast cyber criminals can escalate a slight breach into a full-blown extortion attempt or theft of sensitive data. "Sometimes, the tell-tale signs are spotted by cyber security systems, but the decision to quarantine PCs, servers or network functions requires manual action. This approval delay can mean the difference between successful defence or a painful breach. As such, enterprises are going to need to start trusting automated response a bit more - even if it means that the occasional false alarm impacts the business."

Mike Fleck, Cyren: there is clearly a gap in advanced threat protection capabilities between email server and end user device.

Yes, this is a big step, he concedes - and there will be a bedding-in period as these systems start to understand the environment and learn from mistakes. "However, to deal with the next generation of advanced threats, ATP systems must be given the freedom to start mitigation faster than a typical human operator."

'BIG PICTURE' VIEW
Patrick Wragg, cyber incident response manager with Integrity360, points to how traditional basic threat prevention strategies rely on a singular approach, whereby each unique security tool/component in an organisation's defence arsenal has one job and is relied upon heavily for that job. "Advanced threat prevention, however, takes a multi-faceted approach whereby the detection capabilities of multiple security tools/components in an organisation's defence arsenal are combined to provide a 'big picture' view of a possible compromise. For example, a combination of EDR (Endpoint Detection and Response) agents, network monitoring agents, email gateways, user privilege/account monitoring and cloud monitoring solutions all submitting their alerts to a centralised management tool that correlates them and alerts a security team in real-time."
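Both Preston's point about siloed tools needing an integration layer (and automated response with an accepted false-alarm rate) and Wragg's 'big picture' correlation can be shown in one small piece of logic. The Python below is an added example, not code from any SIEM or SOAR product: it takes alerts from four constructed sources (email, EDR, network, identity), groups them per host into incidents within a time window, and chooses a response whose aggressiveness depends on how many independent sources agree. The containment policy (three agreeing sources to auto-isolate a workstation; crown-jewel servers always go to a human) and the sample alerts are assumptions for the example.

```python
"""Cross-source alert correlation with a tiered automated response.

Added example. Alerts are constructed and already normalised to one shape;
in practice a SIEM/SOAR integration layer does that normalisation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALERTS = [  # constructed sample telemetry from siloed tools
    {"ts": "2021-07-06T09:00:10", "source": "email", "host": "ws-042",
     "user": "alice", "signal": "phish-link-clicked"},
    {"ts": "2021-07-06T09:01:30", "source": "edr", "host": "ws-042",
     "user": "alice", "signal": "office-spawned-powershell"},
    {"ts": "2021-07-06T09:02:05", "source": "network", "host": "ws-042",
     "user": "alice", "signal": "beacon-to-new-domain"},
    {"ts": "2021-07-06T09:03:40", "source": "identity", "host": "ws-042",
     "user": "alice", "signal": "new-oauth-consent"},
    {"ts": "2021-07-06T10:30:00", "source": "edr", "host": "ws-042",
     "user": "alice", "signal": "office-spawned-powershell"},
    {"ts": "2021-07-06T11:15:00", "source": "edr", "host": "ws-007",
     "user": "bob", "signal": "office-spawned-powershell"},
    {"ts": "2021-07-06T14:20:00", "source": "network", "host": "srv-db1",
     "user": "svc-backup", "signal": "beacon-to-new-domain"},
]

WINDOW = timedelta(minutes=10)
# Assumed containment policy for this example.
AUTO_ISOLATE_SOURCES = 3      # distinct sources that must agree before auto-isolation
CROWN_JEWELS = {"srv-db1"}    # never auto-isolated; a human approves the action


def correlate(alerts, window=WINDOW):
    """Group alerts per host into incidents; a new incident starts when an
    alert falls more than `window` after the incident's first alert."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current = None
        for a in items:
            t = datetime.fromisoformat(a["ts"])
            if current is None or t - current["start"] > window:
                current = {"host": host, "start": t, "alerts": [], "sources": set()}
                incidents.append(current)
            current["alerts"].append(a)
            current["sources"].add(a["source"])
    return incidents


def decide(incident):
    """Pick the response for one correlated incident."""
    if incident["host"] in CROWN_JEWELS:
        return "page-analyst"          # business impact too high for auto-action
    agreeing = len(incident["sources"])
    if agreeing >= AUTO_ISOLATE_SOURCES:
        return "isolate-host"          # accept the occasional false alarm here
    if agreeing >= 2:
        return "open-ticket"
    return "log-only"                  # a single silo firing is not yet a 'big picture'


def respond(alerts):
    """Return one record per incident: host, start time, sources, chosen action."""
    return [{"host": i["host"], "start": i["start"].isoformat(),
             "sources": sorted(i["sources"]), "action": decide(i)}
            for i in correlate(alerts)]


if __name__ == "__main__":
    for r in respond(ALERTS):
        print(r)
```

Two design points the text argues for show up directly: the lone EDR alert on ws-007 and the later, isolated alert on ws-042 stay at log-only, which is how the false-alarm cost of automation is bounded, while four silos agreeing within minutes on ws-042 is the correlated signal that justifies isolating the host without waiting for approval.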

However, there is no one size fits all approach, in terms of advanced threat protection. "Solutions need to be scalable, flexible and intelligent, and enable organisations to bolster those defences that work well and can evolve to meet the ever-changing threat environment. Businesses need to cover all bases with systems in place designed to manage, detect and respond (MDR), monitor, mitigate/prevent and, where necessary and applicable, remediate with incident response (IR)."

On top of automating where possible, and an overall strengthening of the security posture, the key to advanced threat protection is layers, he adds - ensuring your operating systems and applications are up to date; your users are educated; and you have up to date security solutions in place.

"The future of advanced threat protection comes down to having the right service provider in place to provide on-demand access to highly skilled cybersecurity experts who can deliver emergency support for any cyber threat, including proactive guidance on MDR and IR planning, and new and evolving threats. The security team should also be able to respond instantly, in real-time, via pre-built automated incident response playbooks."

BATTLESHIP WARFARE
"For years, threat actors like nation states and cybercriminals had distinct motivations and different tools," comments Sam Curry, chief security officer, Cybereason. "Nation states, or 'advanced persistent threats', as we called them, moved like submarines stalking ships in the waters of target networks, carrying out the policies of their governments and providing asymmetric options aside from the normal diplomatic, economic and military strategies and tactics. By contrast, the fight against cybercriminals more resembled battleship warfare than submarine. The motivation among criminals was profit and, as such, it was about maximising the number of victims and wringing every drop from an infection for as long as possible. Even in the old days, the security industry was not up to the task of stopping either the malicious operations of nation states or the smash-and-grab theft of cybercriminals."

The silver lining, however, is the emergence of endpoint detection and response (EDR), which is often mistaken for a mere extension of existing endpoint protection technologies like antivirus or personal firewalls. "It is a tool for finding the advanced operations and provides the hunter-killer options for the cyber conflicts being waged on corporate and government networks," he explains.

"EDR has evolved first into managed detection and response (MDR), providing the men and women behind screens in managed services, and into extended detection and response (XDR), uplifting the telemetry recording from formerly ubiquitous endpoints to the transformed enterprise of SaaS, cloud infrastructure and beyond."

Fast forward to today and the dark side ecosystem is very different, states Curry. "The attackers have not slowed down and have, in fact, evolved at a faster rate than defenders have, except perhaps among the most sophisticated defenders. Not only are they attacking the newer infrastructure associated with SaaS services, but they are now targeting the new IT stack in the form of IaaS and PaaS compromise.

"In the last five years, the lines among attackers have become more blurred, with sharing of tools and relationships that mirror the alliances, investments and partnerships of the more normal and legitimate industries. Further, the motivations for each actor have become less distinct, with nation states pursuing currency in the case of North Korea, fostering ransomware in the case of Russia, and development of supply chain compromises in the case of Russia and China, to name just a few."

The most insidious examples of these are developments in the last six months. "The first is ransomware, which is really a combination of the old APT-style delivery mechanism through stealthy submarine-like operations but doing so for profit. The second and most recent is evident in the recent Kaseya attack: supply chain compromise for the purpose of delivering ransomware as the payload. This is a killer combination."

This is the reason for the mandate of EDR (or MDR or XDR) for the US Federal government in the recent White House Executive Order. "Having a means of finding the attacks as they move in the slow, subtle, stealthy way through networks isn't an option. This class of tool isn't the be-all and end-all, but it's at the top of the toolkit, along with more advanced prevention, building resilience, ensuring that the blast radius of payloads is minimised and generally using peace time to foster anti-fragility." The most significant takeaway? "It's not about who we hire or what we buy. It's about how we adapt and improve every day."