Are you planning to implement Advanced Persistent Threat (APT) security? It's important to know which questions to ask an APT security vendor, and to get their views on APTs. Also, be sure that the solution you are going to buy is capable of detecting advanced threats using multiple techniques, and is not just another signature-based security solution branded with fancy terms.
APT security is not a single technology or solution but a complex program (people, process and technology). Sandboxing, or any other single technology, can only provide partial protection against "real" advanced attacks.
So, here is the list of the top 10 questions that you need to ask your APT security vendors:
1. What is your definition of APT security?
You need to understand their definition of APT security. If their definition of an APT security solution is a traditional signature-based antivirus, or protection against botnets, Trojans and phishing without any threat intelligence or forensics features, you may want to stop right there.
2. Could your solution detect more than the existing security system?
You wouldn't want to buy an APT security solution that doesn't add value to the existing security ecosystem. APT security has become a marketing term, and many vendors present a traditional signature-based antivirus as APT security. Therefore, you need to know how capable the APT security solution you are going to buy is at detecting malware. Keep a list of possible APT variants handy and ask whether the solution protects against each of them. Some of these variants are insider threats, initial attack vectors, spear phishing, drive-by downloads, online social networking, search engine poisoning and many more.
3. Do you participate in industry-standard malware protection tests such as those performed by AV-Test, AV-Comparatives or NSS Labs? If not, why not?
What score did you get in these protection tests, and were you able to score above the industry standard?
4. Does your APT security solution cover all the channels by which a threat might penetrate the enterprise?
An APT security solution must provide comprehensive coverage across the following channels:
• Endpoint: These are typically deployed as agents on endpoint devices, but there are also some solutions which are agentless.
• Network: These are typically deployed as appliances within the network infrastructure, and separate solutions may be required for detection, response and forensics.
• Email: Spear phishing email is one of the main causes of advanced targeted attacks.
5. What is your false positive rate and how do you measure it?
There are times when a system falsely reports a "malware attack"; the organization then allocates resources to investigate the issue, and once it turns out to be a false positive, people tend to ignore the real alarms as well and stop taking them seriously.
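The question "how do you measure it?" matters because a false positive rate and an alert precision are different numbers, and a rate that sounds tiny can still flood a SOC when the scanned volume is large. The following added example (not part of the original post, and not any vendor's code) works both out from a constructed pilot triage log: the alert IDs, verdicts, benign object count and daily volume are all hypothetical values chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

TRUE_POSITIVE = "true_positive"
FALSE_POSITIVE = "false_positive"


@dataclass(frozen=True)
class AlertOutcome:
    """One alert raised by the product during the pilot, with the analyst's final verdict."""
    alert_id: str
    analyst_verdict: str  # TRUE_POSITIVE or FALSE_POSITIVE, decided after triage


def _build_pilot_log(verdicts: Iterable[str]) -> List[AlertOutcome]:
    # Constructed sample: hypothetical alert IDs, not real product output.
    return [AlertOutcome(f"A-{i:03d}", v) for i, v in enumerate(verdicts, start=1)]


# Constructed two-week pilot: 12 alerts, of which analysts confirmed 4 and rejected 8.
PILOT_ALERTS = _build_pilot_log(
    [TRUE_POSITIVE, FALSE_POSITIVE, FALSE_POSITIVE, TRUE_POSITIVE,
     FALSE_POSITIVE, FALSE_POSITIVE, TRUE_POSITIVE, FALSE_POSITIVE,
     FALSE_POSITIVE, TRUE_POSITIVE, FALSE_POSITIVE, FALSE_POSITIVE]
)
# Constructed: objects (files, emails, sessions) the product inspected in the pilot
# window that were later confirmed benign. This is the denominator of a true FP rate.
PILOT_BENIGN_OBJECTS = 10_000


@dataclass(frozen=True)
class FalsePositiveMetrics:
    true_positives: int
    false_positives: int
    false_positive_rate: float  # FP / benign objects inspected (per-object rate)
    alert_precision: float      # TP / all alerts raised (what vendors often quote instead)


def measure_false_positives(alerts: Iterable[AlertOutcome],
                            benign_objects: int) -> FalsePositiveMetrics:
    """Compute both numbers from triaged alerts plus the benign population size."""
    if benign_objects <= 0:
        raise ValueError("benign object count must be positive")
    counts = Counter()
    for alert in alerts:
        if alert.analyst_verdict not in (TRUE_POSITIVE, FALSE_POSITIVE):
            raise ValueError(f"untriaged verdict on {alert.alert_id}: {alert.analyst_verdict}")
        counts[alert.analyst_verdict] += 1
    tp = counts[TRUE_POSITIVE]
    fp = counts[FALSE_POSITIVE]
    raised = tp + fp
    return FalsePositiveMetrics(
        true_positives=tp,
        false_positives=fp,
        false_positive_rate=fp / benign_objects,
        alert_precision=(tp / raised) if raised else 0.0,
    )


def projected_false_alarms_per_day(fp_rate: float, daily_benign_volume: int) -> float:
    """Scale the per-object FP rate to the production volume the SOC will actually see."""
    return fp_rate * daily_benign_volume


def analyst_hours_per_day(false_alarms: float, minutes_per_triage: float = 20.0) -> float:
    """Rough triage load implied by those false alarms (minutes_per_triage is an assumption)."""
    return false_alarms * minutes_per_triage / 60.0


if __name__ == "__main__":
    m = measure_false_positives(PILOT_ALERTS, PILOT_BENIGN_OBJECTS)
    daily = projected_false_alarms_per_day(m.false_positive_rate, daily_benign_volume=250_000)
    print(f"FP rate      : {m.false_positive_rate:.4%}  (sounds small)")
    print(f"Precision    : {m.alert_precision:.1%}  (two of three alerts were noise)")
    print(f"At 250k objects/day: ~{daily:.0f} false alarms, "
          f"~{analyst_hours_per_day(daily):.0f} analyst-hours of triage")
```

Ask the vendor which of the two figures their number is, what denominator and population it was measured against, and then rescale it to your own daily volume before deciding whether the SOC can absorb the resulting triage load.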
6. How much time will it take to generate reports for the complete system, and how much memory will your solution use?
There are systems in which generating reports is time-intensive and may need to be run off-hours. Application containment solutions consume CPU and memory, and having more containers leads to a higher impact and can result in performance issues.
7. How would you rate your solution from 1 to 10 in terms of complexity, with 1 being easy and 10 being complex?
There are solutions which are very complex and require skilled personnel. Therefore, you need to evaluate your workforce's expertise; deploying such a solution might require extra staff, and you need to ask whether the cost of that extra workforce is manageable.
8. How capable is your threat research team in investigating a series of attacks?
The threat research team plays a crucial role, and selecting a vendor with a strong one is important, as sometimes you may be facing a long-standing cyber espionage campaign.
9. Which types of technologies does your APT solution leverage?
For APT security, multiple solutions or technologies may be required, and hence you need to understand which techniques the vendor's APT security solution leverages. It can leverage sandboxing, security analytics, application containerization, embedded URL analysis, IOC detection, static code analysis, etc.
10. What are your solution's capabilities in terms of Prevention, Detection, Response and Prediction?
An APT security solution should be capable in terms of Prevention, Detection, Response and Prediction. You need to evaluate and understand how much you are going to achieve in terms of these four key capabilities.