Advanced Threat Protection (ATP) is used to protect against sophisticated, highly skilled, well-funded and motivated threat actors. These solutions uncover advanced threats across endpoints, networks, email and cloud. They are used to detect advanced persistent threats that existing controls either miss or are simply not designed to detect.
Advanced threat protection is not a single security solution; it is a combination of security controls, best practices and procedures, security awareness and continuous monitoring. It is more of a program-based approach than a single product. Although advanced threat protection has a broad scope, in this category we focus on tools and solutions that employ both signature-based and signature-less methods (advanced sandboxes, behavioral analytics, advanced correlation and machine learning, deception techniques, etc.) to detect advanced threats by analyzing web and network traffic. Here we call them Network Advanced Threat Protection solutions.
Key Use cases:
- To detect advanced targeted attacks that may go undetected by your SIEM, IPS/IDS, firewall and endpoint security tools: detect custom-built malware and zero-day attacks against your organization quickly by using advanced detection and mitigation tools.
- To reduce the man-hours required to detect, respond to and gain insight into a security breach: mitigate incidents in minutes through quick detection and automatic remediation. Future-proof your organization's defenses by applying endpoint and network forensics to gain insight into attacker tactics, techniques and procedures.
- Looking to deploy a sandboxing solution: sandboxing tools are among the critical tools for advanced malware analysis and detection. Today it is imperative to deploy a sandbox inside your network if you want to gain visibility into your network traffic, email attachments and web objects.
- Want to quickly find answers to who, what, how, where and when after a security breach (contextual security): most advanced threat protection tools are context aware, i.e. they maintain stateful analysis of what is happening inside your network and store it for correlation of events across devices, applications, users, ports and protocols. Contextual security also helps with historical analysis and incident forensics to learn more about the adversary, which helps you better prepare for any future eventuality.
- Require the capability to capture full forensic detail to reconstruct attacks and avoid future risk: this is about capturing the data points that aid investigation after a breach. Capturing raw network data, keeping metadata, malware anatomy, an analytics engine and all the right tools and processes are what you must have if you want to find out what actually happened, what went wrong and how to prevent it in the future.
- You want to detect APTs in SSL traffic and encrypted archive files: SSL is great for keeping our privacy on the internet, but the same tool is used by attackers nowadays to evade the security controls we have in place to prevent us from getting attacked. Some ATP tools give you the ability to look into the outbound and inbound encrypted traffic of your organization, thereby preventing anything unwanted from being downloaded into your organization's network.
- You want to notify your security controls about advanced threats uncovered by your sandboxing tools: integrating your advanced threat protection tools with other security tools such as SIEM, endpoint security, IAM, NGFW and IPS/IDS can really enhance the overall security posture of any organization. ATP tools can reduce noise in SIEM results and can help contain a breach by updating the endpoint security solution with the latest signatures, among other things.
Do let me know if you want us to add or modify any of the listed key use cases.
Check out the Network Advanced Threat Protection market within FireCompass to get more information on these markets.