
Bit9

As promised, here is the second part of the two-part post inspired by the RSA SecurID breach.

In the aftermath of the RSA SecurID breach many security experts are recommending a layered approach as the way to prevent future “advanced persistent threat” (APT) attacks. The approach is discussed by Avivah Litan of Gartner in one of many articles to advocate layered defense.

It makes sense, of course, to build many barriers that an attacker would need to circumvent before getting to the proprietary data they seek. A layered maze. The picture that comes to mind is multiple strata overlapping across the network and endpoints, each built on top of the last like layers in the earth. With each new technological era, a new layer of protection is added, filtering out malware.

But what the articles are short on are specifics. What are these layers? Are there many sets of layers for specific applications?

After the APT attack last year that targeted many high profile enterprises we went out and spoke with a number of Fortune 500 companies that had adopted Bit9 application whitelisting to protect their endpoints (laptops, servers, desktops, kiosks, ATMs, other fixed function devices, etc.). We asked them: “What else are you doing to protect against Advanced Persistent Threats?” We understand that companies are using many different technologies to achieve the same goal. There is no proverbial silver bullet in IT security; this sentiment is true despite becoming a cliché in the industry.

A theme that came across from the CISOs at these enterprises was “advanced.” While the threats are being called that, so are the technologies being used to fight them. So what are these “advanced” technologies?

According to the people we spoke to, the technologies stacking up to fight these attacks consist of the following:

  • Advanced endpoint protection whose approach focuses on which applications can be trusted (e.g. application whitelisting) versus finding the bad “needle in the haystack” (e.g. traditional antivirus technology). This also includes technology that creates visibility on the endpoints – historically a significant blind spot for IT security
  • Cloud-based reputation services to provide insight/intelligence regarding trust and threat levels for the applications running on the endpoints
  • Advanced network protection – new IDS/IPS appliance technology that does not rely on signatures and works at the network level
  • Incident response/forensics – Mandiant and similar providers who can address the need for highly specialized groups of security experts with the skills to investigate the aftermath of a breach from an Advanced Persistent Threat
  • Security Information & Event Management (SIEM) technology that correlates all events into one dashboard enabling the identification of threats via a “single pane of glass”

At the bottom are the legacy antivirus endpoint technologies and traditional network protections that are already installed. They are not going away, according to the companies we interviewed, but they are facing price pressure as corporations pay less for incumbent technologies and use the excess to pay for newer, more advanced solutions.

While there are many permutations of layers in the industry, this stack of technologies is the one that we found to be the most prevalent in enterprises looking to arm themselves against the advanced threats.

The threat landscape is changing, with some research suggesting that 75% of all threats are targeted at 50 machines or fewer. Given the highly targeted nature of APTs, a new approach is clearly warranted – an approach that we’ve been told is reflected in this new IT security stack.
