WHITE PAPER

SECURITY
REIMAGINED,
PART II:
BUILDING OUT
AN ADAPTIVE
INFRASTRUCTURE
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

CONTENTS

4 5 6 9 11
A VISION IS JUST A HISTORY OF DETECTION: HUNTING AND PREVENTION:
THE BEGINNING REIMAGINING: MINUTES, NOT GATHERING BLOCK WHAT YOU
THE REST OF MONTHS CAN, STOP WHAT
THE STORY YOU CAN’T

13 14 15 16 18
ANALYSIS: FULL TELLING A STORY INTELLIGENCE RESOLUTION: CONCLUSION AND
CONTEXT FOR A WITH THE AT THE CORE FOCUSED ON RECOMMENDATIONS
FULL PICTURE NARRATIVE CONTINUITY
MODEL

2
Security Reimagined, Part II: Building out an Adaptive Infrastructure
EXECUTIVE SUMMARY
Reimagining security takes more than a
breakthrough vision. It takes the right tools and
follow-through. This paper explains how to put
Adaptive Defense™ into practice, outlining the
capabilities needed to prevent, detect, analyze,
and resolve today’s threats.
PREVENT
In an adaptive architecture, prevention comes in
two forms: preventing many attacks outright, and
preventing the worst outcomes of attacks that slip
through. Tightly integrated defenses instantly block
malicious callbacks. At the same time, endpoint
defenses can locate compromised systems and
quarantine them.
DETECT
With an adaptive strategy, security teams detect
threats in minutes—not months. This requires tools
that go beyond signature-based technologies
such as anti-virus (AV) software and even next-
generation firewalls. These tools must cover
multiple threat vectors such as web and email. And
they must see the entire lifecycle of an attack.
3
WHITEPAPER
ANALYZE
For analysis, adaptive architectures must provide
full context to give security teams the full picture.
This means providing a narrative of the attack, not
reams of data. To fill the gaps of security
information and event management (SIEM)
products, adaptive architectures incorporate
enterprise forensics systems and endpoint tools.
RESOLVE
Resolving threats still requires human insight and
action. But an adaptive posture can speed the
process with tools that collect, curate, and correlate
date in real time.
Though adaptive approach may require new tools,
it isn’t about spending more. It’s about getting the
best return on your security investment by
directing spending where it makes the most sense.
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

Henry Ford stands next to a Model T car.

A VISION IS

JUST THE
BEGINNING
The first part of this series detailed three pivotal
advances that hinged on someone reimagining a
domain: Arthur Cumming’s curveball pitch, George
Westinghouse’s push to deliver electricity via
alternating current, and Henry Ford’s assembly line.

4
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

A HISTORY OF REIMAGINING:
THE REST OF THE STORY
In each of these cases, a breakthrough
vision was only a starting point.
Reimagining the status quo also
required having the necessary tools
and following through on the idea.
Arthur Cummings needed a catcher
who could work with the curveball
and prevent it from rolling into the
backstop.1 He found that in Nat Hicks,
one of only a few players at the time to
crouch directly behind the batter during
a pitch.2 Hicks’ position, along with a
willingness to indulge “Cummings’ crazy
curve,” enabled Cummings to wield his
new throw—and made the pair a force on
the baseball diamond.3 As baseball
historian Pete Morris puts it: “…the most
lethal pitch had no value without a
skilled catcher.”4
George Westinghouse knew that
alternating current would slash the costs
of delivering electricity. But the
changeover from the prevailing direct
current standard depended on key
innovations from others. Nikola Tesla’s
dual-phase induction motor and
transformer designs,5 Ottó Bláthy’s
improved transformer and electric
meter,6 and William Stanley’s parallel
connected transformer7 were just a
few of the advances that enabled
Westinghouse’s vision.
And when Henry Ford wanted to build
the Model T faster and less expensively,
someone had already invented the
conveyer belt (widely used in grain
warehouses) and assembly lines
(common in Chicago slaughterhouses).8
And industrial efficiency pioneer
Frederick Taylor’s scientific management
theory9 was taking root when Ford
transformed the complex, specialized
work of making cars into a series of
discrete steps that required far
less craftsmanship.10
Like these historical examples,
reimagining security also requires
the right tools and follow-through.
Part I of this series outlined what
FireEye calls Adaptive Defense. This
approach integrates tools end to end.
It enables big-picture vigilance. It
adopts a lean-forward posture with
intelligence. And it responds nimbly
with a responsive architecture.
This installment examines how to put
this strategy into practice. It describes
the tools and expertise organizations
need to adopt an adaptive posture.
And it prescribes a framework that
will enable them to continuously
prevent, detect, analyze, and resolve
todays’ threats.

1
Peter Morris. “Catcher: The Evolution of an American Folk Hero.” 2009.
Ibid.
2, 3, 4

5
John W. Klooster. “Icons of Invention: The Makers of the Modern World from Gutenberg to Gates.” 2009.
6
Quentin R. . “George Westinghouse: Gentle Genius.” 2007.
7
IEEE Global History Network. “Milestones: Alternating Current Electrification, 1886.” October 2004.
8
Ford Motor Company archives. “The Reminiscences of Mr. W. C. Klann.” Recorded September 1955; transcribed November 2011.
9
Frederick Taylor. “The Principles of Scientific Management.” 1911.
10
The History Channel website. “Ford’s assembly line starts rolling.” Accessed September 2014.

5
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

T PR
EC E
T

VE
DE

NT
E
RE

YZ
SO

AL
LV

AN
E

6
Security Reimagined, Part II: Building out an Adaptive Infrastructure
DETECTION:
MINUTES, NOT MONTHS
I
n breaches that Mandiant, a FireEye company,
helped resolve in 2013, attackers had free rein
inside a victim’s networks for 229 days before
being discovered.11 With an adaptive strategy,
security teams can detect threats in minutes—
not months.
You must detect attacks early to avert their worst
effects. By the time most organizations detect a
breach, the damage is done.
DETECTION DOES NOT LIVE ON
SIGNATURES ALONE
Much of the problem stems from conventional
signature-based defenses. Anti-detection
techniques, such as code-morphing and binary
packing, can generate a barrage of unique binary
samples from the same malware family. Each has a
unique binary signature. And many targeted
attackers tailor code for each of their victims.
Anti-virus software vendors can’t keep up with
new binaries. In many cases, they don’t even get
the chance to even create a signature. Out of
124,289 unique malware variants that slipped
past conventional “defense-in-depth” security
deployments in a recent FireEye study, 75 percent
appeared only once.12
11
Mandiant, a FireEye Company. “M-Trends: Beyond the Breach.” April 2014.
12
FireEye and Mandiant, a FireEye Company. “Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model.” May 2014.
7
WHITEPAPER
Like signatures, reputation-based defenses such
as URL blacklisting detect only known, confirmed
threats. Relying solely on this approach is like
preventing the FBI’s most wanted criminals from
entering your house—but leaving the doors open
to everyone else.
Instead of signature- or reputation-based
detection, an adaptive security architecture
analyzes suspicious files, web objects and traffic in
real time to detect new, unknown threats.
Dynamic analysis technology observes malware
and exploit behavior using virtual machines (VMs).
These walled-off, simulated environments allow
files to execute without doing any real damage.
By watching the files in VMs, automated analysis
can flag telltale behavior, such as changes to the
operating system or calls to the attacker’s
command-and-control (CnC) servers.
Just as today’s advanced attacks unfold across
multiple threat vectors and multiple connection
flows, dynamic analysis tools must analyze
suspicious code in context of other system and
network activity. Most VM-based analysis tools,
more commonly known as sandboxes, analyze files
and objects in isolation. They never see the full
picture. The most effective solutions at this layer
analyze exploits, malware, and associated behaviors
as a series of flows. And they can group those flows
into more complete pictures of attack activity.
Security Reimagined, Part II: Building out an Adaptive Infrastructure
Signature-based defenses still have a place in an
adaptive strategy. For instance, AV software and
intrusion prevention systems (IPS) can instantly
block known commodity malware so adaptive
methods can focus on unknown, targeted attacks
that present a higher risk.
Even so-called “signature-less” detection
technologies (such as VM-based analysis) spawn and
circulate signatures for newly discovered threats to
quickly inoculate the whole enterprise. When shared
within a broader defense community, these new
signatures can also help shield other networks.
Firewalls, albeit smarter versions of them, remain a
key component of adaptive security architecture.
Applying an adaptive strategy doesn’t mean ripping
up and replacing current security investments.
Instead, it blends these legacy tools with dynamic
analysis for fast, efficient detection.
Applying intelligence with
indicators of compromise
Indicators of compromise (IOCs), those digital
breadcrumbs so essential to incident response and
forensics efforts, are also vital to detection.
In the simplest terms, IOCs are forensic artifacts
of a breach, evidence created in the wake of an
intrusion. This evidence can be anything from a
new registry key to the name of a mutex inside a
malicious process running on an infected machine.13
Security teams use IOCs to describe, catalog, and
share threat data. Think of it as a criminal mug
book that depicts traits such as the malware used,
attackers’ methods, and other telltale signs. IOCs
gathered from previous attacks help security
teams know what to look for when detecting
future attacks.
In an adaptive architecture, security teams
can define IOC rules that meet all of the
following conditions:
13
Will Gragido (RSA). “Understanding Indicators of Compromise (IOC), Part I.” October 2012.
14
Jerry Shenk (SANS Institute). “Sorting Through the Noise.” May 2012.
8
WHITEPAPER
• It is actionable. IOCs lead to the threat, or at
least to the trail of the threat.
• It is contextual. IOCs reveal detail that
describes the severity, risk, and sometimes, the
confidence of the threat.
• It is applicable. IOCs are useless if they don’t
work with your detection tools.
To get the full benefit from IOCs, adaptive security
infrastructures define them in industry-standard
formats. Having standards allows security teams
to share, incorporate, and combine threat
intelligence from internal, third-party, shared, and
open-source sources.
While some emerging IOC formats cover the gamut,
many are not well defined and require specialized
tools and expertise. Consider one that does not
rely on any specific technology or setup. IOCs
should also easily convert into other IOC formats.
Seeing the forest, not just the trees
In a recent survey by the SANS Institute,
correlating information from multiple sources
ranked as the second-biggest challenge of
security professionals, just behind telling the
difference between key events from normal
background behavior.14
That correlation is possible only when the security
architecture is tightly integrated for an end-to-end
view. Point products see only part of the picture, so
security teams usually get a disjointed account of
the attack. By implementing an adaptive strategy,
they get the whole story. It’s the difference
between a photograph and a Picasso painting.
Think of how a preschooler might view F. Scott
Fitzgerald’s The Great Gatsby. The child might
understand most of the individual letters but none of
the words. Fast-forward a few years, a first grader
might know some words but miss the flow of the
sentences and their meaning. A fifth grader will likely
understand many sentences and perhaps even full
paragraphs. But that child will likely miss much of the
Security Reimagined, Part II: Building out an Adaptive Infrastructure
subtext, innuendo, and poetry of Fitzgerald’s prose.
Finally, a high-school freshman might understand
all of these—and still not have enough life
experience to appreciate the deeper themes of the
classic work.
In the same way, your security architecture must
be mature enough to not only detect individual
events, but to piece them together in a
meaningful way. Just as a great novel requires
more than knowing your ABCs, an adaptive
security architecture hinges on a deeper grasp
of how attacks play out. This insight usually
draws on outside experience in the form of
threat intelligence.
Having a cohesive view of an attack allows for
meaningful, correlated alerts. Today’s security
teams are overwhelmed with an ever-growing
flood of alerts from their point products. They
waste time chasing down false alarms and lose
important alerts in the noise.15
[ HUNTING AND GATHERING
Detecting threats can take the form of “hunting” and
[ • Show all Windows processes across the
“gathering.” In conventional security, gathering—
collecting alerts generated from IOCs rules—is the
most common approach.
For example, security teams might want gathering-
style alerts for the following situations:
• Five failed logins occur on a privileged account
• Someone runs the at.exe command on a
Windows system
With an adaptive strategy, you’ll also be hunting—
actively looking for hidden threats based on fresh
intelligence—with powerful, data-driven IOC rules that
security teams can easily fine-tune. These IOCs use
the latest specific intelligence, so you’ll get high-
fidelity alerts with few false positives.
In hunting mode, security teams would likely want
more free-form queries such as:
15
FireEye. “The SIEM Who Cried Wolf: Focusing Your Cybersecurity Efforts on the Alerts that Matter.” August 2014.
9
WHITEPAPER
Let’s face it: most alerts generated by conventional
security tools are glorified event logs. What
organizations really want is answers to the
questions that matter. They need information they
can do something about.
Because adaptive, integrated defenses have an
end-to-end view of the attack, they can correlate
activity among different tools to consolidate
related alerts and prioritize the most urgent.
Although security teams get fewer alerts, they
can be confident that those alerts are worth
following up.
Adaptive approaches provide crucial context to
ascertain what happened, when it happened, and
where it happened (in other words, what systems
are affected).
enterprise executed in the past year. Then show
the top unique five percent to investigate.
• Query all endpoints looking for the methodology
or behavior indicators of compromises or the top
targeted threats attacking the enterprise’s
industry.
• Find unusual VPN activity and show trends by
geography, user, and time.
• Analyze questionable Windows processes such
as AT, PSEXEC and NET.
Hunting requires a higher level of expertise. Like a
skilled detective, the hunter sifts through reams of
information to find that all-important clue, the tiniest
detail that seems odd or out of place. Depending on a
your budget and in-house resources, this expertise
can be nurtured internally or delivered by an outside
service provider.
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

T PR
EC E
T

VE
DE

NT
E
RE

YZ
SO

AL
LV

AN
E

10
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

PREVENTION:
BLOCK WHAT YOU CAN,
STOP WHAT YOU CAN’T

C
onventional security lets too many
attacks go undetected and
unchallenged for far too long.
In an adaptive architecture, prevention
comes in two forms: preventing many
attacks outright, and preventing the worst
outcomes of attacks that slip through.
Today’s best tools can stop many threats
automatically. Legacy signature-based tools
block known commodity threats. And
dynamic analysis can catch many attacks
that signature-based tools miss.
Tightly integrated defenses instantly block
malicious callbacks to attackers’ CnC
servers. At the same time, endpoint defenses
can locate compromised systems and
quarantine them.
With an adaptive strategy, all of this occurs
without badly disrupting operations. Used
effectively, dynamic analysis tools do not
weigh down the network or hinder users.
And by pinpointing affected systems,
security teams do not have to take major
systems offline to remediate.

For attacks that slip through your perimeter

defenses, the name of the game is
preventing lasting harm. An adaptive
approach enables security teams to quickly
contain attacks by reducing of those two
important metrics: time to detection and
time to resolution.

11
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

T PR
EC E
T

VE
DE

NT
E
RE

YZ
SO

AL
LV

AN
E

12
Security Reimagined, Part II: Building out an Adaptive Infrastructure
A
nalysis is one of the most important
aspects of security—the very basis for
detection, prevention, and resolution
efforts. It is also one of the most difficult to get right.
Adaptive strategies automate much of the
analysis process to detect and resolve incidents
faster. Dynamic analysis tools find threats by
analyzing the behavior of suspicious files, for
example. And endpoint defenses inspect OS
changes for signs of a breach.
Forensics and related activities still require
human judgment. But automation can improve
the process by making it faster and more
accessible. Forensics shouldn’t have to be a
manual, specialized chore.
ASKING THE RIGHT QUESTIONS,
GETTING USEFUL ANSWERS
In the midst of a breach, security teams want
answers, not data. The difference might seem
pedantic—information, after all, is essential to
finding answers. But reams of data are a poor
substitute for knowledge.
ANALYSIS:
FULL-CONTEXT FOR A FULL PICTURE
13
WHITEPAPER
A series of funny television ads that ran a few
years ago for an Internet search site illustrates the
point. In the commercials, someone asks a basic
question, such as “Did you pick up a cell phone?”
Instead of answering the question, others nearby
begin reciting random facts about cellular
membranes, telephone poles, and so on. Those
facts may be accurate, even helpful in another
context. But they didn’t help our hapless
protagonist. Many of today’s security tools take a
similar “everything and the kitchen sink” approach.
An adaptive strategy not only gives you answers,
but helps you ask the right questions. By giving
security teams information they need when
threats are detected, an adaptive security strategy
gives you a running start as you analyze the
breach so you can prevent further damage and
resolve the attack.
By asking and answering the right questions, an
adaptive approach can reduce expertise needed to
deploy, maintain, and operate your security tools.
And more important, an adaptive approach make
these tools more powerful.
Security Reimagined, Part II: Building out an Adaptive Infrastructure
TELLING A STORY:
THE NARRATIVE MODEL
All aspects of the adaptive approach—real-time
analysis, useful IOCs, context about attacks, and
the right answers to the right questions—become
even more potent as part of a connected narrative.
By fitting all the pieces together, an adaptive
strategy helps security teams respond to and
resolve incidents faster. It also provides operating
metrics that are critical to gauging the depth of
the security architecture.
Enterprise forensics
Enterprise forensics solutions (EFS) are a big part
of this narrative. By fusing network and endpoint
telemetry into a single interface—or single “pane
of glass”—an EFS gives incident responders
complete, reliable access to the data they need to
stop and resolve attacks.
With an adaptive strategy, incident responders
can pull in data from any tool using the same,
simple-to-use interface, query syntax, and
reporting format. With an easy, familiar way of
interacting with the security architecture, even
non-specialists can harness powerful capabilities.
An EFS should not be confused with SIEM or
log-management products. SIEMs collect and
correlate logs. EFS, in contrast, combines
forensic artifacts and events into a single
interface to find threats.
While they have their place in an adaptive
strategy, legacy SIEM platforms are not well
suited to EFS tasks. They are far too slow and
limited to process the torrent of data needed to
analyze events completely for continuous
monitoring and response.
16
Dave Shackleford (SANS Institute). “When Breaches Happen: Top Five Questions to Prepare For.” June 2012.
14
WHITEPAPER
SIEM products also lack high-quality threat
intelligence feeds. Some products do incorporate
open source threat intel. But this approach typically
results in a deluge of false positives and lacks key
attribution details that help identify the attacker.
And most SIEM offerings cannot update rules
quickly to detect new threats. Instead, security
engineers must manually research threats and
build any new alert rules themselves.
As the SANS Institute recently put it: “Reviewing
SIEM data is like reviewing a phone bill and seeing
who talked to whom at what time, but not having
the actual conversation.”16
As part of an adaptive approach, an EFS enables
security teams to easily see activity from the
perimeter, internal network streams, and endpoint
activity for an end-to-end narrative. Network
telemetry captures, monitors, and stores network
traffic throughout the network, not just ingress
and egress points. Attackers’ lateral movement,
largely invisible to legacy tools, comes into full
view. This movement can be reconstructed after
the fact to retrace every step of the breach.
Endpoint visibility
No narrative would be complete without a view
into endpoint. An adaptive strategy enables
security teams to quickly pinpoint, isolate, and fix
compromised endpoints.
For full endpoint visibility, your tools must do the
following:
• Retrieve data from specific endpoints.
Organizations can query any endpoint in
the network to find IOCs and fill out the
forensic narrative. Security teams can pose
complex questions such as “Show me all
endpoints that have the file “C:\help\help.exe”
matching the MD5 checksum of
“329e73bd3c7036b28c6ca041867afd2b.”
Such queries are difficult, if not impossible
in conventional architectures.
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

• Get live responses to queries. If security
teams find a compromised system, they can
expand the narrative by getting a live response
from the endpoint. This response can be a full
forensics snapshot of the endpoint including
files, memory space, registry, connection state,
and more. The incident responder can analyze
the live response remotely or transfer it to
their console.
• Have a full, bit-by-bit record of endpoint
activity. Just as an adaptive architecture
captures every data packet on the network for
a full picture of activity, adaptive endpoint
security technologies have evolved similar
functionality. With packet capture and
look-back recording, an endpoint can track,
store, and index changes to key markers such
as registries, settings, started and stopped
processes, and inbound and outbound
network connections. When requested in
targeted acquisition (“hunting”) mode, this
record is sent to the security team to help
responders pinpoint what endpoints the
attacker hit and gauge the impact.
• Contain and remediate anywhere. When
security tools detect a breach, teams must
quickly isolate and fix breached endpoints to
contain the damage. This process often takes
place remotely, when the endpoint is not wired
directly to the organization’s main network. If
an endpoint is located, say, inside of a coffee
shop, incident responders must still be able to
“reach into” the machine to analyze forensic
artifacts and contain the threat.
INTELLIGENCE AT THE CORE
Intelligence is the lifeblood of analysis, giving
security teams a wider-angle view of potential
threats inside and outside their network.
Tactical intelligence—both internal auto-
generated signatures and data shared among a
global defense community—enables security tools
to instantly block known threats. Contextual
intelligence helps guide analysis efforts, spotlighting
threat trends and tactics so security teams know
where to focus their efforts. And strategic
intelligence gives security leaders the tools for
macro-level analysis and long-term strategy.
Endpoint Forensics

An adaptive approach combines

intelligence gathered from remote
Mobile

Cloud

and local endpoints, network

forensics, and cloud-based
intel-sharing networks to form a
complete narrative.

Advanced Threat Protection

Networ s
k F o re n s i c
Signature/Rule Based Blocking

Threat Intelligence

15
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

T PR
EC E
T

VE
DE

NT
RE
SO

YZ
E

L
LV

A
AN
E

RESOLUTION:
FOCUSED ON CONTINUITY
16
Security Reimagined, Part II: Building out an Adaptive Infrastructure
F
or now, resolving threats still requires human
insight and action. But an adaptive posture
can speed the process to contain the threat,
fix any damage, and re-secure your network—all
without severely disrupting business.
Today, most resolution efforts fall into a matrix.
One axis indicates whether they’re static
(requiring security teams to take systems offline)
or dynamic (fixed while the system is still online
and running). The other axis indicates whether
they’re either disruptive (interrupting normal
operations) or non-disruptive.
This matrix leaves incident responders with
four choices:
DYNAMIC, NON-
DISRUPTIVE CHANGE.
This is ideal, keeping every system up
and running and business humming
along as normal. A typical example is
killing a malicious process and removing
files from an infected system while it’s
still running.
STATIC, NON-
DISRUPTIVE CHANGE.
With this choice, some systems are
taken offline, but operations continue
infected system offline and reimaging it
is one example.
17
WHITEPAPER
The goal of an adaptive strategy is dynamic,
non-disruptive resolution. With the wealth of
information curated for detection, prevention,
and analysis, security teams have information
from networks, content repositories, and
endpoints at their fingertips for a pinpoint
response. An adaptive approach can’t automate
the response itself. But it can automate the
requisite information gathering, help direct the
process to stop attacks sooner, and avoid the
most severe damage and disruption.
The benefit is reciprocal: information gathered
while resolving an issue can, in turn, bolster
detection, prevention, and analysis with newly
gleaned intelligence.
DYNAMIC,
DISRUPTIVE CHANGE.
With this choice, systems continue
running, but resolution may briefly
interrupt work. An example is requiring
an enterprise-wide password reset.
STATIC, DISRUPTIVE
CHANGE.
Most organizations avoid this choice if
they can. It amounts to taking the whole
organization offline and reimaging the
entire IT infrastructure. Entire systems
are down—irritating customers, grinding
business to a halt, and ravaging the
bottom line.
Security Reimagined, Part II: Building out an Adaptive Infrastructure
CONCLUSION AND
RECOMMENDATIONS
W
e’ve described a new model to
transform the way you prevent,
detect, analyze, and resolve new
threats. But like Cummings, Westinghouse, Ford,
and so many others knew, reimagining the status
quo is only a starting point. Now we’ll describe
what an adaptive approach looks like in practical
terms—and how to begin building one.
An adaptive approach incorporates several layers
of defense. Unlike most defense-in-depth
deployments today (which, as explained in Part I,
are really “defense in shallow”), an adaptive
posture uses multiple layers of defenses that
complement but don’t duplicate each other.
In other words, each layer should both slow an
attacker’s momentum, equip security teams to
more quickly contain and resolve attacks, or
ideally, both. Conventional defense-in-depth
deployments use similar signature-based
detection at every layer. An attacker that can get
past one layer of signature-based defense—
because no signature yet exists for the tools used
in that attack—has a good chance of getting past
all of them.
In an adaptive architecture, one layer of defense
might fail, but the others remain intact.
18
WHITEPAPER
BUILDING AN ADAPTIVE
APPROACH, LAYER BY LAYER
For a true multi-layered defense, FireEye
recommends the following:
• A signature layer. This tier handles
commodity malware and known patterns of
attack. This layer frees up your advanced
layers to focus on new and unknown threats.
• A layer with advanced threat detection
technology. This layer might use virtual-
machine analysis and heuristic techniques to
detect and sometimes automatically block
attacks that signature-based tools miss.
• A layer with network forensics and
advanced endpoint capabilities. Network
forensics products should provide a “single
pane of glass” to easily see activity from the
perimeter, internal network streams, and
endpoint activity. The idea isn’t to spawn
more useless data, but to get an end-to-end
narrative. Security teams should be able to
retrieve data from specific endpoints and get
a live response to queries. They should have a
full, bit-by-bit record of endpoint activity
when needed. And they should be able to
contain and fix problems wherever the
endpoint is.
• An intelligence layer that provides
information on specific attackers. This layer
should reveal attackers’ motives, what they’re
after, what tools they use, and how their
attacks unfold. Armed with those details,
security teams can more closely monitor
specific threat vectors. They can look for
telltale markers and bolster defenses around
the assets most at risk.
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

Threat Intel (Strategic, Tactical)

Analyze and Respond
Network Forensics and Endpoint Live Response
Narrative-Based Response
Advanced Threat Protection (Signature-Less)
Detect and Prevent
Signature Based Detection

The tightly integrated layers of an adaptive architecture

The more tightly integrated these tools are, the
more powerful they become. A solution that can
monitor email and web traffic together, for
instance, can see multi-vector attacks that
individual tools might miss. And a full picture of
endpoint activity helps security teams detect
threats faster, and quickly isolate and fix breached
systems to prevent lasting harm.
INVESTING WISELY FOR THE FUTURE
By definition, every budget has limits. A truly
adaptive strategy recognizes those spending
constraints and works within them. Though an
adaptive approach may require new tools, it isn’t
about spending more. It’s about getting the best
return on your security investment by directing
spending where it makes the most sense.
By reducing spending on ineffective or redundant
technology, organizations can free up money for
capabilities that make them more nimble and
effective.
To that end, FireEye recommends the following:
• Minimize investment in compliance-
oriented event management tools. For many
organizations, these are must-haves. But
complying with industry or government
guidelines isn’t the same thing as truly
securing your IT assets. Once you have met
the basic requirements, use what you’ve
saved to invest in capabilities that can apply
intelligence, analytics, or both to the security
events these tools generate.
• Trim anti-virus and other signature-based
technology spending to the bare minimum.
Consider free or low cost solutions from
Microsoft and others. Invest the savings in
advanced threat detection and response
capabilities on the endpoint.
• Reevaluate your managed security
services provider (MSSP) if you have one.
Spend less on ineffective or limited services.
Reinvest the savings in a strategic partner
that owns all aspects of the solution—
technology, expertise, and intelligence. Make
sure that provider is a recognized leader in
all three domains.
• Identify metrics to measure the efficacy of
your cyber security plan over time.
Response and resolution times are two key
measures. The effort your team expends to
prevent, detect, analyze, and resolve threats
is another. Map these benchmarks to your
investments in technology, intelligence, and
expertise. And gauge them over time to
assess your architecture. Are your tools
helping reimagine your security strategy—or
rehashing old approaches? Consider your
answer a good starting point.

19
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye,
Inc. All other brands, products, or service names are or may be trademarks or service
marks of their respective owners. WP.SRII.EN-US.092014