2021-10-18T05:38:00Z
Satish Singh - PeerSpot reviewer
Cloud Security Architect at Kyndryl

What is your recommended cost-effective solution to detect and prevent APT attacks?

Hi community members,

I'm working as a Cloud Security Architect at a Tech Services Company with 10000+ employees.

I'm looking for a security solution to detect and prevent APT attacks. 

Can anyone suggest a good and cost-effective solution? Please explain why would you choose this particular tool or solution.

Thank you!

5 Answers
reviewer1331706 - PeerSpot reviewer
I&T Design & Execution Reliability Engineering Leader at a financial services firm with 10,001+ employees
Real User
Top 5 Leaderboard
2021-10-26T11:00:50Z
Oct 26, 2021

APT attacks are tough. And as already mentioned, there is no single solution for it. To me, there are two areas that are important to consider protecting.

1) Attacks from outside to inside: An APT attack that is launched and maybe focused on something like a DDoS attack to just deny your service. For this type of attack, you have DDoS solutions, like intrusion detection systems, etc. These systems focus on patterns that signify unexpected behavior or traffic. To avoid them, firewalls, etc. can block IP addresses, and/or you can try to change your public IP address and deflect attacks to different websites.

2) Attacks from inside: These are attacks where malware has been installed on computers, servers, etc. within your organization, and essentially opens a bridge to the outside. These are more difficult to protect against and to find, since malware can lie dormant for some time before it becomes active. Most relevant to prevent these attacks are malware/virus scanners on systems and on incoming and outgoing emails. Since a lot of this malware uses default protocols like HTTP and HTTPS, it is hard to detect among the other normal HTTP traffic. Protecting your laptops, phones, and servers inside also requires educating your users on what to do and what not to do.

Cost-effective solutions:

- I am sure there are cheap intrusion detection, firewall, etc. products out there that you can use. And if kept up to date, they might protect you for at least 80%. The same goes for internal virus scanners and malware scanners. Again, some open-source tools are quite useful.

However, in the case of an APT, you have to realize that this will normally be a targeted attack which is planned, where a hacker or group has analyzed your security for some time and probably has found a way to attack. As such, open-source tools will normally not help you enough to be able to mitigate or resolve such an attack when it occurs. This will require adaptive tools to recognize the attack and run countermeasures. In this case, more advanced/commercial software/systems will be necessary.

You will also need to consider that, besides the tool or software, you will need the resources and knowledge to be able to operate these tools/software. And then there is the maintenance and keeping the systems up to date, which is another requirement to stay ahead of an APT.

So being cost-effective depends on the budget, knowledge, and amount of threat.

The higher the threat, the higher the investment to be protected.

If budget and knowledge are constrained or sparse, I would recommend looking at hosting your public services/websites with a cloud provider that has the necessary security already set up.

For protecting your office environment, I would recommend checking specialized service companies like Akamai, to have them analyze and advise you on a cost-effective solution to protect you. These types of companies are security-focused and keep their security systems up to date, and you as a customer informed. To me, if you are a small-sized company, these are the 2 most effective solutions.

If you are small enough and the threat and risk are not that high, then I would recommend building the expertise and starting with open-source, default protection tools. E.g. for home I have a standard open-source IDS deployed, which protects my home fairly well. But then my home has a low threat for an APT type of attack.

I hope this helps you.

Eric Rise - PeerSpot reviewer
Network & Security Engineer at a healthcare company with 51-200 employees
Real User
Top 5
2021-10-25T15:35:58Z
Oct 25, 2021

@Satish Singh,

Thank you for your question; it's one that requires deeper thought and understanding of the impacted environment.

Several things you can do: have an up-to-date IRP (Incident Response Plan). This plan includes all layers of your organization from top to bottom. It is a living document subject to review and change as needed, and everyone involved has a part to play and needs to understand what their part is should an incident happen.

Use products like dnstwist to review third-party-run domains that are close to your own domain name. Work with the ISPs/DNS authorities to remove bunk domains known to attack yours.

Make sure to have a proper email security application or gateway in place. I prefer products like Avanan or Proofpoint.

User education is key here. Make sure your user base understands what phishing emails are and how to handle/report them.

If you need help on the security side of things, partner with an MSP and have access to a NOC or SOC 24/7 that can monitor for threats and respond on your behalf if needed.

Make sure to adopt a least-privilege model for user access to PCs, servers, etc. Give users access only to what they need to perform their work.

Split up your networks if possible. Avoid using a flat network where you're unable to lock down a network should malware get inside your network.

Use a strong EDR solution like SentinelOne.
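The lookalike-domain review mentioned in this answer, as an added example (not code from the answerer or from the dnstwist project): it generates common typo, homoglyph, hyphenation and TLD permutations of your own domain and reports which ones currently resolve, which is the defender-side signal that a third party has registered a domain mimicking yours. The homoglyph table and the "registered" answer set in the demo are constructed and deliberately small; the resolver is injectable so the check runs offline.

```python
import socket

# Constructed, deliberately short table of characters that look alike in an
# address bar or mail client (real tooling such as dnstwist uses a larger set).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
ALT_TLDS = ("com", "co", "net", "org")


def lookalike_domains(domain):
    """Return the set of typo/homoglyph/TLD permutations of `domain`."""
    name, _, tld = domain.rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])           # omission:      exmple
        names.add(name[:i] + name[i] + name[i:])     # repetition:    exaample
        for sub in HOMOGLYPHS.get(name[i], []):      # homoglyph:     examp1e
            names.add(name[:i] + sub + name[i + 1:])
        if i > 0:
            names.add(name[:i] + "-" + name[i:])     # hyphenation:   ex-ample
        if i < len(name) - 1:                        # transposition: exmaple
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    names.discard(name)                              # never report ourselves
    out = {f"{n}.{tld}" for n in names if n}
    out |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}  # TLD swap: example.co
    return out


def _dns_resolves(host):
    """Live check: does the candidate currently have an A record? (needs network)"""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def registered_lookalikes(domain, resolves=_dns_resolves):
    """Sorted permutations that resolve. `resolves` is injectable so the check
    can run against a captured or constructed answer set instead of live DNS."""
    return sorted(d for d in lookalike_domains(domain) if resolves(d))


if __name__ == "__main__":
    # Constructed demo: pretend only these two lookalikes are registered.
    fake_dns = {"examp1e.com", "exmaple.com"}.__contains__
    print(registered_lookalikes("example.com", fake_dns))
```

Run it with the default resolver against your real domain to get the live list; anything that resolves is a candidate for the takedown request with the registrar or ISP described above.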

BobenGeorge - PeerSpot reviewer
Sr.Customer Engineer- Projects at a tech services company with 201-500 employees
Real User
Top 5 Leaderboard
2021-10-25T13:47:29Z
Oct 25, 2021

When you are considering cost-effectiveness:

Hardening perimeter defenses such as firewalls and antivirus is a pivot point of preventing APT malware from being installed on your computer systems.

Not sharing account details, recognizing phishing attempts at the first stage, safe web browsing at work.

In my view, no clear-cut solution is effective... it's a mixture of solutions/tools you may use when you are tackling the aftermath... There are solutions like Trend Micro XDR which can trace back but are not so cost-effective.

APT attacks use cutting-edge technology and hacking methods to sneak into a company's system, so the best thing is prevention...

Sergiy Ustenko - PeerSpot reviewer
Marketing Manager at Idealsoft
Real User
Top 5
2021-10-26T10:26:12Z
Oct 26, 2021

Hi, from my side, I have checked the Deceptive Bytes solution. My preliminary opinion is that the solution can prevent APT with high efficiency.

Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Real User
Expert Moderator
2021-10-25T03:49:16Z
Oct 25, 2021

Hi @Satish Singh,

No single solution will 100% protect the environment.

You need multiple layers of security working together, all the time, in addition to constant network monitoring.

With that said, there are multiple ways to protect against advanced persistent threats.

Install a Firewall

Choosing a firewall is an essential first layer of defense against APT attacks.

Software firewalls, hardware firewalls, and cloud firewalls are the 3 most common types of firewalls used, any of which will help you prevent advanced persistent threats.

Enable a Web Application Firewall

A web application firewall is a useful tool for defeating APT attacks because it can detect and prevent attacks coming from web applications by inspecting HTTP traffic.

Install an Antivirus

Up-to-date antivirus programs can detect and prevent a wide range of malware, trojans, and viruses, which APT hackers will use to exploit your system.

Make sure that your antivirus can access real-time data and detect the newest threats, instead of only being able to recognize well-known malware.

Implement Intrusion Prevention Systems

Intrusion prevention systems (IPS) are an essential IT security service that monitors your network for any strange behavior or malicious code and alerts you if any is found.

This is a powerful tool for recognizing network compromises before they can be exploited.

Create a Sandboxing Environment

A sandbox is a secure, virtual environment that allows you to open and run untrusted programs or code without risking harm to your operating system.

If a file is found to be infected, you isolate it, remove it, and prevent future infections.

Install a VPN

Remote access risks, such as an insecure WiFi hotspot, present an easy opportunity for APT hackers to gain initial access to your company's network.

A virtual private network (VPN) provides an encrypted "tunnel" that you and your employees can use to access your network without cybercriminals snooping on your activity or gathering your data.

Enable Email Protection

Email is one of the most-used and most-effective forms of infiltration.

Advanced persistent threat protection relies on good software as much as it does on good end-user behavior.

Enable spam and malware protection for your email applications, and educate your employees on how to identify potentially malicious emails.
