Scott Paly, co-founder and CEO for Global DataGuard (, says:

Industry analysts define an Advanced Persistent Threat (APT) as any attack that gets past a company’s existing defenses, goes undetected for long periods and continues to cause damage. These long-term patterns of targeted, sophisticated hacking often use spear-phishing, social engineering, and zero-day exploits on endpoint applications as a means gain initial access.

Once access has been achieved, an attacker can establish a back door, gather valid user credentials and move laterally across a network, installing more back doors and bogus utilities, and creating a ‘ghost infrastructure’ that allows for the distribution of malware which can remain hidden ‘in plain sight.’ To maintain access without discovery, a hacker continuously rewrites code and employs sophisticated evasion maneuvers. APTs can span weeks, months, and years because cybercriminals are intentionally spacing out reconnaissance activity to avoid detection.

For the majority of Advanced Persistent Threats, the intention is to steal data rather than cause damage to a network. Organizations in high-value information sectors such as national defense, manufacturing and financial are prime targets for this type of attack. Companies such as Google, Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical, Juniper Networks, RSA, and Oakridge Labs have all become victims of APTs this year.

The IT Security Challenge

Despite a substantial increase in IT security spending in 2011 – up 4.5 percent from 2010 – more than 800 data breaches have been investigated so far this year. More than 90 percent of recent data breaches took days, weeks, and months to discover. Another 5% took years to uncover. How is this possible?

In part, it’s because APTs are complex systems that mix specialized utilities and human behavior. Since systems engineers like to divide and conquer in order to work on complex systems at a more manageable level, hackers use evasion techniques that avoid common behaviors. Additionally, systems engineers like to study the behavior of the elements in order to understand the behavior of the system through reconstruction. This approach, however, is not valid when dealing with non-linear (or complex) systems, and the developers of APTs know this and use it to their advantage.

It’s also because most security products on the market today do not retain and correlate suspicious traffic for more than a few minutes, so they cannot detect reconnaissance activity leading up to an attack – before a breach occurs – nor do they have the historical context or depth of analysis to detect a breach after it occurs. Because nearly all network security technology is reactive in nature and comprised of disparate applications and appliances, it is virtually impossible to track the type of low-level network activity that occurs over long periods and may be an indicator of an Advanced Persistent Threat.

Emergent Behavior Technology Can Track Very Low-level Network Activity that May Indicate an APT

Although APTs are difficult to identify, the theft of data can never be completely invisible. So, how do IT managers proactively protect their networks against Advanced Persistent Threats? The most effective method is the use of emergent behavior technology within a behavioral-based unified security system to more accurately determine very small changes within complex network relationships that may be indicators of an APT.

Based on the science of systems theory, emergence is the way complex systems and patterns arise out of a multiplicity of relatively simple interactions. Therefore, emergent behavior is that which cannot be predicted through analysis at any level simpler than that of the system as a whole, rendering traditional anomaly detection methods impotent. In other words, emergent behavior is what’s left after everything else in a complex system has been explained.

Global DataGuard’s emergent behavior technology uses advanced pattern matching across distributed systems to examine the network as a whole and identify bit level changes that are unique to each network. In this way, Global DataGuard’s security system can view the entire network as a ‘flow of bits’ that can be used to find unusual or altered operation of lower-level systems that may indicate an APT. This advanced technology provides the capability of overcoming some of the limitations of signature and anomaly detection methods.”

Emergent behavior is a technology ‘next step’ for the security industry, and it provides significant performance enhancements to Global DataGuard’s network behavior analysis-based UES system, which can perform predictive analysis by retaining and correlating suspicious raw packet data for a rolling 14-30 days and signature alerts and behavioral profiles for six months or longer.

Global DataGuard’s unified approach to security enables true subsystem integration of core security applications – network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities – providing early warnings of security threats that other products may not detect.

Global DataGuard’s adaptive, predictive, architecture-based security system can also provide IT managers and their staff with easier deployment and management of their company’s network security ecosystem, as well as greater efficiency in labor and detection ability, while offering lower acquisition costs than discrete security solutions.