The very best security teams I have worked with engage in continuous network monitoring and analysis. They capture downloaded executables and detonate them in sandboxed environments to extract key indicators of attack and store those in a library that runs against network traffic to identify ongoing attacks.
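The workflow above, indicators extracted from a detonation run and replayed against traffic, as an added example in Python. This is not code from the post or from any of the vendors it names; the sandbox report structure, the log line format, the hashes, addresses and hostnames are all constructed for the example.

```python
"""Added example: build a small indicator library from a sandbox detonation
report and run it against network traffic records.

All sample data (the report, the hashes, the log lines and the log
format) is constructed for this example; it is not the output of any
particular sandbox or sensor."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed: what a sandbox run of one captured executable reported.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample"
SANDBOX_REPORT = {
    "sample_sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    "dns_queries": ["Update-Checker.example.net.", "cdn.example.org"],
    "contacted_ips": ["198.51.100.23"],
}


@dataclass
class IndicatorLibrary:
    """Indicators of attack extracted from detonation reports."""
    hashes: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    @classmethod
    def from_sandbox_report(cls, report):
        lib = cls()
        lib.add_report(report)
        return lib

    def add_report(self, report):
        # Normalise so lookups are case-insensitive and ignore a trailing dot.
        self.hashes.add(report["sample_sha256"].lower())
        for d in report.get("dns_queries", []):
            self.domains.add(d.lower().rstrip("."))
        self.ips.update(report.get("contacted_ips", []))

    def match_host(self, host):
        """Return the library domain that covers `host`, checking the host
        itself and then each parent domain (so a C2 that rotates
        subdomains is still caught), or None."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


# Constructed log format: ts src dst host method path [sha256-of-response-body]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<path>\S+)(?: (?P<sha256>[0-9a-fA-F]{64}))?$"
)

# Constructed traffic records; the last line is deliberately malformed.
TRAFFIC_LOG = f"""\
2014-05-20T10:01:02Z 10.0.0.5 198.51.100.23 update-checker.example.net GET /v2/check
2014-05-20T10:01:05Z 10.0.0.7 203.0.113.9 www.example.com GET /index.html
2014-05-20T10:02:11Z 10.0.0.5 203.0.113.44 beacon.update-checker.example.net POST /report
2014-05-20T10:03:40Z 10.0.0.9 203.0.113.80 mirror.example.com GET /setup.exe {hashlib.sha256(SAMPLE_BYTES).hexdigest()}
2014-05-20T10:03:41Z 10.0.0.9 203.0.113.80 mirror.example.com GET /readme.txt bad-line-that-does-not-parse
"""


def scan_traffic(lib, log_text):
    """Run every indicator type against every record and return one hit per
    (line, indicator type). Unparseable lines are reported rather than
    silently dropped: a parser gap is itself worth an alert."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            hits.append({"line": line_no, "type": "unparsed", "indicator": None})
            continue
        rec = m.groupdict()
        if rec["dst"] in lib.ips:
            hits.append({"line": line_no, "type": "ip", "indicator": rec["dst"]})
        dom = lib.match_host(rec["host"])
        if dom:
            hits.append({"line": line_no, "type": "domain", "indicator": dom})
        if rec["sha256"] and rec["sha256"].lower() in lib.hashes:
            hits.append({"line": line_no, "type": "hash", "indicator": rec["sha256"].lower()})
    return hits


def main():
    lib = IndicatorLibrary.from_sandbox_report(SANDBOX_REPORT)
    for h in scan_traffic(lib, TRAFFIC_LOG):
        print(h)


if __name__ == "__main__":
    main()
```

The parent-domain walk in `match_host` is the part worth copying: sandboxes usually record one concrete hostname, but the same infrastructure is often reached through rotating subdomains, so matching on the registered domain catches the beacon on line 3 that an exact-string lookup would miss. The malformed fifth line is surfaced as its own hit so that sensor or parser drift does not quietly blind the library.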
It is hard to come by the skill sets needed to do this level of threat defense. Only the largest organizations in aerospace and defense and some large banks are able to justify the level of investment required to maintain such a team. That means that vendors will strive to deliver products that accomplish much of the task. FireEye, Arbor Networks, Trend Micro, and McAfee have been introducing advanced threat detection solutions to productize the labor-intensive activities of a crack threat defense team.
Below the Fortune 500 there is high demand for managed security services that can leverage the knowledge and expertise of security analysts with a broad purview across many clients. Traditional Managed Security Service Providers (MSSPs) have not been responsive to new threats; their business models have been too focused on logging and alerting for compliance purposes.
There are innovators in managed services, such as eSentire, based in Ontario, which supplies its eyes-on-glass advanced threat defense service to many Wall Street firms.
Now Cisco, recognizing a significant gap in services provided by traditional MSSPs, has announced a managed threat defense service. It leverages Cisco Advanced Malware Protection (AMP), Sourcefire FirePOWER, and Cisco Cloud Web Security.
This is a remarkably fast evolution and clustering of capabilities from the recent acquisition of Sourcefire. Cisco is disrupting the advanced threat defense industry. It will challenge both the entrenched MSSP firms and the gateway appliance vendors.