ENTERPRISE SECURITY BLUEPRINT
CONTROL LAYER
02 Control Layer
Figure 2-a: SDP Control Layer (figure showing the five control-layer components: Threat Prevention, Threat Intelligence, Security Policy, Access Control, Data Protection)
Threat Prevention
Threat prevention protections block attackers and deny both the exploitation of vulnerabilities and the delivery of malicious payloads. The threat prevention policy is simple: “All threats should be prevented.” This policy requires little customization by individual organizations; it is generic and should be applied across all of them.
Threat prevention protections can be divided into two groups: pre-infection and post-infection. Pre-infection protections provide proactive detection and prevention of threats that try to exploit vulnerabilities in internal applications and protocols, or that attempt to deny service to authorized applications. Post-infection protections provide agile defenses that detect, contain and disarm threats after they have successfully subverted one or more network entities. These protections curtail the spread of malware and block bot connections to command-and-control (C&C) servers.
In some cases, a single security finding provides only low confidence that a threat exists. The threat prevention component of the Control Layer correlates findings from multiple engines – signatures, reputation, behavior, malware emulation and human validation – to reach a higher level of confidence. In addition, the Control Layer can use external resources to generate meaningful security protection.
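As an added illustration of the multi-engine correlation described above (example code, not from the blueprint): findings from the five engines the page names are combined with a noisy-OR rule, so that several low-confidence findings together cross a prevention threshold that none of them reaches alone. The per-engine trust weights and the 0.8 threshold are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Engines named in the blueprint. The weights express how much we trust each
# engine's own confidence; they are assumed values, not figures from the page.
ENGINE_WEIGHTS = {
    "signature": 0.90,
    "reputation": 0.60,
    "behavior": 0.70,
    "emulation": 0.85,
    "human": 0.95,
}


@dataclass(frozen=True)
class Finding:
    engine: str          # key of ENGINE_WEIGHTS
    confidence: float    # the engine's own 0..1 confidence that the object is malicious


def combined_confidence(findings: Iterable[Finding]) -> float:
    """Noisy-OR correlation.

    Each finding is treated as an independent piece of evidence, discounted by
    the engine's trust weight:  P(threat) = 1 - prod(1 - w_i * c_i).
    A single weak finding stays weak; several weak findings reinforce each other.
    """
    p_benign = 1.0
    for f in findings:
        weight = ENGINE_WEIGHTS.get(f.engine)
        if weight is None:
            raise ValueError(f"unknown engine: {f.engine}")
        conf = min(max(f.confidence, 0.0), 1.0)   # clamp malformed input to 0..1
        p_benign *= 1.0 - weight * conf
    return 1.0 - p_benign


def verdict(findings: Iterable[Finding], threshold: float = 0.8) -> str:
    """Return 'prevent' when the correlated confidence reaches the threshold,
    otherwise 'monitor' (the object is watched but not blocked)."""
    return "prevent" if combined_confidence(list(findings)) >= threshold else "monitor"


if __name__ == "__main__":
    # Constructed sample: the same file seen by three engines, none decisive on its own.
    sample = [
        Finding("reputation", 0.5),   # alone: 0.30 -> monitor
        Finding("behavior", 0.6),     # with the above: ~0.59 -> still monitor
        Finding("emulation", 0.7),    # all three: ~0.84 -> prevent
    ]
    for n in range(1, len(sample) + 1):
        print(n, round(combined_confidence(sample[:n]), 3), verdict(sample[:n]))
```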
For threat prevention controls to be effective, they need to be fed by extensive and reliable threat intelligence. Organizations should expect a steady stream of threat intelligence to pour into their security environment without requiring manual intervention.