Advanced Persistent Threats and Ponemon

Last week the Ponemon Institute announced the results of a survey they did, funded by Netwitness, entitled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States.

I agree with the concerns expressed by Richard Bejtlich in his blog post, Ponemon Institute Misses the Mark, regarding the use of the terms “advanced threat” and “Advanced Persistent Threat” (APT). In reality the Ponemon research used the term “advanced threat” to cover almost anything, including APT. I agree with Richard that Ponemon seems to be creating confusion rather than clarity.

I certainly have no argument with the value of a full packet capture product in the investigation of APTs. Full disclosure: Cymbel is a partner of Solera Networks, which makes a competing full packet capture product. However, I am sensitive to marketing FUD, to which our industry is unfortunately prone. I wrote about the meaning of Advanced Persistent Threats in my personal blog last February. The APT problem is bad enough without conflating it with other serious security threats. Here is the final paragraph of that post:

In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second, the focus is on stealing intellectual property rather than money to advance the adversary’s strategic technical, economic, political, and military goals.

About Cymbel

Specialists in information security. Helping organizations secure their networks and mitigate the risks of modern threats.


  1. Eddie Schwartz says

    Not sure why you feel the need to join the APT Terminology Police, given what your company does. I think we can forgive the Ponemon Institute for making the terminology faux pas with APT or not. Actually, there are many security people who do not have it exactly right, and at the end of the day, who really cares? It’s about improving awareness into what’s hurting organizations today, and combating advanced threats. Rather than get hung up on terminology, let’s get security experts to increase their awareness and look more closely at their networks for the kind of threats that people obviously aren’t seeing on their networks. Surely your named partner has clearly marketed to this factor as well…or do I need to quote you from the FUD and other “studies” on their Website? The Ponemon study is not FUD, but can serve as a good awareness tool for helping management understand what peer companies are thinking and experiencing. Rather than criticize it because of some pet peeve of Richard’s and other pundits, use it as it is meant to be used, as one data point in building a business case for better network security.

  2. I am “hung up” on terminology because the ends do not justify the means. I am not going to risk my credibility by misusing a term which has a specific meaning. And when I find others doing it, I feel it weakens our industry. The executives who write the checks are skeptical enough as it is. This brings to mind one of my favorite quotes, “The biggest problem with communication is the illusion that it has taken place.”

    Finally, it would be a lot easier to simply admit the mistake, apologize for it, and move on.
