Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Security Architecture: The Inherent Value of Transparency and Diagnostics

Bringing Security Architecture Out of the Darkness and Into the Light

Bringing Security Architecture Out of the Darkness and Into the Light

The huge challenge presented by today’s attack campaigns – multi-stage attacks, with thousands of constantly evolving attack vectors – have led organizations to buy hundreds of security products in order to defend their networks.  As exciting new technologies arise – advanced network and end point, antimalware, network and entity behavioral analysis systems, anti-fraud, deception technologies, EDR systems, threat intelligence feeds, and many more – organizations have been piling on the products.  Suppliers and service providers dangle the fear of repercussions of not having a specific product or service, and becoming vulnerable to this or that attack. The buying spree goes on, and the costs to the organization rise, but the effectiveness of the platform as a whole is often unclear and incomplete, at best. 

At the end of the day, CISOs are finding it very challenging to be able to assess the performance of the security products in their organization’s arsenal.  Which product was successful in identifying, or mitigating, which attack?  Which product failed to do what it was supposed to and left the organization vulnerable?  Which products were perhaps effective 6 months or a year ago, but have not evolved to be able to address current attacks? Which product was activated in which scenario, and was it the right choice? And maybe the most important question, are the different products able to work together effectively?  

Many CISOs deal with the daily frustrations of not having the answers to these questions. Because their security platform is made up of hundreds of siloed products from dozens (or more) different vendors, it isn’t surprising that chaos ensues.  A CISO may often feel like an army general who commands a battlefield in the dark, trying to catch quick glimpses to see if his troops are heading in the right direction, if the equipment is battle-ready.  This “groping in the dark” is a handicap organizations can ill-afford in today’s tough battle against ever more sophisticated attack campaigns.

Before an organization can consider plans for advanced automation, orchestration and mitigation or remediation, it needs to first understand what it actually holds in its hand.

Shining a light onto the security apparatus is the first step – providing transparency and answers to some very basic questions, including:

• How efficiently are the products in my security architecture doing the job they were bought to do, per the security risk?

• How accurate is each product or service?  

Advertisement. Scroll to continue reading.

• Are the products really meeting my business security compliance requirements (e.g., HIPPA, PCI DSS, etc.)?

• Can I break down my security apparatus and “see” each product’s contribution, and criticality, for the organization in terms of the cyber-kill-chain stages?  

• What would have happened if I had disabled a product?

Once we have the answers to these questions, we are much better equipped to plan the most efficient and effective security posture for the organization.  The positive impact on ROI cannot be overstated.  It is likely that every medium-large organization is paying for dozens of products and services that are redundant, outdated, or underperforming. Transparency and diagnostics can give clear answers, enabling the organization to streamline, prioritize and cut out the unnecessary fat.

An effective diagnostics tool will enable organizations to not only assess the effectiveness of their products after the fact, but to engage in “war room” scenarios in preparation for new attacks. Such a diagnostic system would provide an inference engine that would let you mix & match tools to replay historical attacks (and see how to have better confronted these), or map theoretical future attacks, trying out different defense scenarios and testing the potential effectivity of each.

Here are some feasible approaches that can bring high quality diagnostic results: 

Security Analytics Systems – There are various security analytics solutions today that claim to be able to collect all security events from security tools and “connect the dots” in order to find out if a real attack campaign is on its way – separating noise from real effecting security events.   If these systems could also provide us a break-down of “true” events vs. the noise per each security vendor, this would provide CISOs with the required visibility into tools’ effectiveness. 

Kill-chain Effectiveness – It is an industry fact that some tools are better in certain types of attack vectors and are dysfunctional in others, and this can actually change over time.  Associating the security events each tool generates with the various kill-chain stages can help CISOs understand where each tool can contribute to the organization, then identify gaps and prioritize the tools accordingly.  

Mix-and-match Simulation – One of the “dreams” of any CISO is to be able to simulate ‘what-if’ scenarios that would test various combinations of security tools and vendors, working together in order to detect, investigate and mitigate types of advanced attack campaigns, and be provided with a “quality score”, an index that compares the different tools.  We are not there yet, but the emerging field of security orchestration technologies seem to be on the right track to finally achieving this .  

Transparency, diagnostics, and ongoing evaluation are basic tenants of so many of an organization’s activities today. Analytics lets us know exactly the performance of our online presence – who visited, where from and for how long.  PPC advertising lets us pay for only those leads that reached our doorstep. CRM systems give us full visibility into our sales process, in real-time at any moment. But in the realm of security,
we are still in the dark, paying for dozens of products and services we no longer need, without the ability to measure performance and prioritize.  It’s time we shine a light into our security systems, and bring the knowledge, and the control, back to organizations.  Achieving this goal will mean a streamlined, more effective security apparatus, with vastly improved security ROI. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...