Security teams need an architecture where disparate systems and sources that talk in different languages and use different formats can communicate
In the cybersecurity industry, the more things change, the more they stay the same. We pride ourselves on innovation, yet this adage is a fitting description of our current cycle, in which new tools, solutions and approaches come to market each carrying a new acronym.
We have an alphabet soup of terms like SIEM, SOAR, TIP, TDIR and XDR that creates confusion rather than a path to solving broad security problems.
We keep searching for that silver bullet, but there really is no silver bullet in security. Maybe that is because we keep looking at the challenge of security through the lens of a single tool or solution rather than the broader picture of getting the pieces to work together in a single architecture.
The bad guys look at the entire playing field. Defenders need to as well.
There are some encouraging signs that this cycle may be ending. We are starting to hear more about architectures, including some new debates on whether an approach should be considered a solution or viewed as an architecture. One recent example is the cybersecurity mesh architecture (CSMA) by Gartner. Gartner states that CSMA provides the foundation for people and machines to connect securely from multiple locations across hybrid and multicloud environments, channels, and diverse generations of applications, protecting all the organization’s digital assets. Sounds like exactly what is needed in today’s increasingly cloud-based world. But what is it going to take to correlate the identities of people with something that happened in the SIEM or on the network or to correlate machine identity with email or another cloud application?
What is needed is an architecture where disparate systems and sources that talk in different languages and use different formats can communicate. Sounds similar to other recent concepts, especially the evolution of Extended Detection and Response (XDR) and, before that, to Security Orchestration Automation and Response (SOAR).
The promise of XDR is to enable detection and response across the enterprise, which requires ALL tools and ALL teams working in concert. Chasing the newest acronym, vendors were quick to jump on the bandwagon and recast their tools as XDR solutions. But whether a vendor proposes a closed ecosystem or an approach where they start with a core capability and build from there, the universal truth is that organizations have tools from multiple providers, and the appetite to rip and replace is low in the near term. Not to mention the fact that new vendors and solutions will continue to emerge, given the ongoing innovation required to keep up with new use cases, threats and threat vectors. This has led to a debate on whether XDR is a solution or really an architectural approach, whereby open interoperability between existing security technologies and new capabilities enables detection and response across the enterprise.
Prior to XDR, when the SOAR product category emerged, we had a similar discussion. Over time, organizations began to realize that, to be effective, SOAR couldn’t be about just running the same processes over and over again.
Detection and response are dynamic and variable. So, automation must be based on data that is relevant to the organization in order to trigger the right processes. And orchestration requires that actions be taken immediately and automatically through the right tools in use in the organization’s environment.
To close the loop, feedback and lessons learned from the actions taken should be captured continuously and used to inform the process and improve future response. It became evident that interoperability with other tools and technologies is a key enabler of SOAR.
Breaking the cycle with open interoperability
Even though things have changed—from SOAR to XDR to CSMA—they have also stayed the same. These new categories are not solutions but really architectures. At least CSMA is being positioned as an architecture out of the gate, which may keep the industry on a faster path to delivering value. As Gartner states up front, “IT leaders must integrate security tools into a cooperative ecosystem.” But how are security teams going to connect the dots between people and machines across their organization’s environment, including hybrid and multicloud?
To begin with, integration must be broad to cover a range of tools, including all internal data sources – the SIEM system, log management repository, identity management, endpoint, network, case management system and other security infrastructure – on premises and in the cloud. It must also integrate with the multiple external data sources organizations subscribe to – commercial, open source, government, industry and existing security vendors. This requires a combination of out-of-the-box connectors for popular data sources and custom connectors that can be written and deployed within hours.
Internal and external data aggregation, normalization and correlation allow you to tap into the richness of all available data to get a complete picture of what is going on. This includes contextualizing data with additional intelligence, including internal observations of network activity and file behavior. Pivoting to external data sources to learn more about campaigns, adversaries and their tactics, techniques and procedures (TTPs) allows you to look for associated artifacts in other tools across the enterprise to confirm the scope of malicious activity and identify all impacted systems.
Integration must also be deep to facilitate the translation and exchange of information for action. With the dots connected to reveal a bigger picture of an attack, you can execute a comprehensive and coordinated response, performing actions across multiple systems and sending associated data back to the right tools across your defensive grid immediately and automatically to accelerate response. Blocking threats, updating policies and addressing vulnerabilities all happen faster. Deep integration is also bi-directional, including the ability to send data from the response back to a central repository for learning and improvement.
Fortunately, the innovation required for broad and deep integration is available because security interoperability has evolved over the last several years to enable XDR and SOAR. It turns out that we can break the cycle and benefit much more quickly from the improvements in security that change can bring.
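The three steps above (broad ingestion of sources in different formats, normalization and correlation on a shared pivot such as identity or IP, then routing actions back to the right tools) can be sketched in a few dozen lines. This is an added illustration, not code from the article or from any vendor it mentions; the SIEM JSON event, firewall key=value line, identity-provider CSV record and the intel feed are all constructed sample data, and the tool names in the response plan are placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample records in three formats (not real telemetry).
SIEM_EVENT = '{"time":"2024-05-01T10:00:00Z","username":"alice","computer":"WS-17","source_ip":"10.1.2.3","event":"logon"}'
FIREWALL_LINE = "ts=2024-05-01T10:02:11Z src=10.1.2.3 dst=203.0.113.9 action=allow"
IDP_RECORD = "2024-05-01T10:05:42Z,alice,SRV-DB-02,10.1.2.3,mfa_push_denied"
# Constructed external intelligence: indicator -> campaign context (placeholder names).
THREAT_INTEL = {"203.0.113.9": {"campaign": "example-campaign", "ttp": "example-ttp-tag"}}

# One normalizer per source: every record ends up in the same common schema.
def from_siem(raw):
    d = json.loads(raw)
    return {"source": "siem", "ts": d["time"], "user": d["username"], "host": d["computer"],
            "src_ip": d["source_ip"], "dst_ip": None, "action": d["event"]}

def from_firewall(raw):
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    return {"source": "firewall", "ts": kv["ts"], "user": None, "host": None,
            "src_ip": kv["src"], "dst_ip": kv["dst"], "action": kv["action"]}

def from_idp(raw):
    ts, user, host, ip, action = raw.split(",")
    return {"source": "idp", "ts": ts, "user": user, "host": host,
            "src_ip": ip, "dst_ip": None, "action": action}

def correlate(events, intel):
    """Pivot on src_ip to link identity, host and network events; enrich with intel."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        hits = [e for e in evs if e["dst_ip"] in intel]      # external indicator match
        if not hits:
            continue
        findings.append({"src_ip": ip,
                         "users": sorted({e["user"] for e in evs if e["user"]}),
                         "hosts": sorted({e["host"] for e in evs if e["host"]}),
                         "indicators": sorted({e["dst_ip"] for e in hits}),
                         "campaign": intel[hits[0]["dst_ip"]]["campaign"]})
    return findings

def plan_response(findings):
    """Route each finding to the tool that can act on it, and record it for learning."""
    actions = []
    for f in findings:
        actions += [("firewall", "block", i) for i in f["indicators"]]
        actions += [("edr", "isolate", h) for h in f["hosts"]]
        actions += [("idp", "reset_session", u) for u in f["users"]]
        actions.append(("case_mgmt", "record", f["campaign"]))   # feedback to central repository
    return actions

def run():
    events = [from_siem(SIEM_EVENT), from_firewall(FIREWALL_LINE), from_idp(IDP_RECORD)]
    findings = correlate(events, THREAT_INTEL)
    return findings, plan_response(findings)
```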