In today’s high-risk IT environment, there’s no such thing as too much security, right? Well, that depends. As with anything in life, the devil is in the details. As organizations continue to expand their arsenal of security products in an effort to strengthen protections against advanced threats, they often introduce complexity. Adding technology only results in better security when multiple threat protections perform as a connected, integrated system and when security teams trust their automated security processes.
Human Nature: The Overriding Threat
The human factor has always posed a formidable challenge in maintaining enterprise security. IT teams educate end users about the risks of phishing and social engineering attacks that can put the enterprise at risk with one seemingly innocuous mouse-click. However, end users are not the only serious threat: Security teams themselves are becoming the weak link by overriding automated security processes.
Let’s look at why this problem persists and what can be done about it.
Disabled Features
IT personnel have their reasons for disabling security features. I’ve written about this risky practice in a previous SecurityWeek column. Some systems generate too many false-positive events. Performance impact is another common reason for turning off features, as an underpowered solution may create network throughput issues. Additionally, IT staff may stretch out deployment timeframes, leaving a new tool in detection-only mode while they validate its detection effectiveness, so it never reaches the point of actually blocking anything.
It’s human nature to want to verify the existence of malware before initiating action. However, today’s incredible number of security events and alerts can quickly overwhelm a human’s ability to effectively manage risks, resulting in:
Information Overload. While the security events and alerts generated by an organization’s multiple security solutions can vary widely, it’s not uncommon for some security products to flag upwards of 10 events per second (more than 850,000 events per day). More security solutions and more alerts mean more work. Dealing with volumes like these becomes futile without automated security policies and processes.
Analysis Paralysis. While risk analysis solutions can offer significant detection enhancements, simply adding a new technology may not improve a security posture. Is the risk real? Does it pose an imminent danger? Does it require in-depth forensic analysis? Without an integrated security solution, you may need to jump between multiple security product consoles to get answers. All the while, the clock keeps ticking and suspect events continue to pile up.
Achieving Connected Security
Avoiding a security disconnect starts with intelligent, integrated solutions that work together to foil today’s advanced threats. Here are three considerations that can help you achieve connected security.
1) Choose an Intrusion Prevention System (IPS) that Connects the Dots and Takes Corrective Action. Today’s best IPS solutions integrate security data from across the organization in near real time, placing security events and alerts in context. They share contextual information between components and include sophisticated detection engines, including signatureless ones. Choose a system that is smart enough to perform deep inspection of network traffic, block threats, and take corrective action as needed without delay.
2) Choose Security Components that Work Well with Others. It’s hard to overstate the importance of integration. True integration is more than just a buzz phrase. It involves sharing real-time threat data, workflows, device details, user and application information, vulnerability assessments, and more among security components. For example, does your IPS share risk and correlation data with your SIEM, firewalls, and your enterprise security console? It should. Jumping between security consoles is not only time-consuming; it introduces opportunities for human error. You need a global view of risk and compliance, with data and workflows that feed into one central console, regardless of which vendor made each security component.
3) Layer Wisely. Sandboxing is a powerful tool that helps you expand threat detection to include unknown files and code. But once again, more alerts mean more work. Alerts that lack context and action may be overlooked, resulting in dire consequences. Sandboxes must be integrated into the security infrastructure. Rather than yet another stand-alone, alert-producing device, they must be an extension of the existing detection and protection arsenal, feeding critical threat data to solutions that can take immediate action.
Integration is often discussed in the context of increasing security management efficiency, and that benefit is real. However, shallow or partial integration is a major cause of disconnected security. Intelligent integration must extend across your network and include your sandbox to avoid alert overload and ultimately reduce risk.