Integrated Threat Defense Provides Better and Faster Protection
Over the holidays, as I watched the movie Guardians of the Galaxy with my kids, it struck me that times have changed when it comes to fighting the bad guys. Sure, we still see Batman, Spider-Man, Superman, even the Lone Ranger, in movies. But in today’s real blockbusters superheroes are joining forces, combining their complementary superpowers in the universal quest for good over evil. X-Men: Days of Future Past was another big hit in 2014 based on the premise of ‘strength in numbers’, and Avengers: Age of Ultron will carry it forward in 2015 and is sure to be wildly popular, like its predecessor.
It got me thinking that we need to look seriously at what it means to join forces to more effectively combat and defeat the bad guys from a cybersecurity perspective – not only from an industry standpoint, but also from a technology standpoint.
The threat landscape keeps advancing, with tailor-made, stealthy threats that evade traditional, point-in-time security defenses. Instead of relying on a single attack vector, an advanced attack uses whatever unprotected paths exist, often blending several of them, to reach its target and accomplish its mission. Cyber criminals go to great lengths to remain undetected, using technologies and methods that leave nearly imperceptible Indicators of Compromise (IoCs). At the same time, modern networks are also evolving, extending beyond traditional walls to include public and private data centers, endpoints, virtual machines, mobile devices, and the cloud.
In today’s dynamic IT and threat environment, point-in-time solutions lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. And disjointed approaches only add to capital and operating costs and administrative complexity.
Converged solutions that combine two or more security functions on a single platform attempt to address these shortcomings. However, simply consolidating security functions on one appliance is far from adequate. The level of integration, if any, is typically limited to device management and post-event analysis, where data is combined into a single repository (often a SIEM) for later manual analysis. That visibility and analysis are not automatically correlated in real time and made actionable to quickly contain and stop damage, nor shared throughout the system to prevent future attacks. And the data gathered is evaluated only once, as a snapshot in time, rather than continuously, so we forfeit the opportunity to systematically ‘tune’ defenses based on new telemetry and intelligence.
It should come as no surprise, then, that for the last few years the Verizon Data Breach Investigations Report has found that most breaches are discovered by law enforcement and other third parties, not by the breached organizations themselves. To make security investments more effective, what’s needed is a comprehensive approach with tightly integrated threat defense across the extended network and the entire attack continuum: before, during, and after an attack.
A tightly integrated threat defense system stands apart because it shares ‘context’ and intelligence between security functions in a way that immediately informs the whole and speeds detection and remediation. For example, suspect malware observed on an endpoint could automatically trigger further inspection by network sensors. Many further actions are possible, including restricting privileges for the hosts in the suspect file’s path until they can be inoculated.
Each security function must be tightly integrated for truly effective multi-layered protection against the full spectrum of attacks, known and unknown. This is done by gathering telemetry across the extended network and every attack vector for full contextual awareness, and then analyzing it continually to surface IoCs that would otherwise go unnoticed. With these IoCs, defenders can prioritize events and stop threats sooner, hopefully before much damage is done, essentially gaining an ‘early warning system’ for unknown cyberattacks.
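To make the contrast between a snapshot-in-time evaluation and a continuously correlated, context-sharing one concrete, here is an added Python example; it is not code from the original post or from any product it describes. It models the endpoint-to-network hand-off described above: an endpoint agent and a network sensor feed one engine, a weak endpoint verdict automatically asks the network sensor for deeper inspection of that host, a connection from the suspect host to an internal peer places that peer in the file’s path, and the same file appearing on a second host pushes both hosts over the IoC threshold. The hosts, file hash, ports, score weights and thresholds are all constructed for illustration.

```python
"""Added example, not from the original post: a toy correlation engine that
contrasts point-in-time evaluation with continuous, context-sharing defense.
Hostnames, hash, ports, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0."   # constructed convention: 10.0.x.y is inside the network


@dataclass
class Event:
    ts: int
    source: str      # which security function saw it: "endpoint" or "network"
    host: str        # host the event was observed on / originated from
    kind: str        # "file_exec" (endpoint) or "conn" (network)
    attrs: dict = field(default_factory=dict)


def point_in_time(events, threshold=70):
    """Point-in-time model: each event is judged once, alone, with no shared
    context.  Only an endpoint verdict that is confident on its own alerts."""
    return [(e.host, e.attrs["sha256"]) for e in events
            if e.kind == "file_exec" and e.attrs["confidence"] >= threshold]


class IntegratedDefense:
    """Continuous model: every function's telemetry updates one shared risk
    picture, and each new event is judged against everything seen so far."""

    def __init__(self, threshold=70, suspect_bar=30):
        self.threshold = threshold      # score at which a host becomes an IoC
        self.suspect_bar = suspect_bar  # minimum endpoint confidence worth tracking
        self.score = {}        # host -> accumulated risk score
        self.evidence = {}     # host -> reasons behind that score
        self.hash_hosts = {}   # sha256 -> hosts that executed that file
        self.lateral = {}      # suspect host -> internal peers it connected to
        self.actions = []      # (action, host) handed to enforcement points, in order
        self.iocs = set()      # hosts whose score crossed the threshold

    def _act(self, action, host):
        if (action, host) not in self.actions:   # never issue the same order twice
            self.actions.append((action, host))

    def _bump(self, host, points, why):
        self.score[host] = self.score.get(host, 0) + points
        self.evidence.setdefault(host, []).append(why)
        if self.score[host] >= self.threshold and host not in self.iocs:
            self.iocs.add(host)
            # contain the host and every peer it reached while under suspicion
            self._act("restrict_privileges", host)
            for peer in sorted(self.lateral.get(host, ())):
                self._act("restrict_privileges", peer)

    def ingest(self, ev):
        if ev.kind == "file_exec":
            sha, conf = ev.attrs["sha256"], ev.attrs["confidence"]
            if conf < self.suspect_bar:
                return
            hosts = self.hash_hosts.setdefault(sha, set())
            hosts.add(ev.host)
            # a lone endpoint verdict is weak, but it is enough to ask the
            # network sensors to inspect this host's traffic more closely
            self._act("deep_inspect", ev.host)
            self._bump(ev.host, conf, f"endpoint: suspect file {sha[:8]} executed")
            if len(hosts) > 1:
                # the same suspect file on several hosts is itself an IoC
                for h in sorted(hosts):
                    self._bump(h, 30, f"file {sha[:8]} now seen on {len(hosts)} hosts")
        elif ev.kind == "conn":
            dst = ev.attrs["dst"]
            if self.score.get(ev.host, 0) < self.suspect_bar:
                return
            if dst.startswith(INTERNAL_PREFIX):
                # a suspect host reaching an internal peer extends the file's path
                self.lateral.setdefault(ev.host, set()).add(dst)
                self._bump(dst, 30, f"network: reached from suspect {ev.host} on port {ev.attrs['dport']}")
            elif ev.host in self.iocs:
                self._act("block_egress", ev.host)   # confirmed IoC talking outbound

    def prioritized(self):
        """Hosts ordered by risk, highest first: what an analyst should look at now."""
        return sorted(self.score, key=lambda h: (-self.score[h], h))


def run(events):
    engine = IntegratedDefense()
    for ev in sorted(events, key=lambda e: e.ts):
        engine.ingest(ev)
    return engine


# Constructed telemetry: two hosts each run the same file with a weak verdict,
# and the first host reaches the second over SMB in between.
SHA = "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"
SAMPLE_EVENTS = [
    Event(100, "endpoint", "10.0.1.5", "file_exec", {"sha256": SHA, "confidence": 40}),
    Event(130, "network", "10.0.1.5", "conn", {"dst": "10.0.1.9", "dport": 445}),
    Event(160, "endpoint", "10.0.1.9", "file_exec", {"sha256": SHA, "confidence": 40}),
    Event(200, "network", "10.0.1.9", "conn", {"dst": "203.0.113.7", "dport": 443}),
]

if __name__ == "__main__":
    print("point-in-time alerts:", point_in_time(SAMPLE_EVENTS))
    eng = run(SAMPLE_EVENTS)
    for host in eng.prioritized():
        print(host, eng.score[host], "IoC" if host in eng.iocs else "", eng.evidence[host])
    print("actions:", eng.actions)
```

Run as a script, the point-in-time pass produces no alert at all, because neither endpoint verdict is confident enough on its own. The continuous engine reaches the same weak verdicts but keeps them as context: the lateral connection and the second sighting of the file each add to the picture, both hosts cross the threshold, and the engine hands ordered actions (deep inspection, privilege restriction, egress blocking) to the enforcement points while the attack is still in progress.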
Integrated threat defense provides better and faster protection at multi-gigabit speeds – before you have a known signature, before valuable data is stolen, and before a third party discovers and alerts you to the breach. And it does so while simplifying an organization’s security architecture with fewer security devices to manage and deploy. By gaining full contextual awareness that is continuously updated, defenders can assess all threats, correlate intelligence, and optimize defenses.
There are other aspects of joining forces, besides integrating security functions. At the industry level, open source is a valuable tool for defenders as they rapidly innovate to close security gaps and gather great intelligence about potential threats. New open standards and efforts to create, share, and implement custom application detection and custom IoCs empower defenders to further reduce the attack surface and better identify anomalous behavior. The ability to share real-time threat intelligence and protection across a community of users is another prime example of working together for greater security effectiveness.
Attacks will continue to evolve, as will our IT environments. Integrated threat defense is a dynamic foundation that allows us to add an expanding roster of superheroes that work in concert, sharing their findings to protect across more threat vectors and thwart more attacks.