Integration is Key to Bringing Security Teams, Processes and Technology Together
I’m going to go out on a limb here and say that if you’re reading this article, chances are you’re into technology. At home, this may show up in the type of sound system you have or home automation solution. In either case, you have probably done extensive research and devised a solution comprised of components from various manufacturers that you feel are best suited to meet your needs. A CD player, turntable, tuner, receiver, amplifier and speakers. Or a smart hub (like Amazon Echo or Google Home), thermostat, cameras, door locks, flood lights, smart appliances, smart TVs, and the list goes on. You likely assembled these solutions over time and will continue to add more devices, expecting them to interoperate seamlessly to deliver as promised.
It’s quite similar to the environment in which we operate as security professionals every day. Most organizations have a complex security infrastructure that consists of multiple products from multiple vendors to create layers of defense, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response solutions. We have SIEMs and other tools that house internal threat and event data – ticketing systems, log management repositories, case management systems.
In the past couple of years, we’ve seen a movement towards Security Orchestration, Automation and Response (SOAR) platforms and tools. Specifically, orchestration and automation tools that define playbooks and processes, or threat intelligence platforms that act as a central repository to aggregate and enrich vast amounts of internal threat and event data with external, global threat intelligence for context so that you can understand and prioritize it for action. Regardless of the type of platform, integration is key to bringing security teams, processes and technology together within the construct of a single security architecture to drive efficiency and effectiveness, eliminating repetitive tasks so that analysts are free to focus on higher priority activities.
A single security architecture requires bi-directional integration. Relevant, prioritized threat intelligence must flow through all systems, playbooks and processes so that automation is based on the right data. And systems and tools must feed data, events and what has been captured, back to the central repository for use in other systems. This central repository also serves as organizational memory for learning and improvement.
More recently, we’re seeing the emergence of XDR solutions that ESG defines as, “An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.” There are even more challenges here because no organization is starting with a clean slate; there is existing infrastructure and the appetite to rip and replace is low. What’s more, different departments with different budgets and teams are using different solutions, so the decision-making process to move forward with a single vendor solution will be a labyrinth, at best.
An XDR solution can’t just integrate within its own set of products. It must integrate with a range of existing tools and technologies for a certain period of time, which could be several years. As with SOAR tools, this integration must be bi-directional to reap the full value from the XDR solution. What’s more, time will tell if XDR solution providers will be able to maintain the level of innovation of best-in-class solution providers who focus their resources to address specific use cases, new types of threats and emerging threat vectors.
A case in point, in response to threat activity around COVID-19, many commercial threat intelligence providers, governments, open source feeds and frameworks like MITRE ATT&CK are providing valuable threat and outbreak-specific data. Consuming all this data is a real challenge, especially since many of the sources are new and no ready-made connectors exist to plug these feeds into existing security infrastructure. Organizations don’t have teams of analysts sitting idle and available to manually sift through numerous, new sources and massive volumes of indicators and operationalize them. What’s needed are custom connectors to any type of threat intelligence feed that can be written and deployed within hours so organizations can begin ingesting threat data from new sources quickly. Any all-in-one enterprise system needs that level of external integration capability as well.
Don’t get me wrong. As I have written about before, complexity is the enemy of security and a defense-in-depth approach brings complexity due to fragmentation. But bigger, broader solutions can’t solve this alone. Integration needs to play a role to maximize overall efficiency and effectiveness. Just as you’ve seen if you’ve committed to Amazon Echo or Google Home, they both have their sweet spots but need to be open and flexible because even they shouldn’t try to do it all.