Security Teams Need the Ability to Launch a Coordinated and Consistent Response to Threats Using a Variety of Tools
The distribution of today’s networks, driven initially by digital innovation and accelerated by the recent rapid transition to work from home, has had a significant impact on security. Universal access to any application or connected resource, from any location, on any device sounds like a great idea. In practice, however, it creates challenges that few organizations have been able to manage. Security teams that used to only manage the core network, with perhaps a few branch offices and “road warrior” remote sales teams sprinkled in, have had to transition to managing a sprawling network spanning multiple clouds and SaaS applications, growing numbers of branch offices with new SD-WAN connections, distributed IoT devices, IT/OT convergence, mobile workers and devices, and now, dozens or even hundreds of home offices.
In many organizations, much of this change has happened ad hoc, without a central security plan or strategy. As new network environments have been adopted, IT teams have deployed different security solutions for each new segment of the network. But regardless of the reason why, IT teams now have an average of 45 security solutions deployed across their networks, according to IBM. Rather than enhancing security, this level of vendor and solution sprawl actually diminishes their ability not only to detect, but also to defend against active attacks. Many of these are point solutions operating in isolation that do not share or correlate threat intelligence or participate in coordinated threat responses with other solutions in the same segment of the network, let alone across disparate environments. Worse, there is no way to centrally manage and orchestrate policy distribution, ensure consistent enforcement, or centralize configurations.
Addressing this issue needs to be a top priority for organizations, not just to address their current challenges, but to prepare for the changes just over the horizon. Networks stuffed with isolated security devices that struggle to just keep up with application performance requirements and dynamic networks will absolutely freeze when faced with things like distributed clouds, extreme edge computing, and smart environments. The best way forward is to start with a two-pronged approach focused on consolidation and collaboration.
Consolidation requires a broad security platform
To address these issues impacting visibility, consistency, control, and response, many organizations have undertaken consolidation efforts to reduce the number of vendors and solutions deployed in their networks. But consolidation is a difficult proposition. It’s not about just reducing the number of vendors you are trying to manage, but selecting the right vendors – those solutions designed to enable and enhance the functionality of the solutions in place.
The top consideration needs to be interoperability between the solutions that remain in place. Security tools, regardless of where they have been deployed, need to be able to leverage common security intelligence feeds and share alerts and threat data with other security tools. Security managers and data analysts need a common source of threat intelligence so they can correlate threat intelligence from across the network and quickly identify threats. And security responders need to be able to launch a coordinated and consistent response to detected threats using the variety of security solutions deployed across the network.
The easiest and most effective way to make this happen is to build a common security framework using an integrated security platform. Such a platform needs to have the following characteristics.
• Deployable everywhere – For security to be effective, it needs to support and protect business operations, applications, users, and devices regardless of where they occur. A security platform needs to be deployable in any environment, from traditional workspaces to industrial environments. It needs to be available in any form factor, from high-performance appliances, to desktop devices, to VMs and software applications, to running inside containers to support custom applications.
• Supports every edge – A platform also needs to support any edge, including data centers, LANs, SD-WAN deployments, OT, IoT networks, desktops, private clouds, as well as run natively in every public cloud environment. And given the recent transition to work from home, it also needs to be deployable in the cloud as a service to protect home offices and off-network workers.
• Built around tested and validated solutions – One of the other challenges in selecting a platform is that not every solution bundled into that platform is world class. You may get a good firewall, for example, but it may be packaged with a mediocre IPS, AV solution, or sub-par sandbox. The easiest way to determine if a platform bundle is going to provide the level of security you need is to check if its critical solutions have been individually tested, reviewed, and ranked by third parties.
• Leverages a common operating system – Individual solution validation is only part of the story. Those solutions also need to work together as a single system. Unfortunately, many platforms are little more than individual point products wrapped together under a common shell. Often, each solution still requires its own management and configuration interface. What these solutions need is a common operating system that enables them to work together as a fully integrated system.
A platform only addresses part of the challenge. There will always be security elements that do not function natively in a common platform. This is why it is absolutely essential to also select solutions built using common standards and APIs. This ensures that threat feeds can be consumed consistently, threat intelligence can be freely shared, and threat responses can be launched anywhere across the network leveraging every security tool available.
For essential solutions that cannot be easily integrated into the larger security framework, there are other options. Larger enterprises with mature operations often adopt a SOAR (Security Orchestration, Automation and Response) solution to coordinate their distributed security system through their SOC and NOC environments. Others rely on SIEM technologies to gather intelligence and coordinate responses across disparate solutions. And organizations with a less mature IT infrastructure can now leverage XDR (eXtended Detection and Response) solutions to facilitate coordination.
In each of these, however, solutions work best when coordination between deployed security devices and platforms and the SOAR/SIEM/XDR solution is built into the system. This can range from using open APIs and common standards to accelerate and facilitate information gathering and response functions, to leveraging the same operating system to enhance interoperability even further.
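The interoperability argument above (a common threat-intelligence schema, correlation across tools, and one coordinated response) is easier to see in code than in prose. The following is an added example, not code from the original article or from any vendor's product: it normalises alerts from three differently formatted point products into one schema, correlates them on a shared indicator, and emits a single block decision that every enforcement point would apply. All tool names, hostnames, IP addresses (RFC 5737 documentation ranges) and log lines are constructed for illustration, and the field names are assumptions rather than any real product's format.

```python
"""Added example: normalise, correlate and respond across isolated security tools.
Every tool name, host, IP and log line below is constructed sample data."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: three tools, three formats, no shared schema.
FIREWALL_SYSLOG = [  # key=value syslog, as a hypothetical branch firewall might emit
    'date=2024-03-01 time=10:02:11 devname="fw-branch-07" action="deny" '
    'srcip=203.0.113.45 dstip=10.20.5.12 dstport=445 msg="blocked by policy 14"',
    'date=2024-03-01 time=10:05:40 devname="fw-branch-07" action="accept" '
    'srcip=198.51.100.9 dstip=10.20.5.30 dstport=443 msg="allowed"',
]
EDR_JSON = [  # one JSON event per line, as a hypothetical endpoint agent might send
    '{"host": "wks-1193", "severity": "high", "remote_ip": "203.0.113.45", '
    '"detail": "outbound connection from suspicious process"}',
    '{"host": "wks-0042", "severity": "low", "remote_ip": "192.0.2.77", '
    '"detail": "new scheduled task"}',
]
IPS_CSV = [  # timestamp,sensor,src,dst,signature,severity (hypothetical export)
    "2024-03-01T10:03:02Z,ips-dc-01,203.0.113.45,10.20.5.12,signature: SMB probe,medium",
]


@dataclass(frozen=True)
class Alert:
    """The common schema every tool is mapped into."""
    source_tool: str   # "<family>:<device>", e.g. "firewall:fw-branch-07"
    indicator: str     # the pivot key we correlate on (here: the remote IP)
    severity: str      # info | low | medium | high
    detail: str


SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_firewall(line: str) -> Alert:
    # Tokenise key=value pairs; quoted values may contain spaces.
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    kv = {k: v.strip('"') for k, v in pairs}
    severity = "medium" if kv.get("action") == "deny" else "info"
    return Alert("firewall:" + kv["devname"], kv["srcip"], severity, kv.get("msg", ""))


def parse_edr(line: str) -> Alert:
    ev = json.loads(line)
    return Alert("edr:" + ev["host"], ev["remote_ip"], ev["severity"], ev["detail"])


def parse_ips(line: str) -> Alert:
    _ts, sensor, src, _dst, signature, severity = line.split(",")
    return Alert("ips:" + sensor, src, severity, signature)


PARSERS = {"firewall": parse_firewall, "edr": parse_edr, "ips": parse_ips}


def normalise(feeds: dict) -> list:
    """feeds: {tool_family: [raw lines]} -> list of Alert in the common schema."""
    return [PARSERS[family](line) for family, lines in feeds.items() for line in lines]


def correlate(alerts: list, min_tools: int = 2) -> dict:
    """Group alerts by indicator. An indicator reported by at least
    min_tools distinct tool families is escalated; a single tool's
    verdict alone is not enough. Returns {indicator: summary}."""
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[a.indicator].append(a)
    findings = {}
    for indicator, group in by_indicator.items():
        families = {a.source_tool.split(":")[0] for a in group}
        if len(families) >= min_tools:
            worst = max(group, key=lambda a: SEVERITY_RANK[a.severity])
            findings[indicator] = {
                "tools": sorted(families),
                "max_severity": worst.severity,
                "alert_count": len(group),
            }
    return findings


def build_response(findings: dict, threshold: str = "medium") -> dict:
    """Turn correlated findings into one consistent action set that every
    enforcement point applies, instead of each tool deciding on its own."""
    return {
        indicator: {
            "action": "block",
            "scope": ["firewall", "edr", "ips"],
            "reason": "seen by " + ", ".join(f["tools"]),
        }
        for indicator, f in findings.items()
        if SEVERITY_RANK[f["max_severity"]] >= SEVERITY_RANK[threshold]
    }


if __name__ == "__main__":
    alerts = normalise({"firewall": FIREWALL_SYSLOG, "edr": EDR_JSON, "ips": IPS_CSV})
    print(json.dumps(build_response(correlate(alerts)), indent=2))
```

Run as-is, the script escalates only 203.0.113.45, the one address that the firewall, the EDR agent and the IPS all reported independently; the two addresses seen by a single tool stay below the correlation bar. The design point is that the parsers are the only product-specific code: once every tool lands in the shared Alert schema, correlation and response are written once and apply to whatever mix of products remains after consolidation.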
First things first
Of course, these are only a few of the standards organizations need to consider when trying to reduce the complexity of their networks and prepare for the next wave of digital innovation. Things like performance, especially under heavy processing loads such as inspecting encrypted traffic, integration of AI to enhance detection, analysis, and response functions, and automation to enable security to respond to cyber events at digital speeds are all essential components. But none of those will be nearly as valuable until an effective consolidation and collaboration strategy is in place.