Bringing Security Architecture Out of the Darkness and Into the Light
The huge challenge presented by today’s attack campaigns – multi-stage attacks, with thousands of constantly evolving attack vectors – has led organizations to buy hundreds of security products in order to defend their networks. As exciting new technologies arise – advanced network and endpoint antimalware, network and entity behavioral analysis systems, anti-fraud, deception technologies, EDR systems, threat intelligence feeds, and many more – organizations have been piling on the products. Suppliers and service providers dangle the fear of the repercussions of not having a specific product or service, and of becoming vulnerable to this or that attack. The buying spree goes on, and the costs to the organization rise, but the effectiveness of the platform as a whole is often unclear and incomplete, at best.
At the end of the day, CISOs are finding it very challenging to be able to assess the performance of the security products in their organization’s arsenal. Which product was successful in identifying, or mitigating, which attack? Which product failed to do what it was supposed to and left the organization vulnerable? Which products were perhaps effective 6 months or a year ago, but have not evolved to be able to address current attacks? Which product was activated in which scenario, and was it the right choice? And maybe the most important question, are the different products able to work together effectively?
Many CISOs deal with the daily frustrations of not having the answers to these questions. Because their security platform is made up of hundreds of siloed products from dozens (or more) different vendors, it isn’t surprising that chaos ensues. A CISO may often feel like an army general who commands a battlefield in the dark, trying to catch quick glimpses to see if his troops are heading in the right direction, if the equipment is battle-ready. This “groping in the dark” is a handicap organizations can ill-afford in today’s tough battle against ever more sophisticated attack campaigns.
Before an organization can consider plans for advanced automation, orchestration and mitigation or remediation, it needs to first understand what it actually holds in its hand.
Shining a light onto the security apparatus is the first step – providing transparency and answers to some very basic questions, including:
• How efficiently are the products in my security architecture doing the job they were bought to do, per the security risk?
• How accurate is each product or service?
• Are the products really meeting my business security compliance requirements (e.g., HIPAA, PCI DSS, etc.)?
• Can I break down my security apparatus and “see” each product’s contribution, and criticality, for the organization in terms of the cyber-kill-chain stages?
• What would have happened if I had disabled a product?
Once we have the answers to these questions, we are much better equipped to plan the most efficient and effective security posture for the organization. The positive impact on ROI cannot be overstated. It is likely that every medium-large organization is paying for dozens of products and services that are redundant, outdated, or underperforming. Transparency and diagnostics can give clear answers, enabling the organization to streamline, prioritize and cut out the unnecessary fat.
An effective diagnostics tool will enable organizations not only to assess the effectiveness of their products after the fact, but to engage in “war room” scenarios in preparation for new attacks. Such a diagnostic system would provide an inference engine that lets you mix and match tools to replay historical attacks (and see how they could have been confronted better), or to map theoretical future attacks, trying out different defense scenarios and testing the potential effectiveness of each.
Here are some feasible approaches that can bring high quality diagnostic results:
• Security Analytics Systems – There are various security analytics solutions today that claim to be able to collect all security events from security tools and “connect the dots” in order to find out if a real attack campaign is underway – separating noise from security events that actually matter. If these systems could also provide us a breakdown of “true” events vs. noise for each security vendor, this would give CISOs the required visibility into each tool’s effectiveness.
• Kill-chain Effectiveness – It is an industry fact that some tools are better in certain types of attack vectors and are dysfunctional in others, and this can actually change over time. Associating the security events each tool generates with the various kill-chain stages can help CISOs understand where each tool can contribute to the organization, then identify gaps and prioritize the tools accordingly.
• Mix-and-match Simulation – One of the “dreams” of any CISO is to be able to simulate ‘what-if’ scenarios that test various combinations of security tools and vendors working together to detect, investigate and mitigate types of advanced attack campaigns, and to be provided with a “quality score”, an index that compares the different tools. We are not there yet, but the emerging field of security orchestration technologies seems to be on the right track to finally achieving this.
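The three approaches above (true-event vs. noise breakdown per tool, kill-chain stage coverage, and “what-if” mix-and-match scoring) can be prototyped over a tool’s own alert history. The following is an added example, not code from the original post; the tool names, kill-chain stages and alert outcomes are constructed for illustration, and the “confirmed true positive” flag is assumed to come from analyst triage.

```python
# Added example, not code from the original post: per-tool precision, kill-chain
# coverage, and "what if I disabled X" gap analysis over constructed alert data.
# Tool names, stages and alert outcomes below are assumptions for illustration.
from collections import defaultdict

KILL_CHAIN = ["recon", "weaponization", "delivery", "exploitation",
              "installation", "c2", "actions"]

# Constructed alert records: (tool, kill-chain stage, confirmed true positive?)
ALERTS = [
    ("EDR-A", "exploitation", True), ("EDR-A", "installation", True),
    ("EDR-A", "installation", False), ("EDR-A", "c2", False),
    ("NTA-B", "c2", True), ("NTA-B", "c2", True), ("NTA-B", "recon", False),
    ("NTA-B", "delivery", False), ("NTA-B", "delivery", False),
    ("MailGW-C", "delivery", True), ("MailGW-C", "delivery", True),
    ("MailGW-C", "delivery", False), ("TI-D", "c2", False), ("TI-D", "c2", False),
]

def precision_per_tool(alerts):
    """Share of each tool's alerts that were confirmed attacks ("true" vs noise)."""
    tp, total = defaultdict(int), defaultdict(int)
    for tool, _stage, is_true in alerts:
        total[tool] += 1
        tp[tool] += int(is_true)
    return {t: round(tp[t] / total[t], 2) for t in total}

def stage_coverage(alerts, enabled=None):
    """Tools with a confirmed detection per kill-chain stage, optionally
    restricted to a chosen set of enabled tools (mix-and-match / what-if)."""
    covered = defaultdict(set)
    for tool, stage, is_true in alerts:
        if is_true and (enabled is None or tool in enabled):
            covered[stage].add(tool)
    return {s: sorted(covered[s]) for s in KILL_CHAIN}

def what_if_disabled(alerts, tool):
    """Stages that lose every confirmed detection if `tool` is switched off."""
    all_tools = {t for t, _, _ in alerts}
    before, after = stage_coverage(alerts), stage_coverage(alerts, all_tools - {tool})
    return [s for s in KILL_CHAIN if before[s] and not after[s]]

def combo_score(alerts, tools):
    """Quality score for a tool combination: number of kill-chain stages covered."""
    return sum(1 for covered in stage_coverage(alerts, set(tools)).values() if covered)

if __name__ == "__main__":
    print("precision:", precision_per_tool(ALERTS))
    print("gaps:", [s for s, c in stage_coverage(ALERTS).items() if not c])
    for t in ("EDR-A", "NTA-B", "MailGW-C", "TI-D"):
        print(f"without {t}, uncovered stages:", what_if_disabled(ALERTS, t))
    print("score EDR-A + NTA-B:", combo_score(ALERTS, ["EDR-A", "NTA-B"]))
```

On the constructed data, the threat-intel feed (TI-D) produces only noise and covers no stage on its own, while removing EDR-A leaves both exploitation and installation undetected; that is the kind of per-tool criticality the article asks CISOs to be able to see.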
Transparency, diagnostics, and ongoing evaluation are basic tenets of so many of an organization’s activities today. Analytics tells us exactly how our online presence performs – who visited, from where and for how long. PPC advertising lets us pay only for those leads that reached our doorstep. CRM systems give us full visibility into our sales process, in real time at any moment. But in the realm of security, we are still in the dark, paying for dozens of products and services we no longer need, without the ability to measure performance and prioritize. It’s time we shine a light into our security systems, and bring the knowledge, and the control, back to organizations. Achieving this goal will mean a streamlined, more effective security apparatus, with vastly improved security ROI.