Many enterprises have been taking stock of their security architecture as well as assessing gaps and redundancies (see last month’s article Wading Through Tool Overload and Redundancy?). Sometimes it is the result of a post-breach investigation, and the post-investigation finger-pointing. Sometimes it is due to new management taking stock of the company’s risk exposure. Sometimes it is a financially driven exercise to better understand budgets and bang for the buck. Regardless of the motivation, what many are finding is that they don’t really have an architecture so much as a bunch of disparate parts sitting in silos across the environment. Looking back at it all, CISOs may wonder how they got there, but hindsight is always 20/20.
The parts in question were likely procured with the best of intentions, to serve a purpose at some point in time, from the prevalent vendor in that space. It is a good practice to take a step back every now and then and refactor your environment, making sure the various technologies and processes are up to the current day’s challenges and those of the foreseeable future.
The typically fragmented “best of breed” security architecture of many large enterprises results in protective gaps, vendor management challenges and finger-pointing. The gaps are not necessarily the result of going with the wrong tool or vendor in a space. Even the best point solutions will be hard pressed to protect the business in today’s complex, multi-channel, mobile and cloud-driven environment. Doing so means coordinating policies, alerts and analysis across multiple tools that often sit in silos and don’t talk to each other. Securely supporting today’s business demand for the ability to access and share data and applications across organizational and geographic boundaries requires a coordinated and synchronized approach. Silos will not suffice.
In a typical enterprise, you will find tools like data loss prevention (DLP), cloud access security brokers (CASB), data encryption, data tagging, web proxy, firewalls, endpoint protection, endpoint detection and response, and on and on… The challenge of defining, managing and using policies across all those tools, and responding to it all, has typically resulted in minimal policy sets, missed alarms, and lost data and systems. The industry initially tried to create this glue via SIEM tools, followed by orchestration tools. However, while these tools serve important functions, they have not filled the need to bring the various point solutions together into a comprehensive platform. Using SIEM and orchestration tools as the glue that binds often just adds more complexity to the environment.
What has been recognized by many is the need to shift from a function/product perspective to that of a platform. That may sound like vendor speak, but regardless of what you call it, purchasing a set of tools that “play together nicely in the sandbox” has many benefits that can trump any specific bell or whistle that an isolated best of breed tool can provide. The goal is functional integration of the tools in the environment for blocking and alerting, combined with cyber risk analytics that connect the dots across user behavior, indicators of attack/compromise and threat intelligence, and that can take action via an orchestration tool. For example, integrating policies and alerts across DLP and CASB increases the chances that you will stop data from leaving the organization across internal and cloud data communication applications. Reducing complexity also increases the chances of these tools actually being deployed effectively vs. partial rollouts and minimal policies in each tool.
Using analytics to identify the malicious insider who is trying to exfiltrate data across those channels, or perhaps a coordinated communication with a known dangerous destination indicating a compromised account, helps ensure you are using the information at your disposal to minimize your cyber risk. For example, connecting the dots between proxy data indicating potential phishing activity, blocked DLP events to known malicious destinations, and indicators of attack from endpoint events closes the gaps between those tools and helps organizations stop attacks before they cause damage.
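To make the “connecting the dots” idea concrete, here is an added example (not code from the original article or from any vendor platform) that normalizes constructed proxy, DLP and endpoint log lines into a shared signal vocabulary and raises a single alert only when two or more tools report suspicious activity for the same user inside a time window. The log formats, field names, signal names, weights and the threat-intelligence set are all assumptions made for the illustration; a real deployment would map each tool’s actual schema onto the same normalization step.

```python
"""Cross-tool correlation: proxy + DLP + endpoint signals per user within a window.

Added example with constructed telemetry; log formats and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one line per tool record (not real logs).
PROXY_LOGS = [
    "2024-05-01T09:00:10Z user=alice host=WS-ALICE dst=login-portal.invalid category=phishing action=allowed",
    "2024-05-01T09:05:00Z user=bob host=WS-BOB dst=news.example.org category=news action=allowed",
]
DLP_LOGS = [
    "2024-05-01T09:12:30Z user=alice host=WS-ALICE dst=files-drop.invalid policy=PCI action=blocked",
]
EDR_LOGS = [
    "2024-05-01T09:20:45Z host=WS-ALICE user=alice ioa=credential_dumping severity=high",
    "2024-05-01T11:00:00Z host=WS-CAROL user=carol ioa=suspicious_powershell severity=medium",
]
# Constructed stand-in for a threat-intelligence feed of known-bad destinations.
KNOWN_BAD_DESTINATIONS = {"files-drop.invalid"}

# Assumed weights for the shared signal vocabulary (tune to your environment).
WEIGHTS = {
    "phishing_visit": 2,
    "dlp_block": 2,
    "dlp_block_known_bad": 3,
    "endpoint_ioa": 3,
}


def parse_line(line, tool):
    """Parse '<timestamp> key=value ...' into a dict and tag it with its source tool."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["tool"] = tool
    return event


def signal_for(event):
    """Map each tool's own vocabulary onto a shared signal name, or None if benign."""
    tool = event["tool"]
    if tool == "proxy" and event.get("category") == "phishing":
        return "phishing_visit"
    if tool == "dlp" and event.get("action") == "blocked":
        # A blocked transfer to a known-bad destination is stronger than a generic block.
        if event.get("dst") in KNOWN_BAD_DESTINATIONS:
            return "dlp_block_known_bad"
        return "dlp_block"
    if tool == "edr" and "ioa" in event:
        return "endpoint_ioa"
    return None


def normalize(proxy_lines, dlp_lines, edr_lines):
    """Turn raw lines from all three tools into a single list of suspicious signal events."""
    events = []
    for tool, lines in (("proxy", proxy_lines), ("dlp", dlp_lines), ("edr", edr_lines)):
        for line in lines:
            event = parse_line(line, tool)
            signal = signal_for(event)
            if signal:
                event["signal"] = signal
                events.append(event)
    return events


def correlate(events, window=timedelta(minutes=60)):
    """Cluster signals per user inside `window`; alert only when 2+ distinct tools agree."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["time"])
        cluster = []
        for event in user_events + [None]:  # None is a sentinel that flushes the last cluster
            if event is not None and (not cluster or event["time"] - cluster[0]["time"] <= window):
                cluster.append(event)
                continue
            tools = sorted({e["tool"] for e in cluster})
            if len(tools) >= 2:  # a single tool firing alone stays below the alert bar
                alerts.append({
                    "user": user,
                    "hosts": sorted({e["host"] for e in cluster}),
                    "tools": tools,
                    "signals": [e["signal"] for e in cluster],
                    "score": sum(WEIGHTS[e["signal"]] for e in cluster),
                    "first_seen": cluster[0]["time"].isoformat(),
                    "last_seen": cluster[-1]["time"].isoformat(),
                })
            cluster = [event] if event is not None else []
    return alerts


def run():
    """Correlate the constructed sample telemetry and return the resulting alerts."""
    return correlate(normalize(PROXY_LOGS, DLP_LOGS, EDR_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as a script it prints one alert for alice, whose phishing visit, blocked upload to a known-bad destination and endpoint indicator of attack all fall inside the same hour; bob’s benign browsing produces no signal and carol’s lone endpoint event never crosses the two-tool threshold. The point of the normalization step is that the correlation logic never has to know each vendor’s schema, which is what lets you swap a tool in or out without rewriting the analytics.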
Whether you build your platform by single sourcing from one vendor or by interconnecting multiple vendor platforms, it will not happen overnight. It is a foundational strategy that should be achieved as quickly as possible. Utilizing a central analytics platform as the glue to manage across vendor tools and/or through the transition between vendor tools will allow you to retain visibility and protective coverage, while plugging and unplugging the pieces of your platform.