Integrated Threat Defence: Joining Forces to Defend Against Cyber Attacks

Author: Anthony Stitt, General Manager, Security, ANZ at Cisco

Today’s security landscape is constantly changing. Attackers are becoming more sophisticated and nimble, leading to new threats and attacks evolving every day. Tailor-made, stealthy threats now routinely evade traditional, point-in-time security defences by using multiple attack vectors. Further, advanced attacks use whatever unprotected paths exist - often blending paths - to compromise targets. Cyber criminals continue to go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible Indications of Compromise (IoCs). At the same time, the attack surface is increasing because modern networks are evolving, extending beyond traditional walls to include public and private data centres, endpoints, virtual machines, mobile devices, and the cloud.

In today’s dynamic IT and threat environment, point-in-time solutions lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. In addition, disjointed approaches only add to capital and operating costs, not to mention administrative complexity.

Converged solutions that combine two or more security functions together on a single platform attempt to address these shortcomings. However, simply consolidating security functions on one appliance is far from adequate. The level of integration, if any, is typically limited to device management and post-event analysis – where data is combined into a single repository (often in a SIEM) for later manual analysis. This visibility and analysis are not automatically correlated in real time and made actionable to quickly contain and stop damage, or shared throughout to prevent future attacks. Further, the data gathered is evaluated only once – showing a snapshot in time – missing the opportunity to ‘tune’ defences based on new telemetry and intelligence as it becomes available.

It should come as no surprise, then, that research over the last few years reveals most breaches are found by law enforcement and other third parties – not by the breached organisations themselves. To make security investments more effective, a comprehensive approach with tightly integrated threat defence across the extended network and the entire attack continuum – before, during, and after an attack – is needed.

A tightly integrated threat defence system stands apart because it facilitates sharing of ‘context’ and intelligence between security functions to improve visibility, remove false positives, and speed up detection and remediation. For example, suspect malware observed on an endpoint is automatically correlated with network sensor data showing traffic from that endpoint to known bad websites. This raises the confidence level so that security operations can block the malware, quickly view where else that malware exists in the environment, and block its execution there with a single click. Furthermore, security analysts can scope the entire attack by viewing associated files downloaded by the malware, enabling complete removal.
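The correlation step described above, written out as an added illustration (this is not Cisco's or any product's code): an endpoint verdict of ‘suspect’ is escalated when the same host is also seen by a network sensor contacting a known bad domain, and every other host carrying the same file hash is listed so the footprint can be scoped and blocked in one action. All hosts, hashes and domains are constructed sample values.

```python
"""Toy correlation of endpoint malware alerts with network sensor telemetry.

Added example, not vendor code. Every value below is constructed.
"""
from collections import defaultdict

# Constructed threat intelligence: domains the network sensor flags as bad.
KNOWN_BAD_DOMAINS = {"update-cdn.example.net", "files.example.org"}

# Constructed endpoint telemetry: (host, file hash, endpoint verdict).
ENDPOINT_EVENTS = [
    ("ws-101", "hash-a", "suspect"),
    ("ws-205", "hash-a", "suspect"),   # same file, no bad traffic seen here
    ("ws-309", "hash-b", "suspect"),
    ("ws-410", "hash-c", "clean"),
]

# Constructed network sensor telemetry: (host, destination domain).
NETWORK_EVENTS = [
    ("ws-101", "update-cdn.example.net"),
    ("ws-101", "intranet.example.com"),
    ("ws-309", "intranet.example.com"),
]


def correlate(endpoint_events, network_events, bad_domains):
    """Return {hash: {"confidence": str, "hosts": [...], "bad_contacts": [...]}}.

    A suspect file becomes 'high' confidence if any host carrying it also
    contacted a known bad domain. 'hosts' lists every host with that hash,
    which is the scope an operator would block in a single action.
    """
    bad_contacts_by_host = defaultdict(set)
    for host, domain in network_events:
        if domain in bad_domains:
            bad_contacts_by_host[host].add(domain)

    hosts_by_hash = defaultdict(set)
    for host, file_hash, verdict in endpoint_events:
        if verdict == "suspect":
            hosts_by_hash[file_hash].add(host)

    result = {}
    for file_hash, hosts in hosts_by_hash.items():
        bad = sorted({d for h in hosts for d in bad_contacts_by_host.get(h, ())})
        result[file_hash] = {
            "confidence": "high" if bad else "suspect",
            "hosts": sorted(hosts),
            "bad_contacts": bad,
        }
    return result
```

In this sample, `hash-a` is escalated because ws-101 reached a known bad domain, and ws-205 is pulled into scope even though it produced no bad traffic of its own.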

Integrated threat defence reduces the time to detect breaches and provides tools to scope, contain and remediate the problem in minutes rather than weeks or months – before valuable data is stolen, and before a third party discovers and alerts you to the breach. This is all done while simplifying an organisation’s security architecture with fewer security devices to manage and deploy. By gaining full contextual awareness that is continuously updated, defenders can assess all threats, correlate intelligence, and optimise defences.

There are other aspects of joining forces, beyond integrating security functions. At the industry level, open frameworks are a valuable tool for defenders to close security gaps and share threat intelligence. New open standards and efforts to create, share, and implement custom application detection and custom IoCs empower defenders to further reduce the attack surface and better identify anomalous behaviour. The ability to share real-time threat intelligence and protection across a community of users is another prime example of working together for greater security effectiveness.

Attacks will continue to evolve as will our IT environments. Integrated threat defence is a dynamic foundation that allows professionals and experts in the field to share findings that can help protect across more threat vectors and thwart more attacks. After all, two minds are often better than one.

This article is brought to you by the content directors for CSO Australia.
