Today’s security landscape is constantly changing. Attackers are becoming more sophisticated and nimble, leading to new threats and attacks evolving every day. Tailor-made, stealthy threats now routinely evade traditional, point-in-time security defences by using multiple attack vectors. Further, advanced attacks use whatever unprotected paths exist - often blending paths - to compromise targets. Cyber criminals continue to go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible Indications of Compromise (IoCs). At the same time, the attack surface is increasing because modern networks are evolving, extending beyond traditional walls to include public and private data centres, endpoints, virtual machines, mobile devices, and the cloud.
In today’s dynamic IT and threat environment, point-in-time solutions lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. In addition, disjointed approaches only add to capital and operating costs, not to mention administrative complexity.
Converged solutions that combine two or more security functions together on a single platform attempt to address these shortcomings. However, simply consolidating security functions on one appliance is far from adequate. The level of integration, if any, is typically limited to device management and post-event analysis – where data is combined into a single repository (often in a SIEM) for later manual analysis. This visibility and analysis are not automatically correlated in real time and made actionable to quickly contain and stop damage, or shared throughout to prevent future attacks. Further, the data gathered is evaluated only once – showing a snapshot in time – missing the opportunity to ‘tune’ defences based on new telemetry and intelligence as it becomes available.
It should come as no surprise then that for the last few years’ research reveals most breaches are found by law enforcement and other third parties – not by the breached organisations themselves. To make security investments more effective, a comprehensive approach with tightly integrated threat defence across the extended network and the entire attack continuum – before, during, and after an attack – is needed.
A tightly integrated threat defence system stands apart because it facilitates sharing of ‘context’ and intelligence between security functions to improve visibility, remove false positives, and speeds up detection and remediation. For example, suspect malware observed on an endpoint is automatically correlated with network sensor data from traffic to known bad websites. This improves the confidence level so that security operations can block operation of the malware, quickly view where else that malware exists in the environment and block its execution with a single click. Furthermore, security analysts can scope the entire attack by viewing associated files downloaded by the malware, to enable complete removal.
Integrated threat defence reduces the time to detect breaches and provides tools to scope, contain and remediate the problem in minutes rather than weeks or months – before valuable data is stolen, and before a third party discovers and alerts you to the breach. This is all done while simplifying an organisation’s security architecture with fewer security devices to manage and deploy. By gaining full contextual awareness that is continuously updated, defenders can assess all threats, correlate intelligence, and optimise defences.
There are other aspects of joining forces, beyond integrating security functions. At the industry level, open frameworks are a valuable tool for defenders to close security gaps and share threat intelligence. New open standards and efforts to create, share, and implement custom application detection and custom IoCs empower defenders to further reduce the attack surface and better identify anomalous behaviour. The ability to share real-time threat intelligence and protection across a community of users is another prime example of working together for greater security effectiveness.
Attacks will continue to evolve as will our IT environments. Integrated threat defence is a dynamic foundation that allows professionals and experts in the field to share findings that can help protect across more threat vectors and thwart more attacks. After all, two minds are often better than one.
This article is brought to you by the content directors for CSO Australia.