[BreachExchange] What We've Got Here is Failure to Communicate!

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 13 10:01:19 EDT 2018


https://www.securityweek.com/what-weve-got-here-failure-communicate

Many enterprises have been taking stock of their security architecture as
well as assessing gaps and redundancies (see last month's article Wading
Through Tool Overload and Redundancy?). Sometimes it is the result of a
post-breach investigation, and the post-investigation finger-pointing.
Sometimes it is due to new management taking stock of the company's risk
exposure. Sometimes it is a financially driven exercise to better
understand budgets and bang for the buck. Regardless of the motivation,
what many are finding is that they don't really have an architecture so
much as a bunch of disparate parts sitting in silos across the
environment. Looking back at it all, CISOs may wonder how they got there,
but hindsight is always 20/20.

The parts in question were likely procured with the best of intentions, to
serve a purpose at some point in time, from the prevalent vendor in that
space. It is a good practice to take a step back every now and then and
refactor your environment, making sure the various technologies and
processes are up to the current day's challenges and those of the
foreseeable future.

The typically fragmented "best of breed" security architecture of many
large enterprises results in protective gaps, vendor management challenges
and finger-pointing. The gaps are not necessarily the result of going with
the wrong tool or vendor in a space. The best point solutions will be hard
pressed to protect the business in today's complex, multi-channel, mobile-
and cloud-driven environment. It means coordinating policies, alerts and
analysis across multiple tools that often sit in silos and don't talk to
each other. Securely supporting today's business demand for the ability to
access and share data and applications across organizational and geographic
boundaries requires a coordinated and synchronized approach. Silos will
not suffice.

In a typical enterprise, you will find tools like data loss prevention
(DLP), cloud access security brokers (CASB), data encryption, data tagging,
web proxy, firewalls, endpoint protection, endpoint detection and response,
and on and on… The challenge of defining, managing and using policies
across all those tools, and responding to it all, has typically resulted in
minimal policy sets, missed alarms and lost data and systems. The industry
initially tried to create this glue via SIEM tools, followed by
orchestration tools. However, while these tools serve important functions,
they have not filled the need to bring the various point solutions together
into a comprehensive platform. Using SIEM and orchestration tools as the
glue that binds often just adds more complexity into the environment.

What has been recognized by many is the need to shift from a
function/product perspective to that of a platform. That may sound like
vendor speak, but regardless of what you call it, purchasing a set of tools
that "play together nicely in the sandbox" has many benefits that can trump
any specific bell or whistle that an isolated best of breed tool can
provide. The goal is functional integration of the tools in the
environment for blocking and alerting, combined with cyber risk analytics
connecting the dots across user behavior, indicators of attack/compromise
and threat intelligence, that can take action via an orchestration tool.
For example, integrating policies and alerts across DLP and CASB increases
the chances that you will stop data from leaving the organization across
internal and cloud data communication applications. Reducing complexity
also increases the chances of these tools actually being deployed
effectively versus partial rollouts and minimal policies in each tool.

Using analytics to identify the malicious insider who is trying to
exfiltrate data across those channels, or perhaps a coordinated
communication with a known dangerous destination indicating a compromised
account, helps ensure you are using the information at your disposal to
minimize your cyber risk. For example, connecting the dots between proxy
data indicating potential phishing activity, blocked DLP events to known
malicious destinations, and indicators of attack from endpoint events
closes the gaps between those tools and helps organizations stop attacks
before they cause damage.

Whether you build your platform by single sourcing from one vendor or by
interconnecting multiple vendor platforms, it will not happen overnight. It
is a foundational strategy that should be achieved as quickly as possible.
Utilizing a central analytics platform as the glue to manage across vendor
tools and/or through the transition between vendor tools will allow you to
retain visibility and protective coverage, while plugging and unplugging
the pieces of your platform.
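The article's closing examples (proxy phishing data, blocked DLP events to known-bad destinations, and endpoint indicators of attack, joined by a central analytics layer) can be made concrete. The following is an added example, not code from the article or from any vendor product it alludes to: it normalises events from three hypothetical tools (labelled proxy, dlp and edr), enriches them with a constructed threat-intel list, and raises one alert per host only when evidence from at least two tools lands inside a sliding time window and crosses a score threshold. The event records, domain names, tool names, scoring weights, window and threshold are all assumptions made for the example.

```python
"""Cross-tool correlation: join proxy, DLP and EDR events on host within a
time window, enrich with threat intel, and alert only when at least two
tools agree. Added example; events, tool names and weights are constructed."""
from datetime import datetime, timedelta

# Constructed threat-intel feed (assumption: a set of known-bad domains).
KNOWN_BAD = {"drop-share.example"}

# Constructed sample events, already normalised to one schema per tool.
SAMPLE_EVENTS = [
    {"tool": "proxy", "ts": "2018-06-13T09:01:10", "user": "jdoe", "host": "ws-017",
     "dest": "portal-update.example", "category": "phishing", "action": "allowed"},
    {"tool": "dlp", "ts": "2018-06-13T09:04:32", "user": "jdoe", "host": "ws-017",
     "dest": "drop-share.example", "action": "blocked", "policy": "PCI"},
    {"tool": "edr", "ts": "2018-06-13T09:05:05", "user": "jdoe", "host": "ws-017",
     "dest": "drop-share.example", "indicator": "credential_access"},
    # A lone DLP block on another host: noise on its own, should not alert.
    {"tool": "dlp", "ts": "2018-06-13T11:20:00", "user": "asmith", "host": "ws-042",
     "dest": "mail.example", "action": "blocked", "policy": "PII"},
    # Phishing click and an EDR indicator on a third host, six hours apart:
    # outside the default window, so they are not joined.
    {"tool": "proxy", "ts": "2018-06-13T02:00:00", "user": "bwong", "host": "ws-099",
     "dest": "portal-update.example", "category": "phishing", "action": "allowed"},
    {"tool": "edr", "ts": "2018-06-13T08:00:00", "user": "bwong", "host": "ws-099",
     "dest": "", "indicator": "suspicious_script"},
]


def score_event(ev, known_bad):
    """Per-tool weight for one event. Weights are an assumption for the example;
    a DLP block scores higher when the destination is on the intel list."""
    if ev["tool"] == "proxy" and ev.get("category") == "phishing":
        return 2
    if ev["tool"] == "dlp" and ev.get("action") == "blocked":
        return 5 if ev["dest"] in known_bad else 1
    if ev["tool"] == "edr":
        return 4
    return 0


def correlate(events, known_bad, window_minutes=15, threshold=6):
    """Return {host: alert}. An alert requires events from >= 2 distinct tools
    inside one sliding window and a cumulative score >= threshold. The
    highest-scoring window per host wins, so one host yields one alert."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            t0 = datetime.fromisoformat(anchor["ts"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["ts"]) - t0 <= window]
            tools = {e["tool"] for e in cluster}
            total = sum(score_event(e, known_bad) for e in cluster)
            if len(tools) < 2 or total < threshold:
                continue
            prev = alerts.get(host)
            if prev is None or total > prev["score"]:
                alerts[host] = {
                    "score": total,
                    "tools": sorted(tools),
                    "users": sorted({e["user"] for e in cluster}),
                    "dests": sorted({e["dest"] for e in cluster if e["dest"]}),
                    "first_seen": cluster[0]["ts"],
                    "last_seen": cluster[-1]["ts"],
                }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS, KNOWN_BAD).items():
        print(host, alert)
```

The point of the two negative cases in the sample data is that each tool's signal is weak on its own: a single DLP block or a single phishing-category proxy hit is routine, and only the join across tools on the same host and time window turns them into something worth paging on. Widening the window (or lowering the threshold) trades that precision for recall, which is exactly the policy decision a central analytics layer should own rather than each point tool.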