I recently had a conversation with one of my colleagues from a different division of IBM and he asked me why we talk about integration so much. It wasn’t that he discounted the value of integrating various IT controls, but rather that it typically isn’t a message you lead with when you talk to customers and the market more broadly about most IT topics. There are usually ‘cooler’ topics, or capabilities, or story-lines, even if integration is critical to the technology functioning in the real world.
The example I used with my colleague to explain why integration was so important was online commerce. The business outcomes organizations are in pursuit of are fairly defined ones in this area. They want their customers to have a painless, even enjoyable experience finding what it is they want and then get that item delivered to their door in a timely manner. If payment wasn’t tied to inventory and then to shipping, the whole thing would fall apart.
In security, the outcome organizations are looking for is also similarly present, to reduce risk, prevent incidents, and in the event they do happen, to react with speed. But unlike commerce, where understanding the mechanisms to achieve an end can be more clear, and you constantly refine and improve those mechanisms, in security, the requirements, and failures associated with lack of integration, are often less obvious. What is obvious is that sophisticated attackers are regularly circumventing existing controls.
The Challenge of Complexity
In any given security breach or incident, it’s relatively rare that you can point to a single point of failure. There are very few, “well if we just fix this, we won’t have this problem anymore.” The reason for that is that unlike commerce, where users go through the path you have put in front of them and you can identify the place where your technology or process failed, you don’t get to choose the path an attacker takes. They do everything you don’t want them to do. That is their job.
In the wake of an incident, you might go through and address all of the vulnerabilities and processes that allowed an incident to occur, but that doesn’t mean you are equipped to even stop the attacker who had just infiltrated your network. For the attacker, the path to an end is chosen because it is available. If that path wasn’t available, there is nothing to say that another one might not exist.
In any given attack, any number of controls or processes likely could have prevented, or at least detected the incident, but they go unseen because 100 different security controls from a nearly equal number of security vendors, controls that frequently do not communicate with one another, presents some inherent challenges. There is value in having separate, independent controls all capable of seeing an attack from the different angles in order to reduce the risk of isolated failures causing more extensive damage, but in many ways that approach has gone too far.
When you look at the industry today, there really is no shortage of incredibly innovative security companies and technology, yet for as many independent, technical victories the industry might win, it is difficult to argue that organizations around the world feel like they are winning right now. Security incidents will always be a reality and no one believes there will ever be a future in which they are eliminated, but the pace and impact of incidents has accelerated dramatically over the course of the last several years, and it has happened in the face of an industry that is innovating rapidly and security budgets that are growing.
Our belief is that organizations are nearly incapable of effectively managing the volume of technology required to build a resilient infrastructure today, and it is through little fault of their own. There are serious skills shortages in the security industry and much of this technology is very difficult to manage and develop expertise around. There are tools that can detect and block today’s threats, but the fundamental challenge many organizations are facing today is that they are often not in a position to realize the value of the technology they have deployed.
Security Intelligence Platform
While various defensive capabilities will always be required across your network, endpoints, databases, users and applications, broader questions like enterprise risk/vulnerability management and incident detection and response require a much more comprehensive view of your security posture than isolated capabilities often provide.
It is for this reason that IBM is investing and innovating rapidly in our Security Intelligence platform. What began years ago with Q1 Labs and log management has evolved over time to include risk management, security information and event management, network flow data, Big Data, vulnerability management and there is still a great deal more to come. These capabilities are delivered through a common user interface and architecture in the form of a modular, extensible platform. Our vision is to provide security analysts a single tool from which they can see a comprehensive view of their security posture in real-time, inclusive of enterprise vulnerabilities and available paths to those vulnerabilities, and then put that information in context of network traffic, security events and then use that combination of intelligence to identify, drill into, and ultimately respond to threats.
While these capabilities exist in the market today, what IBM is bringing to the table is the ability to bring these capabilities together in combination, where one technology augments the next and the ability to move between views and different sets of data is a seamless experience and where a security analyst without a Phd is in a position to take action on threats coming over the wire.
This is not a vision to bring 100 controls down to 1, but to take a large group of adjacent technology and controls, integrate them into a single platform, provide fast time-to-value, license key upgrades for new modules and deliver this in a way where already short staffed organizations can more effectively prioritize, manage and respond to the billions of security events they see every day.
Our message around integration is not a flash in the pan, but a long-term vision around creating a more sustainable approach to addressing the increasing volume and sophistication of security threats.