We must adapt the way we secure data to today’s needs. Working from home has increased, forcing entities and their employees to rely more on virtual private networks (VPNs), work with their security operations center (SOC) colleagues remotely and give more attention to data protection. The global pandemic has sped up emerging trends in IT and cybersecurity, such as digital adoption and noisy tools and agility within the SOC, to name just a few. To keep pace, entities can leverage a central security management platform approach to adapt and modernize their SOCs.
Considerations for Security Management
Consider the ‘incident’ side of protecting data. The idea is clear: an improvement to any discrete aspect of incident response makes the process more efficient overall. For example, the faster the team spots a breach, the faster they can patch it.
However, threat detection is often noisy. Being able to streamline the events to a more accurate narrative and discover the root cause is crucial. Finding out where the threat actor has entered the network and where he or she has gone or is going becomes key for fixing the problem.
After all, the art of remediation isn’t just to throw patches at the problem. It also involves finding which assets must be protected first and which paths to and from the network are the most exposed.
What Parts of the System Are Most at Risk?
Risk includes the following components:
Internet-facing devices are much more at risk than on-premises machines and assets. Having good insight into a web server is more important than protecting a print server.
Exposure matters. A file type that can be edited, destroyed or altered is more at risk than a file that can simply be observed by a threat actor (although, this is not a great outcome either).
If files leave the network, the security operations team must prevent the leakage.
The platform should be able to determine if users have access to specific data.
The concept of a network itself is changing. Perhaps a decade ago, security teams could stash critical assets behind an on-premises firewall, and the network architecture was flat. This is no longer the case. The network consists of private and public clouds (often more than one public cloud). Workloads exist in containers, mobile users and Internet of things (IoT) devices. Networks are becoming more complex, but the people protecting them still have the same goals. Thus, a modern approach can provide more streamlined management and workflows across a more complex landscape.
Security Management Takes A Strong Platform
A state-of-the-art cybersecurity platform must be cloud native but not confined to software as a service (SaaS). The platform should be flexible enough to deploy where the owner chooses. That might be on premises, in a public or private cloud or as a hybrid architecture. Cloud allows for cloud compute, multi-tenancy, remote storage, a central vantage point for search, better north-south ingress/egress and the possibility of using public cloud infrastructure as a service (IaaS) to connect multiple appliances. A flexible architecture also supports groups with hybrid environments, including multiple clouds and on-premises solutions.
New tools and the shift to remote work mean the field changes fast. IaaS insight is not so much a suggested good practice as it is a requisite cost of doing business. IDC’s December 2019 North America Cloud Security Survey asked respondents to identify the source of the most recent breach in their IaaS environments. The chart below illustrates their responses.
Causes of the Most Recent Breach in an IaaS Environment
Q: For your most recent breach of an IaaS environment, what was the predominant factor that resulted in the breach?
You can protect on-premises servers with a stateful firewall and air-gapping machines. Or, simply configuring servers and routers without internet access as on-premises security measures. Companies may not wish to relinquish on-premises security because different applications and computers were designed for legacy architectures and would be (or, are proving to be) difficult to replicate in the cloud.
Elements of a Good Security Management Platform
Next, the platform must be vendor agnostic. This seems like a tough pill to swallow for any product vendor. However, vendors must seek the best outcomes for their clients. End users cannot be cowed into vendor lock, and a key feature for any tool or platform is that the business is not required to ‘rip and replace’ existing tools.
The platform should also include data loss statistics and file integrity management. To be fair, several tools defend data from improper access or obfuscation. However, being able to see whether data is leaving a network should be a line item.
A good platform should manage and verify the quality of alerts within the platform even before the analyst considers looking into it. A smart platform should be the central nervous system of data coming to and from SIEM tools, endpoints, firewalls, threat intelligence tools and other software.
Managing False Alarms
However, tools aren’t all you need. The tools often flag changes that are based on normal network conditions (e.g., new configurations, operating system and software upgrades, etc.). A platform needs to weed out weak signals and correlate stronger alerts.
Further, the platform will make sure to tie the process of incident response directly to workflow. For example, when an analyst researches a specific malware family, the dashboard should prompt what is known about the malware type. Furthermore, this action should not require more mouse clicks. Playbooks are very helpful to analysts, too, prompting what to do next and where to start fixing problems. After all, today, everything that makes the work a little more efficient counts.
Read our recent blog, Modernizing Your Security Operations Center for the Cloud, or view the on-demand webinar, How to Effectively Modernize your SOC, to learn more about effectively modernizing your SOC and hear from a panel of IBM Security experts.
For the full story on unified, cloud-native security management platforms and how IBM Cloud Pak for Security can help organizations achieve efficient and effective security, download the IDC paper, “Making Molehills from Mountains: Using a Platform Approach to Simplify Security Management and Operations,” sponsored by IBM.