We must adapt the way we secure data to today's needs. Working from home has increased, forcing organizations and their employees to rely more on virtual private networks (VPNs), to work with their security operations center (SOC) colleagues remotely and to give more attention to data protection. The global pandemic has accelerated trends that were already emerging in IT and cybersecurity, such as faster digital adoption, noisier tooling and the need for agility within the SOC, to name just a few. To keep pace, organizations can take a central security management platform approach to adapt and modernize their SOCs.

Considerations for Security Management

Consider the 'incident' side of protecting data. The idea is clear: an improvement to any discrete aspect of incident response makes the process more efficient overall. For example, the faster the team spots a breach, the faster it can contain it and close the hole the attacker used.

However, threat detection is often noisy. Distilling a flood of events into an accurate narrative and discovering the root cause is crucial. Finding out where the threat actor entered the network and where they have gone, or are going, becomes key to fixing the problem.

After all, the art of remediation isn't just throwing patches at the problem. It also involves deciding which assets must be protected first and which paths into and out of the network are the most exposed.

What Parts of the System Are Most at Risk?

Several factors drive risk:

  • Internet-facing devices are at much greater risk than internal machines and assets. Good visibility into an internet-facing web server matters more than protecting an internal print server.

  • Exposure matters. Data that a threat actor can edit, alter or destroy is at greater risk than data the threat actor can only read (although read access alone is still a bad outcome).

  • The security operations team must be able to detect files leaving the network and, where possible, block the leakage before it completes.

  • The platform should be able to determine which users have access to which data.

The concept of a network itself is changing. Perhaps a decade ago, security teams could stash critical assets behind an on-premises firewall, and the network architecture was flat. This is no longer the case. The network now spans private and public clouds (often more than one public cloud). Workloads run in containers, and the endpoints include mobile users and Internet of Things (IoT) devices. Networks are becoming more complex, but the people protecting them still have the same goals. A modern approach can therefore provide more streamlined management and workflows across a more complex landscape.

Security Management Takes A Strong Platform

A state-of-the-art cybersecurity platform must be cloud native but not confined to software as a service (SaaS). The platform should be flexible enough to deploy wherever the owner chooses: on premises, in a public or private cloud, or as a hybrid architecture. Cloud deployment brings elastic compute, multi-tenancy, remote storage, a central vantage point for search, better visibility into north-south (ingress/egress) traffic and the option of using public cloud infrastructure as a service (IaaS) to connect multiple appliances. A flexible architecture also supports groups with hybrid environments, including multiple clouds and on-premises solutions.

New tools and the shift to remote work mean the field changes fast. Visibility into IaaS is not so much a suggested good practice as a requisite cost of doing business. IDC's December 2019 North America Cloud Security Survey asked respondents to identify the source of the most recent breach in their IaaS environments. The chart below illustrates their responses.

[Chart not reproduced: Causes of the Most Recent Breach in an IaaS Environment. Survey question: "For your most recent breach of an IaaS environment, what was the predominant factor that resulted in the breach?"]

On-premises servers can be protected with a stateful firewall, by air-gapping machines, or simply by configuring servers and routers without internet access. Companies may not wish to relinquish on-premises security because some applications and systems were designed for legacy architectures and are proving difficult to replicate in the cloud.

Elements of a Good Security Management Platform

Next, the platform must be vendor agnostic. This seems like a tough pill to swallow for any product vendor. However, vendors must seek the best outcomes for their clients. End users cannot be cowed into vendor lock-in, and a key feature of any tool or platform is that the business is not required to 'rip and replace' its existing tools.

The platform should also include data loss statistics and file integrity monitoring. To be fair, several tools already defend data from improper access or tampering. However, being able to see whether data is leaving the network should be a first-class capability, not an afterthought.

A good platform should manage and verify the quality of alerts before an analyst ever opens one. A smart platform should be the central nervous system for data flowing to and from SIEM tools, endpoints, firewalls, threat intelligence feeds and other software.

Managing False Alarms

However, tools aren't all you need. Tools often flag changes that stem from normal operations (new configurations, operating system and software upgrades, etc.). A platform needs to weed out those weak signals and correlate the stronger alerts that remain.
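The file integrity monitoring called for above and the noise problem described in this section can be shown together in one small pipeline. The following is an added example written for this page; it is not code from IBM Cloud Pak for Security or from any product the page names. It hashes a directory tree into a baseline, rescans it, and turns each difference into an alert. Changes under paths covered by an approved maintenance window (a hypothetical change ticket, assumed here) are downgraded to informational, changes under sensitive paths are always high severity, and everything else is a medium-severity unexpected change. The directory contents, the sensitive-path list and the change window are all constructed for the demonstration.

```python
"""File integrity monitoring with change-window suppression (added example).

Not code from any product named on the page. The sensitive-path policy,
the change ticket and the directory contents are constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch

# Paths whose modification is always high severity (assumed policy; adjust per host).
SENSITIVE_GLOBS = ("etc/passwd", "etc/shadow", "etc/sudoers*", "root/.ssh/*", "etc/cron*/*")


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")  # normalise for glob matching
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baselines(old, new):
    """Return a sorted list of (change_type, path) for added, removed and modified files."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(("added", path))
        elif path not in new:
            changes.append(("removed", path))
        elif old[path] != new[path]:
            changes.append(("modified", path))
    return changes


@dataclass(frozen=True)
class ChangeWindow:
    """An approved maintenance window: which path globs may change, and when."""
    ticket: str
    globs: tuple
    start: datetime
    end: datetime

    def covers(self, path, when):
        return self.start <= when <= self.end and any(fnmatch(path, g) for g in self.globs)


@dataclass(frozen=True)
class Alert:
    change: str
    path: str
    severity: str  # "high", "medium" or "info"
    reason: str


def triage(changes, windows, when):
    """Map raw FIM changes to alerts: escalate sensitive paths, suppress expected ones."""
    alerts = []
    for change, path in changes:
        if any(fnmatch(path, g) for g in SENSITIVE_GLOBS):
            alerts.append(Alert(change, path, "high", "sensitive path"))
            continue
        window = next((w for w in windows if w.covers(path, when)), None)
        if window is not None:
            alerts.append(Alert(change, path, "info", f"expected under {window.ticket}"))
        else:
            alerts.append(Alert(change, path, "medium", "unexpected change"))
    return alerts


def demo():
    """Run the pipeline on a constructed tree; return {path: severity}."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)

        write("usr/bin/curl", "binary v1")
        write("etc/passwd", "root:x:0:0")
        write("var/www/index.html", "<h1>hi</h1>")
        before = build_baseline(root)

        # Simulate a package upgrade (expected), an account change and a web-root edit.
        write("usr/bin/curl", "binary v2")
        write("usr/lib/libcurl.so", "new lib")
        write("etc/passwd", "root:x:0:0\nbackdoor:x:0:0")
        write("var/www/index.html", "<h1>defaced</h1>")
        after = build_baseline(root)

    now = datetime(2024, 5, 1, 2, 30, tzinfo=timezone.utc)
    patch_window = ChangeWindow(  # hypothetical ticket covering the package paths
        ticket="CHG-1234", globs=("usr/bin/*", "usr/lib/*"),
        start=datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
        end=datetime(2024, 5, 1, 4, 0, tzinfo=timezone.utc),
    )
    alerts = triage(diff_baselines(before, after), [patch_window], now)
    return {a.path: a.severity for a in alerts}


if __name__ == "__main__":
    for path, severity in demo().items():
        print(f"{severity:6} {path}")
```

The two package files changed inside the approved window drop to informational, the web-root edit surfaces as an unexpected medium-severity change, and the new root-equivalent account in etc/passwd is high severity regardless of any window. In a real deployment the change windows would come from the change-management system and the sensitive-path policy from the host's build standard; the point is that suppression is driven by an explicit, auditable expectation rather than by an analyst tuning out the noise by hand.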

Further, the platform should tie the incident response process directly to the analyst's workflow. For example, when an analyst researches a specific malware family, the dashboard should surface what is already known about that family without extra mouse clicks. Playbooks help analysts, too, prompting what to do next and where to start fixing problems. Today, everything that makes the work a little more efficient counts.

Read our recent blog, Modernizing Your Security Operations Center for the Cloud, or view the on-demand webinar, How to Effectively Modernize your SOC, to learn more about effectively modernizing your SOC and hear from a panel of IBM Security experts.

For the full story on unified, cloud-native security management platforms and how IBM Cloud Pak for Security can help organizations achieve efficient and effective security, download the IDC paper, “Making Molehills from Mountains: Using a Platform Approach to Simplify Security Management and Operations,” sponsored by IBM.
