June 25, 2014 By Richard Telljohann 3 min read

Information security continues to be a challenging and fascinating field for us all, and after experiencing 15 years of security trends, evolving threats and enough technology buzzwords to fill several bingo cards, there are a few constants. The discussion around the latest attack vectors and corresponding countermeasures is ongoing, with the hype peaking at industry events such as the annual RSA Security Conference and InfoSec Europe. Proactively securing configurations of applications, hosts and network infrastructure never goes out of style. And lastly, a Defense in Depth strategy has always remained in fashion and a constant within security-savvy organizations. Like the body’s immune system, this strategy is focused on multiple layers of defense to protect against any new threat. It includes defenses and controls covering both networks and hosts and encompasses all phases of threat protection from prevention, to detection, to response.

But there is an evolution to the traditional Defense in Depth strategy that I call “Cooperative Defense in Depth.” This approach doesn’t settle for a group of excellent point products but demands strong, effective, open integrations both within a vendor’s portfolio and between solutions from other vendors. As hacking groups such as LulzSec, Anonymous and other cyber-crime organizations have embraced cooperation between their members and tools, surely we should as well in our pursuit of defense. A Cooperative Defense in Depth strategy should include both prevention and detection technologies that support open security integrations, which can result in enhanced capabilities over what each technology would provide on its own. This strategy can also optimize expenditures while maintaining a high performance standard for an organization’s overall security posture.

Security Integration Through Cooperation

IBM’s new Threat Protection System is a good example of this strategy. It provides advanced threat protection on endpoints and networks with a coordinated security intelligence layer. But we also recognize that customers have solutions from many vendors, and to be effective we take an open systems approach. The Threat Protection System adds a new open framework for integrations with other advanced threat detection products, is being supported by Trend Micro, FireEye, Damballa and Lastline products, and is open to others. This cooperative approach allows customers to leverage these malware detection products which then integrate with IBM inline network protection to provide automated or analyst-directed quarantine of infected hosts or blocking of new command-and-control networks. Indeed, integration enables protection.

Since its launch in late 2012, the Ready for IBM Security Intelligence (RfISI) alliance has gained over 100 members, with integrations across IBM Security’s product line and more coming online every month. In addition to the advanced malware partners mentioned above, the RfISI alliance supports integrations with our QRadar Security Intelligence platform, Identity and Access solutions, AppScan, Guardium, and Endpoint Manager products. IBM has a strong heritage of open, accessible APIs and collaborative ecosystems such as PartnerWorld and developerWorks, and our RfISI alliance builds on top of both with a focus on security. I think it is worth pointing out that we put our money where our mouth is on Collaborative Defense in Depth by embracing “coopetition” and integrating with partners who also directly compete with IBM Security; openness must be embraced.

One area of significant evolution in Defense in Depth is that of security information and event management (SIEM) products into fully integrated Security Intelligence platforms such as QRadar. A decade ago, aggregating logs and events with flexible correlation technologies and dashboards may have been considered state-of-the-art. Today’s state-of-the-art solutions have really raised the stakes, and include native integration of a broad spectrum of additional data types, including native netflow, vulnerability assessment, network device configuration, asset, identity, threat intelligence, full packet data and more, along with advanced out-of-the-box analytics to take advantage of it all. Our dedicated QRadar SIEM integration team works closely with our alliance partners to ensure the value of their products and services are effectively leveraged by our Security Intelligence platform. Collaboration with our technology partners is indispensable to providing effective implementation.

Another example of Cooperative Defense in Depth with the Threat Protection System is in the area of network forensics. There have been stand-alone packet capture systems in use as supplemental investigation tools for analysts for over a decade. The new QRadar Incident Forensics has best-of-breed capabilities, but it stands out further with its cooperative integration with QRadar SIEM. This provides QRadar users viewing correlated SIEM events of interest to invoke incident forensics in context with a single click, reconstructing all Web pages, files and other content from that system over the incident time window, ready for viewing and investigation. It can significantly accelerate the time from detection to response.

People should expect more from their security technology investments than just individual excellence to achieve Cooperative Defense in Depth. Security is a team sport, and open interoperability is required to provide the most effective security to keep pace in today’s challenging threat environment.

More from Mainframe

How Dangerous Is the Cyberattack Risk to Transportation?

4 min read - If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause…

Low-Code Is Easy, But Is It Secure?

4 min read - Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks. The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few,…

Starting From Scratch: How to Build a Small Business Cybersecurity Program

4 min read - When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

A Journey in Organizational Resilience: Supply Chain and Third Parties

4 min read - The next stop on our journey focuses on those that you rely on: supply chains and third parties.  Working with external partners can be difficult. But, there is a silver lining. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience. You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or the vendor was just better at than you. In turn, there was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today