Information security continues to be a challenging and fascinating field for us all, and after experiencing 15 years of security trends, evolving threats and enough technology buzzwords to fill several bingo cards, there are a few constants. The discussion around the latest attack vectors and corresponding countermeasures is ongoing, with the hype peaking at industry events such as the annual RSA Security Conference and InfoSec Europe. Proactively securing configurations of applications, hosts and network infrastructure never goes out of style. And lastly, a Defense in Depth strategy has always remained in fashion and a constant within security-savvy organizations. Like the body’s immune system, this strategy is focused on multiple layers of defense to protect against any new threat. It includes defenses and controls covering both networks and hosts and encompasses all phases of threat protection from prevention, to detection, to response.
But there is an evolution to the traditional Defense in Depth strategy that I call “Cooperative Defense in Depth.” This approach doesn’t settle for a group of excellent point products but demands strong, effective, open integrations both within a vendor’s portfolio and between solutions from other vendors. As hacking groups such as LulzSec, Anonymous and other cyber-crime organizations have embraced cooperation between their members and tools, surely we should as well in our pursuit of defense. A Cooperative Defense in Depth strategy should include both prevention and detection technologies that support open security integrations, which can result in enhanced capabilities over what each technology would provide on its own. This strategy can also optimize expenditures while maintaining a high performance standard for an organization’s overall security posture.
Security Integration Through Cooperation
IBM’s new Threat Protection System is a good example of this strategy. It provides advanced threat protection on endpoints and networks with a coordinated security intelligence layer. But we also recognize that customers have solutions from many vendors, and to be effective we take an open systems approach. The Threat Protection System adds a new open framework for integrations with other advanced threat detection products, is being supported by Trend Micro, FireEye, Damballa and Lastline products, and is open to others. This cooperative approach allows customers to leverage these malware detection products which then integrate with IBM inline network protection to provide automated or analyst-directed quarantine of infected hosts or blocking of new command-and-control networks. Indeed, integration enables protection.
Since its launch in late 2012, the Ready for IBM Security Intelligence (RfISI) alliance has gained over 100 members, with integrations across IBM Security’s product line and more coming online every month. In addition to the advanced malware partners mentioned above, the RfISI alliance supports integrations with our QRadar Security Intelligence platform, Identity and Access solutions, AppScan, Guardium, and Endpoint Manager products. IBM has a strong heritage of open, accessible APIs and collaborative ecosystems such as PartnerWorld and developerWorks, and our RfISI alliance builds on top of both with a focus on security. I think it is worth pointing out that we put our money where our mouth is on Collaborative Defense in Depth by embracing “coopetition” and integrating with partners who also directly compete with IBM Security; openness must be embraced.
One area of significant evolution in Defense in Depth is that of security information and event management (SIEM) products into fully integrated Security Intelligence platforms such as QRadar. A decade ago, aggregating logs and events with flexible correlation technologies and dashboards may have been considered state-of-the-art. Today’s state-of-the-art solutions have really raised the stakes, and include native integration of a broad spectrum of additional data types, including native netflow, vulnerability assessment, network device configuration, asset, identity, threat intelligence, full packet data and more, along with advanced out-of-the-box analytics to take advantage of it all. Our dedicated QRadar SIEM integration team works closely with our alliance partners to ensure the value of their products and services are effectively leveraged by our Security Intelligence platform. Collaboration with our technology partners is indispensable to providing effective implementation.
Another example of Cooperative Defense in Depth with the Threat Protection System is in the area of network forensics. There have been stand-alone packet capture systems in use as supplemental investigation tools for analysts for over a decade. The new QRadar Incident Forensics has best-of-breed capabilities, but it stands out further with its cooperative integration with QRadar SIEM. This provides QRadar users viewing correlated SIEM events of interest to invoke incident forensics in context with a single click, reconstructing all Web pages, files and other content from that system over the incident time window, ready for viewing and investigation. It can significantly accelerate the time from detection to response.
People should expect more from their security technology investments than just individual excellence to achieve Cooperative Defense in Depth. Security is a team sport, and open interoperability is required to provide the most effective security to keep pace in today’s challenging threat environment.