In the first article of this series, we looked at how corporate-level cybersecurity was burdened by overwhelming inputs. In the second article, we explored a connected security strategy, learning how a unified, open approach to cybersecurity management could clear the fog of war.
Now, it's time to put those learnings to work and define the key features needed for an integrated security platform that can help streamline operations while catching incursions more effectively.
Our goals are ambitious:
- A comprehensive view of the entire defensive posture with the ability to drill down to any event
- Visibility across security tools, generating insights from a holistic view rather than from each tool in isolation
- Automation to reduce SecOps workloads and stop the routine, easier-to-defend attacks without a human in the loop
- Freedom to optimize human resources and devote analysts to the tasks that actually need judgement
To achieve these goals, we've identified seven key features to look for in an open security solution.
1. Ability to scan across cloud instances and combine data in a single console
Your organization is almost certainly using resources from several cloud vendors, and employees move between those services constantly throughout the working day.
With so much invested in these SaaS (software-as-a-service) and IaaS (infrastructure-as-a-service) offerings, the need to protect cloud data and operations is paramount. As you look at integrated security solutions, be sure to look for one that has modules or plugins for the popular cloud services.
Having to check services like IBM Cloud, AWS, Azure, and Google Cloud individually wastes time and resources, and it creates yet more silos. But if anomaly data could be brought in from each of these (and from the many additional services most companies use), aggregated, and presented in a single environment, security professionals could identify high-priority issues quickly and stay ahead of incidents.
2. Open architecture and APIs to ensure that all current and future point security solutions may be incorporated
You need to aggregate data from all your security tools in order to harness the power of your integrated dashboard. Open architecture ensures that any new tools you adopt will 'play nicely' in that environment. Communication will be occurring across the various security points, which requires well-defined and versatile APIs, reliable data interchanges, and data formats that are not locked behind proprietary protocols (open threat-intelligence formats such as STIX, for example). When evaluating a platform, ask which of these interfaces are documented and supported for third-party integrations, not just for the vendor's own products.
3. Use of data at the source without any need for moving data
We often measure big data by the volume, velocity, and variety of the flow. If you're protecting a geographically dispersed corporate network, data is likely flowing at flood-level volume and at raging-river velocity. If you have to first move all that data to some central analytics silo before you can begin to dissect it, you're adding an enormous load to your network and a substantial delay between event and remediation.
But if you analyze the data at the source, without moving it, you can tap into the data flow and take its temperature as it passes. Any indicators you discover can create events, which, if further analysis is required, divert small subsets of that data flow for further consideration. It's a much more efficient and faster way to sift through vast data flows, while keeping the raw data in place, and it also saves you the cost of copying data between tools and out of cloud providers. The trade-off is that every source then needs a connector able to run the query locally and translate the results into a common schema, so check which data sources a platform supports out of the box and how new ones are added.
4. AI to automate analytics and provide greater insight for the SecOps teams
AI and machine learning act as force multipliers for security teams that want to increase insights, improve time-to-discovery, and shrink time of exposure. The vast majority of attacks are not novel; they are similar, if not identical, to previous attack patterns. AI can sift through the flood of attack indicators and catch attack patterns it has seen before, and it can also catch attacks that are similar but not identical. A model trained on a malware family's behaviour can often flag a mutated variant that an exact-match signature would miss, though it will also raise false positives that still need triage, so measure a vendor's detection rate and false-positive rate on your own data rather than taking the claim at face value.
All that sifting, catching, and processing, when done by an AI engine, is work that doesn't have to be dealt with manually by SecOps teams. They're freed up to focus on the new and challenging incursions that are emerging in real time.
5. Ability to protect users, data, and assets
When evaluating an integrated security environment, this needs to be your top concern. It's not just how many signals are processed and how many database tables are created. It's not even about how cool the machine learning algorithms are. It's about how proven the security environment is at real-world protection.
When you're investigating a solution, look for both protection and fortification. Your security environment should be able to locate Indicators of Compromise (IOCs) and help your team resolve them. It should also be able to escalate an IOC, automatically create a case, and assist your team in closing any holes in your environment.
6. Support for process automation
In some ways, AI can be considered automation. But old-school, scripted process automation still has a very important role here, because it will help you define workflows and execute them automatically based on various trigger events.
When AI surfaces events, they may be processed by workflow automation. By combining these technologies, it's possible to streamline the analysis process, surface insights earlier, and push out fixes, often before an incursion has a chance to establish a long-term foothold.
Incursions the automation cannot block can still serve as trigger events that initiate a workflow which escalates to a human professional, who can examine the events and take action. Together, these pieces help improve the safety and security of your extended network.
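The following is an added example, not IBM code and not part of the original article, that ties together features 2, 3 and 6 in a few dozen lines: two constructed cloud audit logs in deliberately different native formats, a per-source adapter that runs the query next to the data and only returns the hits in a common schema, and a trigger-driven workflow that auto-blocks pure brute force but opens a case for a human when the attacker actually got in. The log records, field names, thresholds and the `Event` schema are all illustrative assumptions.

```python
"""Added example (not IBM's code): query each source in place, move only the hits,
normalise them into one schema, and route the result through a trigger-driven workflow."""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Common event schema.  Every source is translated into this shape so the detection
# logic and the workflow never need to know which vendor produced the record.
@dataclass(frozen=True)
class Event:
    source: str
    user: str
    src_ip: str
    action: str
    success: bool

Matcher = Callable[[Event], bool]

# Constructed sample data in two different native formats (loosely modelled on a
# CloudTrail-style record and an Entra ID-style sign-in record; field names are illustrative).
AWS_RECORDS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "PutObject", "sourceIPAddress": "192.0.2.7",
     "userIdentity": {"userName": "svc-backup"}, "responseElements": None},
]
AZURE_RECORDS = [
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.7", "status": {"errorCode": 0}},
]

def aws_adapter(records) -> Callable[[Matcher], Iterable[Event]]:
    """Connector that evaluates the matcher next to the data; only matching events leave the source."""
    def search(match: Matcher):
        for r in records:
            outcome = (r.get("responseElements") or {}).get("ConsoleLogin")
            ev = Event("aws", r["userIdentity"]["userName"], r["sourceIPAddress"],
                       r["eventName"], outcome != "Failure")
            if match(ev):
                yield ev
    return search

def azure_adapter(records) -> Callable[[Matcher], Iterable[Event]]:
    """Same contract as aws_adapter, for a source with a completely different native shape."""
    def search(match: Matcher):
        for r in records:
            ev = Event("azure", r["userPrincipalName"], r["ipAddress"], "SignIn",
                       r["status"]["errorCode"] == 0)
            if match(ev):
                yield ev
    return search

def federated_search(adapters, match: Matcher) -> List[Event]:
    """Fan one question out to every source and collect only the (small) set of hits."""
    return [ev for search in adapters for ev in search(match)]

LOGIN_ACTIONS = {"ConsoleLogin", "SignIn"}

def find_login_iocs(adapters, threshold: int = 3) -> dict:
    """IOC: a source IP with >= threshold failed logins, or failures seen from more than one source."""
    failed = federated_search(adapters, lambda e: e.action in LOGIN_ACTIONS and not e.success)
    by_ip = defaultdict(list)
    for ev in failed:
        by_ip[ev.src_ip].append(ev)
    return {ip: evs for ip, evs in by_ip.items()
            if len(evs) >= threshold or len({e.source for e in evs}) > 1}

def run_workflow(adapters) -> dict:
    """Trigger-driven automation: block plain brute force, escalate anything that succeeded."""
    blocked, cases = [], []
    for ip, failures in find_login_iocs(adapters).items():
        # A second, narrower question pushed back to the sources: did this IP ever get in?
        wins = federated_search(
            adapters, lambda e, ip=ip: e.src_ip == ip and e.action in LOGIN_ACTIONS and e.success)
        if wins:  # a likely compromised account needs a human decision, not an automatic lockout
            cases.append({"ip": ip, "users": sorted({e.user for e in wins}),
                          "sources": sorted({e.source for e in failures}),
                          "failures": len(failures)})
        else:     # nobody got in: safe to block the address automatically
            blocked.append(ip)
    return {"blocked": sorted(blocked), "cases": cases}

DEMO_ADAPTERS = [aws_adapter(AWS_RECORDS), azure_adapter(AZURE_RECORDS)]

if __name__ == "__main__":
    print(json.dumps(run_workflow(DEMO_ADAPTERS), indent=2))
```

Note that the raw records never leave their adapter: the workflow only ever sees the handful of normalised `Event` hits, which is what "use the data at the source" buys you, and the adapter is the part you need one of per data source. The address with three failures and no success is blocked without a human touching it, while the address that eventually logged in as `alice` becomes a case for an analyst.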
7. Scalability for the future
The cybersecurity landscape is shifting constantly. Your integrated security platform must be able to scale as threats grow, not only in event volume, but also in the variety of incidents, including attack types we're not even considering today.
Open standards, as we discussed, will help with future-proofing your solution, so more vendors and tools can be integrated into your arsenal. Ask your vendor to describe what they're doing to encourage a vendor ecosystem.
Each of these factors will prove critically important as we move into an ever more uncertain future.
IBM as your security platform provider
IBM Cloud Pak for Security offers the key features and capabilities we've described. It provides a central, integrated, open approach to managing security with a single pane of glass that allows you to drill into the point solutions, use data gathered from them, and aggregate data into new tasks and automations.
IBM describes it this way:
IBM Cloud Pak for Security is an open security platform that connects to your existing data sources to generate deeper insights and enables you to act faster with automation. Whether your data resides on IBM or third-party tools, on-premises or multiple cloud environments, the platform helps you to find and respond to threats and risks — all while leaving your data where it is.
If yours is like most organizations, you're saddled with too much data to organize and sift through, you're missing incoming threats, and you may be taking too long to respond to high-risk events. Your security teams are overwhelmed with events and notifications, and you have data scattered in a wide range of silos. If any or all of these rings true, then IBM Cloud Pak for Security can help.
Please visit www.ibm.com/products/cloud-pak-for-security to learn more.