It’s hard to argue that today’s security tools and policies are exceedingly effective. While the industry has prevented a good number of cyberattacks, the fact remains that motivated attackers will continue to gain access to data and systems. Even the NSA, FBI and top security vendors are not immune from this reality. Perpetuating existing approaches to security will not change this equation. Something has to fundamentally change.
Security has mainly existed as an array of distinct tools and groups, each with its own specialty and purview. At the same time, tools that had been focused on a particular part of the attack surface have been subject to “platformization.” Turning a point product into something broader extends the value and functionality of a particular device while also being a great marketing strategy to defend well-fought territory and retain customers while fulfilling financial imperatives for revenue growth.
Too many security platforms serve as the centerpiece for not only other features and add-ons, but also an integration point for solutions from other vendors. The platform becomes its own security “sun” while other solutions revolve around it. Check Point Software successfully pioneered this approach with its OPSEC partners plugging into its FireWall-1 product. There’s a twofold downside to this kind of approach. First, platform usually implies an attempt to “own” the primary value. This creates compromises where not all solutions are supported, or they require some kind of regulated certification to work. Some best-of-breed solutions are left out. Second, often a platform that emanates from a particular tool suffers the hammer problem. To a hammer, everything looks like a nail, and items that don’t are often ignored or minimalized.
Platforms are good, in the sense that it’s something that brings together the data and findings of all security tools and sources of information. The idea of serving as a Swiss Army Knife that has everything on one handy device represents more failed and outmoded thinking. Let each tool do what it does best, and then take the findings and details, integrate and correlate all of these and then apply behavioral analytics to find true malicious or criminal behavior.
The tradition of separate tools and policies that remain separate has become ineffective to meet the true challenges and threats of security today. Each of these tools can contribute expertise in channeling information to a platform that’s not intended to take over all security functions, but rather to aggregate and correlate findings to reach higher levels of precision and jettison the problems of too many false positive or non-productive alerts.
Nearly every security professional knows that attacks may take place at any point along their organization’s constantly changing attack surface. Often multiple points are attacked. More importantly, the first act or acts of an attack lead to others. There’s a progression, as attackers begin to achieve greater visibility and understanding of resources and assets while they seek to improve their sphere of control to finally achieve their objective and get a pay-off.
Security teams need to understand, small, seemingly inconsequential data points in light of other data to find the forest for the trees. Some data elements will help dismiss what otherwise stands as a false or invaluable conclusion, leading to another non-productive alert for security teams to drown in. Others will establish progression and links between events or actions.
Aggregating and correlating all such sources is the idea behind Extended Detection and Response (XDR), which, more recently has become known as Everything Detection and Response. Confusion has sprung up from some quarters who may see XDR as yet another security platform that “wants to own it all” and fold multiple functions into a single solution. In fact, XDR has not been developed as a replacement for something or a way to augment functions into a single system. It could take the place of something, such as a SIEM, but it’s real value lies in being a kind of neutral centralization point for pooling data from everywhere to establish the fastest, easiest, clearest and most accurate picture of any attacks early enough to mitigate or prevent theft or damage.
The industry needs a new kind of thinking to make a significant enough difference in capability to defeat the latest era of threats and cybercrime. Rather than continuing to pursue security through separate systems, data, teams, procedures, policies and strategies, we must pull together to gain a comprehensive view of the attack surface and an intelligent understanding of attack progression. Aggregating all sources of data can become a game-changer for precision and expediency. Instead of many systems with far too many alerts, organizations could have a way of finding the most crucial evidence of an attack and address it immediately. It’s time to stand together to unify findings and equip ourselves for the new reality of security challenges.
Sam Jones, vice president of product management, Stellar Cyber