In my last post, I talked about the frustration that enterprises have with the lack of integration among security tactics – an egregious gap attributable in no small way to the extremely fragmented nature of the IT security industry itself. I offered a few examples of approaches that seek to close these gaps and equip more systematic strategies.
Among those strategies, the integration of intelligence into the tactics of defense ranks high. It is a primary factor in so-called “advanced threat defense” that combines inline detection in multiple channels (network, web, email, file systems, etc.) with intelligence gathered both locally – through heuristic techniques that may include direct observation through sandboxing – as well as across networks. The combination sharpens visibility into the nature of more complex threats such as attack networks, and can arm its users with more effective tactics for attack disruption.
In that last bit, however, is hidden an aspect of security intelligence that often goes unrecognized, or at least, not always fully appreciated for its potential impact on security architectures. It is simply this: in order for intelligence to factor into effective response, proactive defense or environment hardening, security intelligence systems must be able to send data out as well as take it in.
Simple enough, right? Okay, then, tell me: Of all of you who have deployed SIEM, log management, or operational IT monitoring for security in your environment, how many of you have these systems actively feeding actionable data to your defenses? “Actionable” in this sense isn’t just the hackneyed cliché that we tend to overuse in this business (well, it is anyway, but give me just this one). What I mean is, how many of your security data management platforms deliver this trifecta to your defense tactics?
- The nature of a specific issue, such as an attack technique or vulnerability – known and published or otherwise – detected, say, in exploitive behavior
- Consumable in such a way as to enable defenses to act directly on the information
- AND, the tactic is indeed capable of remediating the issue accordingly, through reconfiguration, blocking, isolation/segmentation, and so on (Extra credit if this is fully automated end-to-end. Okay, so that’s also overused marketing-speak. But heck, if you already have something like this working in actual production…well, you walk away with all the cheese regardless.)
Sure, there are lots of reasons beyond the limitations of monitoring technology why we wouldn’t want to do this. Automating blocking at scale would do a little more than step on the toes of IT operations and irk our insect overlords, if what we effectively build is the Mother of All Denial of Service Vehicles that raises existing problems with false positives to an entirely new level.
Still, we can’t overlook the limitations of security intelligence and monitoring tools that are predicated on taking data in. Many (if not most) are not well equipped to serve that data – or more precisely, the actionable fruits of analysis – back out into proactive defense technologies. Not terribly surprising, really, considering that they have largely arisen to inform security analysts.
And yet the market, in its omniscience, tells us we are already far along in voting with our feet for connecting this intelligence more directly to the technologies of defense. “Why would we want, say, SIEM to do this when <your favorite technology here> already provides intelligence-driven defense as part of a comprehensive product?” The fact that <your favorite technology> is succeeding at this – and some, particularly in “advanced threat defense” are among today’s most successful security plays – should tell us something: We’re not using our security intelligence assets to the fullest. If we have a security intelligence platform of some sort, we are already taking in a wealth of information that could be put to good use in sharpening defense. Busting down the silos that keep these platforms from informing even more responsive action across a variety of defense tactics, however, may be no small undertaking.
Regardless, product vendors and service providers alike who have invested significantly in security intelligence are not blind to the success that segments such as advanced threat defense are enjoying, in no small measure due to their ability to link intelligence with action. Indeed, if anything, the need for this is only going to accelerate, as the growing capabilities of ubiquitous mobile devices expand the need for intelligent defenses that can “understand” a variety of new exposures and threat scenarios. If they don’t move in these directions, vendors who have predicated their strategies on intelligence are at risk of ceding the lead to the markets where these techniques are succeeding.
Two years ago, I speculated that the rise of data-driven security tactics would be one of the transformative factors shaping security in the future. We have already seen major companies recognize this in acquiring data-driven defenses, from inline fraud and threat mitigation to systems management platforms with a high degree of flexibility in the nature of data they can consume (even if they may not yet be utilizing this flexibility to the fullest).
I expect to see this go even broader, particularly in increasing the output from security intelligence systems into a range of defenses that can consume this intelligence directly, from proactive environment hardening to more automated approaches to threat mitigation and incident response. Expect to see further vendor announcements along these lines this year.