When it comes to security, most organisations recognise that there are far too many events happening across their estate — security, endpoint, and network — for any individual, or team, to realistically (and consistently) identify potential issues.
Part of the problem is that the tools aren't integrated. A firewall alert and the incident management system should feed each other, but often they don't: someone on the security team has to notice the alert, work out its context, and, if it's real, switch to a separate system to raise a ticket by hand. As you can imagine, this is slow, error-prone and easy to skip under load.
That’s why it’s so important that businesses put more emphasis on integrating their security tools — such as having network security linked to ticketing and event management.
On top of that, it's equally important to look at automating your security capability. With automation, alerts from across the estate can be compared algorithmically (the same source host, destination or time window seen by both firewall and endpoint tooling), so that genuine anomalies reach the security team as quickly as possible. Likewise, in the middle of an attack, the response team needs tooling that can contain the attack and collect forensic evidence without waiting for someone to do it by hand.
Recognising the problem, however, isn't enough. The other difficulty security teams have is convincing the wider business to invest in the technology that gets the job done.
To help with that, here are three angles you can use to push that conversation forward: focus on the fundamentals before the showpieces, talk about orchestration rather than automation, and get help with the transformation.
The first angle is to resist the showpiece. A lot of non-technology leaders (you know, those with the purse) love a good graph. Security teams tend to bring in companies to show off sexy charts, AI-enabled anomaly detection, and whiz-bang correlation engines that get senior leadership excited. I was in a customer meeting recently where a live visual analytics platform was essential to the SIEM capability because the SOC happened to sit next to the board, and the higher-ups really wanted to see whiz-bang when they walked to the office. Seriously, that was their reason for a visual analytics capability. It was a showpiece, like an expensive tie.
A more sensible approach is to focus on the fundamentals. When we think of Google, we think of the cool stuff (Project Zero, Maps, DeepMind) and forget that practically all of its revenue, and therefore its power, comes from search. A crawler that indexes the web and a PageRank algorithm that surfaces useful content, the boring stuff, are the fundamentals that everything else flows from.
You need to focus on your own fundamentals: integrating the technology you invest in, choosing strategic vendors, and spending a disproportionate amount of time getting the tech you already have working together, before you start introducing the 'game-changing' technology.
The second angle is language. Automation can be scary for risk-averse senior leadership, and not without reason. If you can automatically stop an attack, what happens when the same control automatically stops a high-frequency trade, or stops your customers reaching your e-commerce site on Black Friday? Automation, right now, is wrapped in risky language. I've found that talking about orchestration, which produces effectively the same outcome, creates a positive feeling rather than a psychological push back.
Having an orchestration engine pre-populate a change ticket, as opposed to an automation engine changing firewall rules by itself, completely changes the conversation about this new, and essential, investment. The practical difference is where the human sits: the orchestration engine does the correlation, the enrichment and the paperwork, and a person approves the change before anything touches the rule base. When discussing the ability to script changes, use the language of orchestration rather than automation.
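As an added illustration of the orchestration-versus-automation distinction above (example code written for this edit, not code from the original post or from any product it mentions), the script below takes a handful of constructed firewall and endpoint events, correlates them by source IP and time window, and pre-populates a change ticket for a human to approve. The rule base is only modified once an approver is named; with no approver the proposed rule is never applied. All field names, thresholds and sample values are assumptions made for the example.

```python
# Added example: correlate constructed firewall + endpoint events, then ORCHESTRATE a
# pre-populated change ticket for human approval instead of AUTOMATING a firewall change.
from datetime import datetime, timedelta, timezone

# Constructed sample events. Field names are assumptions, not any vendor's schema.
FIREWALL_ALERTS = [
    {"ts": "2024-01-10T09:00:05Z", "src": "10.20.3.7",  "dst": "203.0.113.9",  "dport": 4444, "rule": "OUT-ANY"},
    {"ts": "2024-01-10T09:00:09Z", "src": "10.20.3.7",  "dst": "203.0.113.9",  "dport": 4444, "rule": "OUT-ANY"},
    {"ts": "2024-01-10T09:01:30Z", "src": "10.20.5.12", "dst": "203.0.113.9",  "dport": 4444, "rule": "OUT-ANY"},
    {"ts": "2024-01-10T09:02:00Z", "src": "10.20.7.1",  "dst": "198.51.100.4", "dport": 443,  "rule": "OUT-WEB"},
]
ENDPOINT_EVENTS = [
    {"ts": "2024-01-10T08:59:50Z", "ip": "10.20.3.7",  "host": "ws-0423", "event": "process_start", "image": "powershell.exe"},
    {"ts": "2024-01-10T09:01:10Z", "ip": "10.20.5.12", "host": "ws-0117", "event": "process_start", "image": "powershell.exe"},
    {"ts": "2024-01-10T09:02:01Z", "ip": "10.20.7.1",  "host": "ws-0001", "event": "process_start", "image": "chrome.exe"},
]

WINDOW = timedelta(minutes=5)                                   # assumed correlation window
SUSPICIOUS_IMAGES = {"powershell.exe", "cmd.exe", "mshta.exe"}  # assumed watch-list


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(fw_alerts, ep_events, window=WINDOW):
    """Group firewall alerts by destination and attach endpoint events that came from the
    same source IP within `window` and involve a watched process image.
    Returns {dst: {"hosts": set_of_hostnames, "evidence": [ {fw, endpoint}, ... ]}}."""
    findings = {}
    for fw in fw_alerts:
        t = parse_ts(fw["ts"])
        matches = [
            ep for ep in ep_events
            if ep["ip"] == fw["src"]
            and abs(parse_ts(ep["ts"]) - t) <= window
            and ep["image"].lower() in SUSPICIOUS_IMAGES
        ]
        if not matches:
            continue
        f = findings.setdefault(fw["dst"], {"hosts": set(), "evidence": []})
        f["hosts"].update(m["host"] for m in matches)
        f["evidence"].append({"fw": fw, "endpoint": matches})
    return findings


def build_change_ticket(dst, finding, min_hosts=2):
    """Orchestration step: pre-populate a firewall change request for a human to approve.
    Only escalates when at least `min_hosts` distinct endpoints talk to the same destination,
    so a single noisy workstation does not generate a block request on its own."""
    if len(finding["hosts"]) < min_hosts:
        return None
    return {
        "title": f"Proposed block: outbound to {dst}",
        "proposed_rule": {"action": "deny", "dst": dst, "direction": "outbound"},
        "affected_hosts": sorted(finding["hosts"]),
        "evidence_count": len(finding["evidence"]),
        "status": "pending_approval",
        "approved_by": None,
    }


def apply_firewall_change(ticket, approver=None, firewall_rules=None):
    """The gate that separates orchestration from blind automation: the rule base is only
    touched once a named approver has signed off. Returns (rules, updated_ticket)."""
    rules = list(firewall_rules or [])
    if approver is None or ticket["status"] != "pending_approval":
        return rules, ticket
    ticket = dict(ticket, status="applied", approved_by=approver)
    rules.append(ticket["proposed_rule"])
    return rules, ticket


def run(fw_alerts=FIREWALL_ALERTS, ep_events=ENDPOINT_EVENTS):
    """Correlate, then emit one pre-populated ticket per destination worth escalating."""
    tickets = []
    for dst, finding in correlate(fw_alerts, ep_events).items():
        ticket = build_change_ticket(dst, finding)
        if ticket:
            tickets.append(ticket)
    return tickets


if __name__ == "__main__":
    for ticket in run():
        print(ticket)
```

On the constructed data, two workstations that launched powershell.exe within seconds of connecting to the same external host on port 4444 are rolled into one ticket, while the browser traffic to a different destination never reaches the ticket stage. Calling apply_firewall_change without an approver returns the rule base untouched; only the approved path appends the deny rule.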
The third angle is to get help. This stuff is genuinely hard. Couple that with the fact that most of our customers are moving into third-party cloud, going through digital transformation, trying to stay ahead of attackers and running a business all at the same time, and it's fair to say it takes a lot of effort. You should bring in help to navigate this transformation.
Those three suggestions are a great way to move forward into automation (or orchestration) — helping you to integrate your technologies and achieve the level of security you need.