The Gift of Simple Security

The need for security is leading some companies to build security schemes based on dozens of different products. The need to manage all of those products is leading some security professionals to re-think long-held ideas on the best strategy for security.

For Alert Logic, founded in 2002, it's a case of somewhat reneging on a bet that Marc Willebeek-Lemair, now CSO, placed a while back on a best-of-breed security system strategy as best practice. In a world where in extreme cases some organizations report deploying as many as 50 separate security solutions, a lot of enterprises are scratching heads about how many they really need to completely secure their businesses. They're still considering the gamut, while Willebeek-Lemair is trying to offer fresh air through a move to cloud and dispensation of point solutions.

Reform is top of the list for Willebeek-Lemair, having been a pioneer and early advocate for best-of-breed security working at Tipping Point, where he was CTO and founder in the early Noughties, and also CTO of 3Com. According to him, "defense-in-depth" is no longer viable. Obviously, many systems are bought each year and integrated, but they are by description designed in a vacuum, leaving the enterprise to join the integration dots that support reporting and prioritization.

"You need look no further than the Target breach or almost any other breach-of-the-week to see this misalignment of risk and security focus exacerbated by the traditional piecemeal best-of-breed approach," he told SecurityNow. "We need experts in the defensive loop and there are not enough of them to go around."

His conceptual approach adapts to where the successful automation of existing systems can be more effectively handled by analyst teams. That belief is rooted in the fact that many enterprises are reaching a crunch. They have so many systems, feeding high-volume and disparate data to the analyst team, that this is in itself an issue; analysts are number crunchers rather than analyzers.

"Converting expert knowledge into automated detection requires control over the content within the various point products and the layer above them (usually a SIEM), where analytics that combine underlying point-product events best capture expert knowledge" said Willebeek-Lemair.

According to Cisco's 2017 Annual Cybersecurity Report, about 55% of companies use at least six security vendors and 65% deploy no less than six cyber defense products. Alert Logic says that there are scenarios were companies have, on average, 17 point-product security solutions in their organizations. There are statistics that exceptionally show large enterprises can have as many as 50 deployed.

Willebeek-Lemair's point is that engaging as many point systems as enterprises now feel necessary to deal with diverse threats has passed the point of being effective versus internal resources to run them effectively. Many systems but too few people. The resultant automation is a common theme with Willebeek-Lemair, and it may resonate well where many developers and their customers are beginning to feel comfortable. Ultimately, he recommends a cloud approach.

"The existing Do-It-Yourself (DIY) model where customers buy a plethora of best-of-breed point-products, plug them into a SIEM and hire a team of experts in the SOC simply isn't working. The gap between the theory and practice of this approach is too large," he said.

Conversely, using the cloud instead of traditional point products is an alternative approach that might enable security teams to get to the crux faster, especially as threats or vectors multiply. There's no dispute that a conclusion that large enterprises need 50+ systems to be secure is incorrect or at least unworkable. The better replacement for that conclusion is that expert knowledge must be applied to detection systems so that they can be successfully automated.

According to Willebeek-Lemair, CISOs are struggling to find a good path forward. A lot of them realize that frankly the current set-up is not working, but are hamstrung by the amount of time spent on today's integration processes from multiple systems. In his earlier example, Target had a lot of threat information coming in, in fact, but too much.

"Target had security solutions deployed, and they were receiving alerts. They just didn't know which ones to prioritize, and this is symptomatic of the challenges businesses currently face," said Willebeek-Lemair.

Currently the approach is for SIEM systems to collect data from multiple point systems for the SOC, and this seems to be the most common set-up. But it's getting more difficult and expensive, apparently, to use this foundation going forward. The old model existed while the volume and type of threats were relatively small, but expertise was numerically high. It worked well as a model to date, in most cases, but as the threat world gets busier, it is falling apart, and decrepitude ensues.

"Information, employees and risks are much more fluid, moving from one place to the other" said Willebeek-Lemair. Conversely, "As more and more companies go online and get exposed to the cyber threat environment, the model stayed the same. More and more experts were needed, and the attack surface grew in complexity. We just outgrew the old model and it doesn't scale to the higher demand of experts nor does it fit the available budgets."

The new one is a faster and simplified integration, which offers more information-sharing and visibility by removing silos. This information-sharing and visibility are also critical factors in machine learning's successful integration into the security infrastructure. The implication is that the cloud holds answers to both the quantitative and qualitative report-handling as well as the machine learning that increases threat analysis and remediation.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now