The second blog post of our series dealt with the shifts in mindset that are necessary for the adoption of an adaptive approach to security, as Gartner puts forth in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. In the third and final post of this series, we’ll talk about transformations that are required in your security operations center (SOC) in order to support this shift.
Continuous Detection And Response
I’m a bit of a car guy, and I enjoy driving as much as getting to the destination, particularly when it comes to the ski resorts in the Lake Tahoe area of California. When I’m behind the wheel there, I’m continually on high alert, scanning the road for potential issues — especially in the winter. It could be something as simple as merging traffic or something hidden, like black ice, or something completely unexpected like a bear lumbering across the road. Similar to a driver on a long journey, an intelligence-driven SOC needs to move away from the traditional incident response model to what Gartner calls “continuous, pervasive monitoring and visibility that are constantly analyzed for indications of compromise.” And this ongoing cycle of monitoring and analytics must be implemented across all technology layers—the network, endpoints, the application front-end and backend, information/data, and yes, even users.
How can you enable continuous detection and response? The key elements are ingesting both internal and external threat intelligence and deriving from it the context that is relevant to your business. Next, you must correlate that information so that your security tools can share data and act in concert, responding faster and more effectively than any one of them could on its own. Incorporating technologies that unify the protection, detection, and correction stages of the threat defense life cycle across your security infrastructure is what turns a best-of-breed, multivendor approach from a collection of silos into something that can actually be made to work.
Getting back behind the wheel for a moment, did you ever consider that manufacturers put brakes on a car so that you can go faster? Because of the improvements in safety features in cars, speed limits have actually increased over the years on some roads. Airbags, blind spot and lane detection, and other collision mitigation technologies all work together as a single, coordinated system so that we can drive safely at higher speeds and under challenging conditions. In the same way, pervasive visibility, where all your security components are collaborating, allows a business to operate at a faster pace. Now you can catch things that are coming at you more quickly and efficiently.
In a traditional multivendor, siloed SOC, individual security technologies are controlled by separate, incompatible management consoles that can’t communicate with one another and don’t easily share intelligence. At the heart of an adaptive SOC is the ability to see everything across systems, users, and networks, working together. Once you have end-to-end visibility, you can start mining that rich internal threat intelligence for indicators of attack (attacker behaviors observed before or during an intrusion, such as credential dumping or lateral movement) and indicators of compromise (artifacts such as file hashes, domains, and IP addresses left behind by a known intrusion). If you want to take it up a notch, add external threat intelligence from third-party feeds or other trusted organizations. This type of data provides insight into threat characteristics and behaviors that you can then search for in your own environment. One caveat: an external indicator is only as good as its source and its age, so keep the feed, confidence, and timestamp with each indicator and weight matches accordingly, rather than treating every hit as confirmed compromise.
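The correlation step described above, as an added example that is not code from the original post or from Gartner: it matches indicator-bearing fields of internal proxy/DNS telemetry against both an internally derived indicator set and an external feed, then weights each hit by the criticality of the asset it occurred on. The feed entries, asset inventory, key=value log format, and confidence and criticality values are all constructed for illustration (the addresses are documentation ranges, not real infrastructure).

```python
"""Correlate internal telemetry with internal and external threat intelligence.

Added example, not code from the original post or from Gartner. All feeds,
assets and log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# External feed (e.g. a third-party IOC list) already parsed into a dict.
# Constructed data; these are documentation-range addresses, not real C2.
EXTERNAL_FEED: Dict[str, dict] = {
    "203.0.113.45":       {"confidence": 90, "desc": "C2 address (constructed)"},
    "bad-update.example": {"confidence": 70, "desc": "malware staging domain (constructed)"},
}

# Internal intelligence: indicators your own analysts confirmed in earlier cases.
INTERNAL_INTEL: Dict[str, dict] = {
    "198.51.100.7": {"confidence": 95, "desc": "exfil endpoint from a prior case (constructed)"},
}

# Asset context: a criticality multiplier so a hit on a crown-jewel host outranks
# the same hit on a throwaway lab VM.
ASSETS: Dict[str, dict] = {
    "fin-db-01": {"owner": "finance",  "criticality": 3},
    "lab-vm-22": {"owner": "research", "criticality": 1},
}

# Constructed proxy/DNS telemetry in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2024-05-01T08:00:01Z host=lab-vm-22 kind=dns qname=cdn.example",
    "ts=2024-05-01T08:02:11Z host=fin-db-01 kind=conn dst=203.0.113.45 dport=443",
    "ts=2024-05-01T08:05:40Z host=lab-vm-22 kind=dns qname=bad-update.example",
    "ts=2024-05-01T08:06:02Z host=fin-db-01 kind=conn dst=198.51.100.7 dport=22",
    "ts=2024-05-01T08:07:30Z host=lab-vm-22 kind=conn dst=192.0.2.10 dport=80",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
MATCHABLE_FIELDS = ("dst", "qname")   # event fields that can carry an indicator


@dataclass
class Alert:
    ts: str
    host: str
    indicator: str
    source: str      # "internal" or "external"
    desc: str
    score: int       # feed confidence x asset criticality


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def correlate(lines: List[str],
              external: Dict[str, dict] = EXTERNAL_FEED,
              internal: Dict[str, dict] = INTERNAL_INTEL,
              assets: Dict[str, dict] = ASSETS) -> List[Alert]:
    """Match each event's indicator-bearing fields against both intel sets and
    rank the hits by confidence weighted with asset criticality."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "unknown")
        crit = assets.get(host, {}).get("criticality", 1)   # unknown asset: baseline weight
        for field_name in MATCHABLE_FIELDS:
            ioc = ev.get(field_name)
            if ioc is None:
                continue
            for source, table in (("internal", internal), ("external", external)):
                meta = table.get(ioc)
                if meta:
                    alerts.append(Alert(ev["ts"], host, ioc, source,
                                        meta["desc"], meta["confidence"] * crit))
    # Highest-impact first so analysts see crown-jewel hits at the top of the queue.
    return sorted(alerts, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a.score:4d} {a.ts} {a.host:<10} {a.source:<8} {a.indicator} ({a.desc})")
```

On the constructed input the two finance-database hits rank first (an internally confirmed indicator on a criticality-3 host scores 285, the external C2 hit 270) and the lab VM's staging-domain lookup last at 70; the lab VM's connection to an address in neither intel set produces nothing. In a real deployment the feed's timestamp and source would also feed the score, per the caveat above.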
Churning Through Massive Amounts Of Threat Data With Analytics
A consequence of pervasive visibility and threat intelligence is copious amounts of data. It’s much like driving through a blizzard in the mountains. You take in a great deal of data as you navigate this hazardous situation — snow, ice, wind, skidding cars, and pile-ups. Ultimately, you have to ingest this information, analyze it, and determine what matters most. This is where automation comes in — things like the information from apps such as Waze that alert you to traffic conditions ahead, built-in infrared night vision that helps you see farther, and adaptive braking systems that stop the car in an emergency.
In security, a similar issue arises: how do you corral this flood of data and make use of it? The more data you have coming at you, the more you have to rely on machine automation to help you move swiftly and accurately when security incidents come up. Strong analytics technology, for example, helps identify the characteristics associated with suspicious incidents and correlate them across sources. You’ll need to establish baselines of normal behavior, for instance what a particular user typically does at a particular time of day from a particular part of the world, so that you can separate routine activity from what deviates from that pattern. Two cautions apply: a baseline is only as trustworthy as the period it was learned from, so build it from data you have reason to believe is clean, and anomalous does not mean malicious, since travel, a new project, or a maintenance window will all look unusual. Analytics therefore combines the anomaly with contextual data (asset criticality, change windows, approved travel) to reduce noise and false positives, so that you can direct your resources to the events that appear to be real and achieve the greatest impact.
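The baseline-and-deviation idea above, as an added example that is not code from the original post: it learns per-user profiles (usual login hours and countries) from a constructed baseline window, scores new logins against them, and lets contextual data such as approved travel suppress an anomaly that has a benign explanation. The login records, users, countries, scoring weights, the two-hour tolerance window, and the triage thresholds are all illustrative assumptions.

```python
"""Per-user behavioral baselines and context-aware anomaly scoring.

Added example, not code from the original post. The login records, users and
countries are constructed; the scoring rules are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed baseline window: (timestamp, user, login country). Hours are UTC.
BASELINE_LOGINS = [
    ("2024-04-01T09:02:00Z", "alice", "US"),
    ("2024-04-01T13:15:00Z", "alice", "US"),
    ("2024-04-02T08:55:00Z", "alice", "US"),
    ("2024-04-02T17:40:00Z", "alice", "US"),
    ("2024-04-03T10:05:00Z", "alice", "US"),
    ("2024-04-01T22:30:00Z", "bob", "DE"),
    ("2024-04-02T23:10:00Z", "bob", "DE"),
    ("2024-04-03T21:45:00Z", "bob", "DE"),
]


@dataclass
class Profile:
    """What 'normal' looks like for one user over the baseline window."""
    hours: Counter = field(default_factory=Counter)
    countries: Set[str] = field(default_factory=set)
    total: int = 0


def hour_of(ts: str) -> int:
    """Hour (UTC) from an ISO-8601 timestamp such as 2024-04-01T09:02:00Z."""
    return int(ts[11:13])


def build_profiles(events) -> Dict[str, Profile]:
    """Learn per-user baselines. Assumption: the window is believed clean; a
    baseline learned while an attacker was already present would treat the
    attacker's pattern as normal."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for ts, user, country in events:
        p = profiles[user]
        p.hours[hour_of(ts)] += 1
        p.countries.add(country)
        p.total += 1
    return dict(profiles)


def _near_usual_hour(h: int, profile: Profile, window: int = 2) -> bool:
    """True if h is within +/-window hours of any baseline hour (wraps at midnight)."""
    return any(min(abs(h - seen), 24 - abs(h - seen)) <= window for seen in profile.hours)


def score_login(profiles: Dict[str, Profile], ts: str, user: str, country: str,
                context: dict) -> Tuple[int, List[str]]:
    """Score one login. Context (approved travel here) suppresses anomalies that
    have a known benign explanation; that is where false positives are removed."""
    reasons: List[str] = []
    profile = profiles.get(user)
    if profile is None:
        return 3, [f"no baseline for user {user}"]
    score = 0
    h = hour_of(ts)
    if not _near_usual_hour(h, profile):
        score += 1
        reasons.append(f"hour {h:02d}Z outside usual hours {sorted(profile.hours)}")
    if country not in profile.countries:
        if country in context.get("approved_travel", {}).get(user, set()):
            reasons.append(f"new country {country} explained by approved travel")
        else:
            score += 2
            reasons.append(f"new country {country}, usual {sorted(profile.countries)}")
    return score, reasons


def triage(score: int) -> str:
    """Map a score to a queue; the thresholds are an illustrative assumption."""
    if score >= 3:
        return "investigate"
    if score >= 1:
        return "review"
    return "suppress"


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOGINS)
    ctx = {"approved_travel": {"alice": {"FR"}}}
    for ts, user, country in [
        ("2024-05-06T10:20:00Z", "alice", "US"),
        ("2024-05-06T03:10:00Z", "alice", "RU"),
        ("2024-05-06T10:00:00Z", "alice", "FR"),
        ("2024-05-06T00:30:00Z", "bob", "DE"),
    ]:
        s, why = score_login(profiles, ts, user, country, ctx)
        print(f"{user:<6} {ts} {country} -> {triage(s):<12} {why}")
```

Note the two failure modes the code handles: a user with no baseline at all is scored as worth investigating rather than silently passing, and bob's 00:30 login is treated as normal because the hour comparison wraps around midnight; without that wrap, every late-shift user would generate a nightly false positive.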
Automation Of Routine Processes
One of the hallmarks of an intelligence-driven SOC is thoughtfully implemented automation, similar to the automation in today’s automobiles. As I’ve mentioned in a previous blog post, there’s a growing scarcity of qualified security professionals. We need to automate routine processes so that these talented individuals can be freed up to do the critical work of analysis. But we need to proceed with caution. For example, it would be counterproductive for automated response systems to completely shut down a CEO’s computer because they see a suspicious file.
So, rather than get too attached to the concept of “automation,” I prefer to think in terms of “automatability,” which makes use of machine automation but introduces human analysis into the process before you take drastic measures, like shutting down an executive’s computer. A practical way to draw that line is by impact: actions that are reversible and low in blast radius (enriching an indicator, capturing a memory snapshot, blocking a known-bad hash at the proxy) can run unattended, while actions that disrupt a person or a service (isolating a host, disabling an account) run automatically only when confidence is high and the asset is not a protected one, and otherwise wait in an analyst’s queue for approval. Above all, you want to make certain that you create a process and workflow that suits your operation, that you can trust, and that you continually improve.
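One way to encode that “automatability” gate, as an added example rather than code from the original post: each playbook action carries an impact class, protected assets always route disruptive actions to a human, and unprotected assets get unattended containment only above a confidence threshold. The action catalogue, impact classes, thresholds, asset tags, and alerts are all illustrative assumptions; nothing here actually executes a response, it only decides.

```python
"""Gate automated response by action impact, asset protection and confidence.

Added example, not code from the original post. The action catalogue,
thresholds, tags and alerts are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Impact class of each playbook action. Low-impact actions are reversible and
# disrupt no one; high-impact actions take a person or a service offline.
ACTION_IMPACT: Dict[str, str] = {
    "enrich_ioc": "low",
    "snapshot_memory": "low",
    "block_hash_at_proxy": "low",
    "quarantine_file": "medium",
    "isolate_host": "high",
    "disable_account": "high",
}

# Minimum analytics confidence (0-100) to run an action unattended (assumed values).
AUTO_THRESHOLD: Dict[str, int] = {"low": 0, "medium": 60, "high": 85}

# Assets on which disruptive actions always wait for a human, whatever the score.
PROTECTED_TAGS: Set[str] = {"executive", "tier0", "production-critical"}


@dataclass
class Alert:
    id: str
    host: str
    confidence: int        # from the analytics layer
    asset_tags: Set[str]   # from the asset inventory / CMDB


@dataclass
class Decision:
    alert_id: str
    action: str
    mode: str      # "auto" | "approval" | "deny"
    reason: str    # recorded so the decision can be audited and the policy tuned


def decide(alert: Alert, action: str) -> Decision:
    """Decide whether an action runs unattended, waits for approval, or is refused."""
    impact = ACTION_IMPACT.get(action)
    if impact is None:
        return Decision(alert.id, action, "deny", "action not in the playbook catalogue")
    if impact == "low":
        return Decision(alert.id, action, "auto", "reversible, low blast radius")
    protected = alert.asset_tags & PROTECTED_TAGS
    if protected:
        return Decision(alert.id, action, "approval",
                        f"protected asset ({', '.join(sorted(protected))})")
    threshold = AUTO_THRESHOLD[impact]
    if alert.confidence < threshold:
        return Decision(alert.id, action, "approval",
                        f"confidence {alert.confidence} below {threshold} for {impact}-impact action")
    return Decision(alert.id, action, "auto",
                    f"confidence {alert.confidence} >= {threshold} on unprotected asset")


def run_playbook(alert: Alert, actions: List[str]) -> List[Decision]:
    """Evaluate every step of a playbook. 'auto' means the orchestrator may run it
    now; 'approval' means it lands in an analyst's queue first."""
    return [decide(alert, a) for a in actions]


if __name__ == "__main__":
    ceo = Alert("A-1", "ceo-laptop", 97, {"executive", "laptop"})
    lab = Alert("A-2", "lab-vm-22", 70, {"lab"})
    steps = ["enrich_ioc", "snapshot_memory", "quarantine_file", "isolate_host"]
    for alert in (ceo, lab):
        for d in run_playbook(alert, steps):
            print(f"{d.alert_id} {alert.host:<10} {d.action:<18} {d.mode:<8} {d.reason}")
```

The CEO's laptop still gets the cheap, reversible steps (enrichment, a memory snapshot) immediately, which is usually what the analyst wants in hand when the approval request arrives; only the isolation waits. An action the catalogue does not know is refused outright rather than guessed at.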
Analyzing Patterns And Root Causes
With automation for mundane tasks in place, your security professionals’ time is best spent proactively hunting and mining threat data, then digging deeper to unravel patterns and root causes. When an attack occurs, they need to establish how bad actors got into the infrastructure, identify patient zero (the first system compromised), determine which systems or networks were affected and in what order, and find out whether data was exfiltrated and, if so, what type. Whenever malware shows up, your analysts need to investigate the trajectory of the threat, from the initial entry point through each hop of lateral movement, and learn as much as possible about how it got in. Order the evidence chronologically before drawing conclusions: the earliest confirmed sighting, not the first alert, is what identifies patient zero, and an outbound transfer that predates a host’s compromise is not that incident’s exfiltration. By gathering this type of data, your organization gets better at spotting and responding to threats with similar characteristics and behaviors that may emerge in the future.
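The trajectory reconstruction described above, as an added example that is not code from the original post: it sorts constructed detection events chronologically, seeds the set of compromised hosts from malware executions, follows lateral-movement edges only when the source was already compromised at that time, derives patient zero as the earliest compromise, and flags large outbound transfers that occur after a host’s compromise. The event schema, the hosts, the 100 MB exfiltration threshold, and the addresses (documentation ranges) are all assumptions.

```python
"""Reconstruct an intrusion's trajectory: patient zero, affected hosts, exfiltration.

Added example, not code from the original post. The events are constructed,
use documentation-range addresses, and the schema is an assumption.
"""
from typing import Dict, List, Optional, Tuple

# Constructed events, deliberately out of order to show that sorting matters.
EVENTS = [
    {"ts": "2024-05-01T09:45:00Z", "type": "egress", "host": "fin-db-01",
     "dst_ip": "198.51.100.7", "bytes": 850_000_000},
    {"ts": "2024-05-01T09:20:00Z", "type": "lateral", "src": "file-srv-02",
     "dst": "fin-db-01", "detail": "remote service creation"},
    {"ts": "2024-05-01T08:30:00Z", "type": "egress", "host": "fin-db-01",
     "dst_ip": "203.0.113.9", "bytes": 1_200},          # before compromise: not exfil
    {"ts": "2024-05-01T09:00:00Z", "type": "malware_exec", "host": "hr-ws-07",
     "detail": "invoice.pdf.exe launched from mail client"},
    {"ts": "2024-05-01T09:05:00Z", "type": "lateral", "src": "hr-ws-07",
     "dst": "file-srv-02", "detail": "admin share write"},
    {"ts": "2024-05-01T09:30:00Z", "type": "lateral", "src": "dev-ws-11",
     "dst": "file-srv-02", "detail": "admin share write"},  # source never seen compromised
]

EXFIL_BYTES = 100_000_000   # assumption: flag outbound transfers of 100 MB or more


class Trajectory:
    def __init__(self) -> None:
        self.compromised_at: Dict[str, str] = {}          # host -> earliest compromise time
        self.parent: Dict[str, Optional[str]] = {}        # host -> host it was reached from
        self.exfil: List[Tuple[str, str, str, int]] = []  # (ts, host, dst_ip, bytes)
        self.unexplained: List[dict] = []                 # movement from a host not known compromised

    @property
    def patient_zero(self) -> Optional[str]:
        if not self.compromised_at:
            return None
        return min(self.compromised_at, key=self.compromised_at.get)

    def path_to(self, host: str) -> List[str]:
        """Chain of hops from patient zero to host."""
        chain: List[str] = []
        cur: Optional[str] = host
        while cur is not None:
            chain.append(cur)
            cur = self.parent.get(cur)
        return list(reversed(chain))


def reconstruct(events: List[dict]) -> Trajectory:
    """One pass in time order. ISO-8601 UTC strings sort chronologically, so a
    host only counts as a lateral-movement source if it was already compromised
    when the movement happened."""
    t = Trajectory()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "malware_exec":
            if ev["host"] not in t.compromised_at:
                t.compromised_at[ev["host"]] = ev["ts"]
                t.parent[ev["host"]] = None
        elif kind == "lateral":
            src, dst = ev["src"], ev["dst"]
            if src not in t.compromised_at:
                t.unexplained.append(ev)      # analyst needs to look: missing sighting or noise?
            elif dst not in t.compromised_at:
                t.compromised_at[dst] = ev["ts"]
                t.parent[dst] = src
        elif kind == "egress":
            since = t.compromised_at.get(ev["host"])
            # Only traffic after the host's compromise counts toward this incident.
            if since is not None and ev["ts"] >= since and ev["bytes"] >= EXFIL_BYTES:
                t.exfil.append((ev["ts"], ev["host"], ev["dst_ip"], ev["bytes"]))
    return t


if __name__ == "__main__":
    t = reconstruct(EVENTS)
    print("patient zero:", t.patient_zero)
    for host in sorted(t.compromised_at, key=t.compromised_at.get):
        print(f"  {t.compromised_at[host]} {host:<12} via {' -> '.join(t.path_to(host))}")
    print("exfiltration:", t.exfil)
    print("unexplained movement:", [(e['ts'], e['src'], e['dst']) for e in t.unexplained])
```

The edge from dev-ws-11 is kept aside rather than silently used or dropped: either telemetry missed an infection on that host or the event is benign administration, and an analyst should decide which. Hosts compromised through lateral movement get a parent pointer, so path_to gives the hop chain that root-cause analysis wants to document.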
You’re On Your Way
We hope that you have derived some benefit from our blog series and that it will help you formulate a workable and successful adaptive security strategy for your organization. To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Gartner’s Neil Macdonald and me as we talk about the Adaptive Security Architecture concept. And remember — drive safely!