11/14/2017
11:10 AM
Simon Marshall

The Gift of Simple Security

Alert Logic's Marc Willebeek-Lemair has seen complex security and now thinks that simple solutions are the best for most enterprises.

The need for security is leading some companies to build security schemes based on dozens of different products. The need to manage all of those products is leading some security professionals to re-think long-held ideas on the best strategy for security.

For Alert Logic, founded in 2002, it's a case of somewhat reneging on a bet that Marc Willebeek-Lemair, now CSO, placed a while back on a best-of-breed security strategy as best practice. In a world where, in extreme cases, some organizations report deploying as many as 50 separate security solutions, a lot of enterprises are scratching their heads about how many they really need to secure their businesses completely. They're still considering the gamut, while Willebeek-Lemair is trying to offer fresh air by moving to the cloud and dispensing with point solutions.

Reform is top of the list for Willebeek-Lemair, who was a pioneer and early advocate of best-of-breed security at Tipping Point, which he founded and where he was CTO in the early Noughties, and who was also CTO of 3Com. According to him, "defense-in-depth" is no longer viable. Many systems are bought and integrated each year, but by their nature they are designed in isolation, leaving the enterprise to join the integration dots needed for reporting and prioritization.

"You need look no further than the Target breach or almost any other breach-of-the-week to see this misalignment of risk and security focus exacerbated by the traditional piecemeal best-of-breed approach," he told SecurityNow. "We need experts in the defensive loop and there are not enough of them to go around."

His approach is to automate existing systems so that analyst teams can handle their output more effectively. That belief is rooted in the fact that many enterprises are reaching a crunch: they have so many systems feeding high-volume, disparate data to the analyst team that the volume is itself a problem, and analysts become number crunchers rather than analyzers.

"Converting expert knowledge into automated detection requires control over the content within the various point products and the layer above them (usually a SIEM), where analytics that combine underlying point-product events best capture expert knowledge," said Willebeek-Lemair.

According to Cisco's 2017 Annual Cybersecurity Report, about 55% of companies use at least six security vendors and 65% deploy no less than six cyber defense products. Alert Logic says that there are scenarios where companies have, on average, 17 point-product security solutions in their organizations. In exceptional cases, statistics show that large enterprises can have as many as 50 deployed.

Willebeek-Lemair's point is that deploying as many point systems as enterprises now feel they need to deal with diverse threats has passed the point of being effective, given the internal resources available to run them: many systems, but too few people. Automation as the way out is a recurring theme with Willebeek-Lemair, and it may resonate where many developers and their customers are beginning to feel comfortable with it. Ultimately, he recommends a cloud approach.

"The existing Do-It-Yourself (DIY) model where customers buy a plethora of best-of-breed point-products, plug them into a SIEM and hire a team of experts in the SOC simply isn't working. The gap between the theory and practice of this approach is too large," he said.

Conversely, using the cloud instead of traditional point products is an alternative approach that might enable security teams to get to the crux faster, especially as threats and vectors multiply. The conclusion that large enterprises need 50+ systems to be secure is clearly incorrect, or at least unworkable. The better conclusion is that expert knowledge must be applied to detection systems so that they can be successfully automated.

According to Willebeek-Lemair, CISOs are struggling to find a good path forward. A lot of them realize that, frankly, the current set-up is not working, but they are hamstrung by the time spent integrating the output of today's multiple systems. In his earlier example, Target had plenty of threat information coming in; in fact, too much.

"Target had security solutions deployed, and they were receiving alerts. They just didn't know which ones to prioritize, and this is symptomatic of the challenges businesses currently face," said Willebeek-Lemair.

Currently the most common set-up is for SIEM systems to collect data from multiple point systems on behalf of the SOC. But it is getting more difficult and expensive, apparently, to build on this foundation going forward. The old model arose when the volume and variety of threats were relatively small and expertise was plentiful. It has worked well as a model to date, in most cases, but as the threat world gets busier it is falling apart, and decrepitude ensues.
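The SIEM-above-point-products layer described here, and Willebeek-Lemair's remarks above about analytics that combine point-product events and about Target receiving alerts it could not prioritize, come down to one engineering problem: turning three differently shaped feeds into a single ranked queue. The following is an added illustration written for this article, not Alert Logic's or any vendor's code. The three feeds (an IDS, an endpoint agent and a web proxy), their field names, the score weights and the 15-minute correlation window are all constructed assumptions; the point is that the "expert knowledge" lives in the normalizers and the cross-product bonus, not in any one product.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feeds from three hypothetical point products.
# Field names (src_ip, host_ip, client, prio, action ...) are assumptions
# for this example, not the schema of any real product.
IDS_ALERTS = [
    {"ts": "2017-11-14T09:00:05", "src_ip": "10.0.0.7", "sig": "Known CnC beacon", "prio": 1},
    {"ts": "2017-11-14T09:02:10", "src_ip": "10.0.0.22", "sig": "Policy: file-sync client", "prio": 3},
]
ENDPOINT_ALERTS = [
    {"ts": "2017-11-14T09:00:40", "host_ip": "10.0.0.7", "threat": "Trojan.Generic", "action": "quarantine_failed"},
    {"ts": "2017-11-14T08:10:00", "host_ip": "10.0.0.31", "threat": "PUA.Toolbar", "action": "quarantined"},
]
PROXY_LOGS = [
    {"ts": "2017-11-14T09:03:00", "client": "10.0.0.7", "dest": "203.0.113.9", "bytes_out": 52_000_000},
    {"ts": "2017-11-14T09:03:30", "client": "10.0.0.22", "dest": "198.51.100.4", "bytes_out": 1_200},
]

WINDOW = timedelta(minutes=15)   # events on one host within this window are one incident
CROSS_PRODUCT_BONUS = 25         # reward agreement between independent products


@dataclass
class Event:
    """Common schema every point product is normalized into."""
    ts: datetime
    host: str
    product: str
    summary: str
    score: int  # analyst-assigned weight: this is where expert knowledge is encoded


def normalize_ids(rec):
    # IDS priority 1 is high confidence; priority 3 is mostly policy noise.
    score = {1: 40, 2: 20, 3: 5}[rec["prio"]]
    return Event(datetime.fromisoformat(rec["ts"]), rec["src_ip"], "ids", rec["sig"], score)


def normalize_endpoint(rec):
    # A failed quarantine means malware is still resident; weight it heavily.
    score = 50 if rec["action"] == "quarantine_failed" else 10
    summary = f'{rec["threat"]} ({rec["action"]})'
    return Event(datetime.fromisoformat(rec["ts"]), rec["host_ip"], "endpoint", summary, score)


def normalize_proxy(rec):
    # Only unusually large outbound transfers are worth an analyst's time.
    if rec["bytes_out"] < 10_000_000:
        return None
    summary = f'{rec["bytes_out"]} bytes to {rec["dest"]}'
    return Event(datetime.fromisoformat(rec["ts"]), rec["client"], "proxy", summary, 30)


def collect_events():
    """Pull every feed into the common schema, dropping events scored as noise."""
    events = [normalize_ids(r) for r in IDS_ALERTS]
    events += [normalize_endpoint(r) for r in ENDPOINT_ALERTS]
    events += [e for e in (normalize_proxy(r) for r in PROXY_LOGS) if e]
    return events


def _summarize(host, cluster):
    products = sorted({e.product for e in cluster})
    # Independent products agreeing on the same host is the strongest signal.
    score = sum(e.score for e in cluster) + CROSS_PRODUCT_BONUS * (len(products) - 1)
    return {"host": host, "score": score, "products": products,
            "first_seen": cluster[0].ts.isoformat(), "evidence": [e.summary for e in cluster]}


def prioritize(events):
    """Group events per host into time-windowed incidents and rank them by score."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        cluster = [evs[0]]
        for e in evs[1:]:
            if e.ts - cluster[-1].ts <= WINDOW:
                cluster.append(e)
            else:
                incidents.append(_summarize(host, cluster))
                cluster = [e]
        incidents.append(_summarize(host, cluster))
    incidents.sort(key=lambda i: i["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in prioritize(collect_events()):
        print(inc["score"], inc["host"], inc["products"], inc["evidence"])
```

Run as-is, the host seen by all three products lands at the top of the queue with a score of 170, while the lone policy alert and the already-quarantined toolbar fall to the bottom. Changing a weight in one normalizer, or the bonus for cross-product agreement, re-ranks the whole queue without touching any product, which is the control over the "layer above" that the quote calls for.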

"Information, employees and risks are much more fluid, moving from one place to the other," said Willebeek-Lemair. He added: "As more and more companies go online and get exposed to the cyber threat environment, the model stayed the same. More and more experts were needed, and the attack surface grew in complexity. We just outgrew the old model and it doesn't scale to the higher demand of experts nor does it fit the available budgets."

The new model offers faster, simpler integration, with more information-sharing and visibility gained by removing silos. That information-sharing and visibility are also critical to integrating machine learning successfully into the security infrastructure. The implication is that the cloud holds answers both to quantitative and qualitative report-handling and to the machine learning that improves threat analysis and remediation.

— Simon Marshall, Technology Journalist, special to Security Now
