
Security Management

Simon Marshall

The Gift of Simple Security

Alert Logic's Marc Willebeek-Lemair has seen complex security and now thinks that simple solutions are the best for most enterprises.

The need for security is leading some companies to build security schemes based on dozens of different products. The need to manage all of those products is leading some security professionals to re-think long-held ideas on the best strategy for security.

For Alert Logic, founded in 2002, it's a case of somewhat reneging on a bet that Marc Willebeek-Lemair, now CSO, placed a while back on a best-of-breed security system strategy as best practice. In a world where, in extreme cases, some organizations report deploying as many as 50 separate security solutions, a lot of enterprises are scratching their heads about how many they really need to completely secure their businesses. They're still considering the gamut, while Willebeek-Lemair is trying to offer fresh air through a move to the cloud and dispensing with point solutions.

Reform is top of the list for Willebeek-Lemair, who was a pioneer and early advocate of best-of-breed security at TippingPoint, where he was founder and CTO in the early Noughties, and who was also CTO of 3Com. According to him, "defense-in-depth" is no longer viable. Many systems are bought and integrated each year, but each is, by design, built in isolation, leaving the enterprise to join the integration dots that support reporting and prioritization.

"You need look no further than the Target breach or almost any other breach-of-the-week to see this misalignment of risk and security focus exacerbated by the traditional piecemeal best-of-breed approach," he told SecurityNow. "We need experts in the defensive loop and there are not enough of them to go around."

His conceptual approach is to automate existing systems so that their output can be handled more effectively by analyst teams. That belief is rooted in the fact that many enterprises are reaching a crunch. They have so many systems feeding high-volume, disparate data to the analyst team that the volume is itself an issue: analysts become number crunchers rather than analysts.

"Converting expert knowledge into automated detection requires control over the content within the various point products and the layer above them (usually a SIEM), where analytics that combine underlying point-product events best capture expert knowledge," said Willebeek-Lemair.

According to Cisco's 2017 Annual Cybersecurity Report, about 55% of companies use at least six security vendors and 65% deploy no less than six cyber defense products. Alert Logic says there are scenarios where companies have, on average, 17 point-product security solutions in their organizations. In exceptional cases, statistics show that large enterprises can have as many as 50 deployed.

Willebeek-Lemair's point is that the number of point systems enterprises now feel necessary to deal with diverse threats has outgrown the internal resources available to run them effectively: many systems, but too few people. Automation in response is a common theme with Willebeek-Lemair, and it may resonate well where many developers and their customers are beginning to feel comfortable with it. Ultimately, he recommends a cloud approach.

"The existing Do-It-Yourself (DIY) model where customers buy a plethora of best-of-breed point-products, plug them into a SIEM and hire a team of experts in the SOC simply isn't working. The gap between the theory and practice of this approach is too large," he said.

Using the cloud instead of traditional point products is an alternative approach that might enable security teams to get to the crux faster, especially as threats and vectors multiply. There's no dispute that the conclusion that large enterprises need 50+ systems to be secure is incorrect, or at least unworkable. The better replacement for that conclusion is that expert knowledge must be applied to detection systems so that they can be successfully automated.

According to Willebeek-Lemair, CISOs are struggling to find a good path forward. A lot of them realize that, frankly, the current set-up is not working, but they are hamstrung by the amount of time spent on today's integration processes across multiple systems. In his earlier example, Target had plenty of threat information coming in; in fact, it had too much.

"Target had security solutions deployed, and they were receiving alerts. They just didn't know which ones to prioritize, and this is symptomatic of the challenges businesses currently face," said Willebeek-Lemair.

Currently the most common set-up is for SIEM systems to collect data from multiple point systems on behalf of the SOC. But it is apparently getting more difficult and expensive to build on this foundation going forward. The old model arose while the volume and variety of threats were relatively small and expertise was plentiful. It has worked well as a model to date, in most cases, but as the threat world gets busier it is falling apart.
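To make concrete the point above about SIEM-layer analytics combining point-product events to capture expert knowledge and prioritize alerts, here is an added illustration that is not code from the article or from Alert Logic: a small correlation rule in Python run over constructed events from three hypothetical point products (an IDS, an endpoint AV and a firewall). Hostnames, event kinds and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized by a hypothetical SIEM into one
# schema (product, host, kind, ts). In practice the SIEM's parsers would derive
# these from each vendor's native log format.
EVENTS = [
    {"product": "ids", "host": "pos-17", "kind": "exploit_signature", "ts": "2024-01-10T09:00:00"},
    {"product": "av",  "host": "pos-17", "kind": "malware_detected",  "ts": "2024-01-10T09:05:00"},
    {"product": "fw",  "host": "pos-17", "kind": "outbound_new_dest", "ts": "2024-01-10T09:20:00"},
    {"product": "av",  "host": "hr-04",  "kind": "malware_detected",  "ts": "2024-01-10T10:00:00"},
    {"product": "fw",  "host": "hr-04",  "kind": "outbound_new_dest", "ts": "2024-01-10T14:00:00"},  # outside window
    {"product": "ids", "host": "web-02", "kind": "exploit_signature", "ts": "2024-01-10T11:00:00"},
]

WINDOW = timedelta(minutes=60)

# Expert knowledge expressed as a rule: any one of these alerts is noise-level on
# its own, but several stages on the same host inside the window is the pattern
# an experienced analyst would escalate first.
STAGES = ["exploit_signature", "malware_detected", "outbound_new_dest"]
SEVERITY = {1: "low", 2: "medium", 3: "critical"}

def parse(ev):
    return dict(ev, ts=datetime.fromisoformat(ev["ts"]))

def correlate(events, window=WINDOW):
    """Per host, count distinct stages seen within `window` of that host's
    earliest staged event, map the count to a severity, and return the
    hosts ordered as a work queue (most severe first)."""
    by_host = defaultdict(list)
    for ev in map(parse, events):
        if ev["kind"] in STAGES:
            by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        anchor = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - anchor <= window]
        stages = sorted({e["kind"] for e in in_window}, key=STAGES.index)
        findings.append({"host": host, "severity": SEVERITY[len(stages)],
                         "stages": stages, "alert_count": len(evs),
                         "products": sorted({e["product"] for e in in_window})})
    return sorted(findings, key=lambda f: -len(f["stages"]))

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"].upper(), f["host"], f["products"], f["stages"])
```

Three products each raised alerts on pos-17 and none of them, individually, outranks the single alerts on the other hosts; only the combined rule surfaces it as the one to work first.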

"Information, employees and risks are much more fluid, moving from one place to the other," said Willebeek-Lemair. He added: "As more and more companies go online and get exposed to the cyber threat environment, the model stayed the same. More and more experts were needed, and the attack surface grew in complexity. We just outgrew the old model and it doesn't scale to the higher demand of experts nor does it fit the available budgets."

The new model offers faster and simpler integration, with more information-sharing and visibility because it removes silos. That information-sharing and visibility are also critical factors in integrating machine learning successfully into the security infrastructure. The implication is that the cloud holds answers both to the quantitative and qualitative handling of reports and to the machine learning that improves threat analysis and remediation.


— Simon Marshall, Technology Journalist, special to Security Now
