
Simon Marshall

The Gift of Simple Security

Alert Logic's Marc Willebeek-Lemair has seen complex security and now thinks that simple solutions are the best for most enterprises.

The need for security is leading some companies to build security schemes based on dozens of different products. The need to manage all of those products is leading some security professionals to re-think long-held ideas on the best strategy for security.

For Alert Logic, founded in 2002, it's a case of somewhat reneging on a bet that Marc Willebeek-Lemair, now CSO, placed a while back on a best-of-breed security strategy as best practice. In a world where, in extreme cases, some organizations report deploying as many as 50 separate security solutions, a lot of enterprises are scratching their heads about how many they really need to completely secure their businesses. They're still considering the whole gamut, while Willebeek-Lemair is trying to offer fresh air through a move to the cloud and a dispensing with point solutions.

Reform is top of the list for Willebeek-Lemair, who was a pioneer and early advocate of best-of-breed security as founder and CTO of TippingPoint in the early Noughties, and later CTO of 3Com. According to him, "defense-in-depth" is no longer viable. Many systems are bought and integrated each year, but they are by definition designed in a vacuum, leaving the enterprise to join the integration dots that support reporting and prioritization.

"You need look no further than the Target breach or almost any other breach-of-the-week to see this misalignment of risk and security focus exacerbated by the traditional piecemeal best-of-breed approach," he told SecurityNow. "We need experts in the defensive loop and there are not enough of them to go around."

His approach centers on automating existing systems so that their output can be handled more effectively by analyst teams. That belief is rooted in the fact that many enterprises are reaching a crunch: they have so many systems feeding high-volume, disparate data to the analyst team that the volume is in itself an issue, and analysts become number crunchers rather than analyzers.

"Converting expert knowledge into automated detection requires control over the content within the various point products and the layer above them (usually a SIEM), where analytics that combine underlying point-product events best capture expert knowledge," said Willebeek-Lemair.

According to Cisco's 2017 Annual Cybersecurity Report, about 55% of companies use at least six security vendors and 65% deploy no less than six cyber defense products. Alert Logic says that there are scenarios where companies have, on average, 17 point-product security solutions in their organizations. In exceptional cases, statistics show large enterprises with as many as 50 deployed.

Willebeek-Lemair's point is that engaging as many point systems as enterprises now feel necessary to deal with diverse threats has passed the point at which the internal resources exist to run them effectively. Many systems, too few people. Automation as the answer is a common theme with Willebeek-Lemair, and it may resonate where many developers and their customers are beginning to feel comfortable with it. Ultimately, he recommends a cloud approach.

"The existing Do-It-Yourself (DIY) model where customers buy a plethora of best-of-breed point-products, plug them into a SIEM and hire a team of experts in the SOC simply isn't working. The gap between the theory and practice of this approach is too large," he said.

Using the cloud instead of traditional point products is an alternative approach that might enable security teams to get to the crux faster, especially as threats and vectors multiply. There's no dispute that concluding large enterprises need 50+ systems to be secure is incorrect, or at least unworkable. The better conclusion is that expert knowledge must be applied to detection systems so that they can be successfully automated.

According to Willebeek-Lemair, CISOs are struggling to find a good path forward. A lot of them realize that, frankly, the current set-up is not working, but they are hamstrung by the amount of time spent on today's integration processes across multiple systems. In his earlier example, Target did in fact have a lot of threat information coming in; the problem was that it had too much.

"Target had security solutions deployed, and they were receiving alerts. They just didn't know which ones to prioritize, and this is symptomatic of the challenges businesses currently face," said Willebeek-Lemair.

Currently the most common set-up is for SIEM systems to collect data from multiple point systems on behalf of the SOC. But using this foundation going forward is, apparently, getting more difficult and expensive. The old model arose while the volume and variety of threats were relatively small and expertise was plentiful. It has worked well as a model to date, in most cases, but as the threat world gets busier it is falling apart, and decrepitude ensues.
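What the SIEM-layer analytics Willebeek-Lemair describes look like in practice, and how they address the Target problem of "receiving alerts but not knowing which ones to prioritize", is easier to see in code than in prose. The following is an added example written for this article, not Alert Logic's product code or anything the interviewee described in detail: it assumes three hypothetical point products (an IDS, an endpoint agent and a web proxy) whose log lines are constructed here, normalizes them into one event shape, clusters events per host inside a time window, and scores each cluster so that hosts corroborated by several independent products rise to the top of the analyst queue. The severity weights and the 15-minute window are arbitrary choices for the example.

```python
"""Cross-product alert correlation and prioritisation (added example).

Models the layer the article places above the point products: events from
several hypothetical tools are normalised, grouped per host inside a time
window, and ranked. Product names, log lines and weights are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample output from three hypothetical point products.
SAMPLE_LOGS = [
    "2021-07-07T10:01:05Z ids   host=pos-17 sig=ET_TROJAN_Beacon sev=high",
    "2021-07-07T10:03:40Z edr   host=pos-17 event=unsigned_binary_exec sev=medium",
    "2021-07-07T10:04:12Z proxy host=pos-17 dst=203.0.113.10 category=newly_seen_domain sev=low",
    "2021-07-07T10:05:00Z ids   host=hr-03 sig=ET_POLICY_DNS_Query sev=low",
    "2021-07-07T10:06:30Z edr   host=hr-03 event=macro_enabled_doc sev=medium",
    "2021-07-07T09:10:00Z ids   host=web-01 sig=ET_SCAN_Nmap sev=medium",
    "2021-07-07T10:10:00Z ids   host=web-01 sig=ET_SCAN_Nmap sev=medium",
]

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}  # arbitrary for the example
WINDOW = timedelta(minutes=15)                         # arbitrary for the example


@dataclass
class Event:
    ts: datetime
    product: str
    host: str
    severity: str
    detail: str


def parse_line(line: str) -> Event:
    """Normalise one line from any of the products into a common Event."""
    ts_str, product, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    detail = fields.get("sig") or fields.get("event") or fields.get("category", "")
    return Event(ts, product, fields["host"], fields["sev"], detail)


def correlate(events):
    """Cluster events per host within WINDOW of each other and score clusters.

    score = (sum of severity weights) * (number of distinct products that fired).
    The multiplier encodes the analyst's rule of thumb that corroboration
    across independent sensors matters more than any single alert.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    clusters = []
    for host, evs in by_host.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - current[-1].ts <= WINDOW:
                current.append(ev)
            else:                       # gap too large: start a new cluster
                clusters.append((host, current))
                current = [ev]
        clusters.append((host, current))

    scored = []
    for host, evs in clusters:
        products = {e.product for e in evs}
        base = sum(SEVERITY_WEIGHT[e.severity] for e in evs)
        scored.append({
            "host": host,
            "start": evs[0].ts,
            "products": sorted(products),
            "score": base * len(products),
            "details": [e.detail for e in evs],
        })
    return sorted(scored, key=lambda c: c["score"], reverse=True)


def prioritise(lines):
    """Full pipeline: raw lines from all products -> ranked analyst queue."""
    return correlate(parse_line(line) for line in lines)


if __name__ == "__main__":
    for item in prioritise(SAMPLE_LOGS):
        print(f"{item['score']:>3}  {item['host']:<7} {item['products']}  {item['details']}")
```

On the constructed input, the point-of-sale host hit by all three products scores 27 and lands at the top, the HR host with two corroborating products scores 8, and the two isolated scan alerts on the web server (an hour apart, so in separate clusters) score 3 each. Each individual IDS signature on its own is just one more line in the feed; the ranking comes entirely from combining products, which is the "layer above them" the article is talking about.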

"Information, employees and risks are much more fluid, moving from one place to the other," said Willebeek-Lemair. He added: "As more and more companies go online and get exposed to the cyber threat environment, the model stayed the same. More and more experts were needed, and the attack surface grew in complexity. We just outgrew the old model and it doesn't scale to the higher demand of experts nor does it fit the available budgets."

The new model is faster and simpler to integrate, and offers more information-sharing and visibility by removing silos. That information-sharing and visibility are also critical factors in integrating machine learning successfully into the security infrastructure. The implication is that the cloud holds answers both to quantitative and qualitative report-handling and to the machine learning that improves threat analysis and remediation.


— Simon Marshall, Technology Journalist, special to Security Now
