Orchestrating Security Intelligence for faster and more effective incident response

The human brain is an incredibly complex system that functions miraculously well when all of its components are working together as one unit. However, when something goes wrong and connections break down, such as when a stroke occurs, the brain is no longer fully operational and basic functions cease.

Sad to say, but in some ways, IT security systems are like the human brain after the damage has been done. Look at just about any organisation’s security infrastructure these days and it’s easy to see real stumbling blocks to communication and efficient threat mitigation. In virtually every case, precious intelligence goes to waste because components of the system are cut off from one another; in many cases the pathways between them never existed in the first place. Isolated security products correlate data and events, pinpoint vulnerabilities, detect malware — and yet are incapable of sharing what they find with other security solutions that could take action if only they had been informed. As Cool Hand Luke said, 'What we’ve got here is a failure to communicate.'

The limitations are obvious. When proper intelligence gathering isn’t followed up by effective information sharing and automated, near-real-time response, gaps in security are big enough to drive the cyber-equivalent of an 18-wheeler through an organisation’s defences. This gives cyber criminals all the time they need to steal assets, including confidential data and intellectual property. In addition, instead of rapid system response to remedy issues, human intervention is constantly required. And, as we all know, manual intervention is time-consuming, expensive and does not scale.

Today’s sophisticated, targeted attacks, coupled with increasing network complexity, mobility and the phenomenal growth of non-traditional devices, present incredibly difficult challenges. Nobody can afford to have an incident response system that isn’t using all of its intelligence and powers of communication.

Orchestration to the rescue

Security vendors’ products are all vying to supplement the 'brain' — an organisation’s incident response team — with information. However, this overabundance of data often overloads the brain, creating analysis paralysis and delayed response. That’s where a new type of cyber security solution is required — one that goes well beyond traditional network access control (NAC) capabilities.

What’s required is a lightning-fast cyber nervous system that is capable of not only instantly identifying devices and allowing policy-based control of them, but also sharing security intelligence among multiple security vendors and extending enforcement and control capabilities to them in real-time.

By doing so, every security tool becomes smarter and far more responsive. Alerts are replaced with automated workflows and processes within security tools — thereby making enterprise-wide security vastly more effective.

In terms of identifying devices, this cyber nervous system must provide unprecedented visibility and profiling of the myriad devices and infrastructure components on corporate networks. Some are corporate-owned, such as servers, switches, routers and managed endpoints. Others include Bring Your Own Device (BYOD), Internet of Things (IoT) and rogue systems. Beyond seeing devices, it must share security insights about them among third-party security tools and facilitate automated workflows and security processes.

To explain this further — depending on an organisation’s policies, when the cyber nervous system sees an unknown and potentially dangerous device, it can send a notification to the host or end user (via email or on-screen pop-up) that it is limiting or blocking network access until the device complies with policies, and place the system in a secure virtual local area network (VLAN) until the device is deemed safe and compliant. What’s more, it can even audit hardware and software versions and initiate direct remediation to update applications, operating systems and firmware. It can also integrate with SIEM, endpoint protection, advanced threat detection and other third-party incident response systems to share information and orchestrate policy-based mitigation actions. IT security personnel can be kept apprised of automated actions via the console, email or text message.

The human factor is still important

Now, I’m not saying this ability to orchestrate will automate every single decision or process. Nothing is worse than brainless automation that disrupts productivity or glosses over security incidents. With effective orchestration, your brain remains in complete control with the ability to override and fine-tune decision-making. As your incident response team takes in more information, decisions become more refined and automated over time.
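The policy-driven workflow described above (unknown or non-compliant device seen, user notified, device placed in a remediation VLAN, remediation started, SIEM and staff informed) together with the analyst override that keeps the human in control can be sketched as a small policy engine. This is an added illustration, not ForeScout or CounterACT code; the device attributes, policy thresholds, VLAN id and action names are all constructed assumptions.

```python
"""Constructed example of a policy-driven orchestration step.
A device record is evaluated against a minimum-version policy and the
result is an ordered list of actions (notify, quarantine, remediate,
share with SIEM, inform the SOC). An analyst override short-circuits
enforcement but is still recorded in the SIEM event."""
from dataclasses import dataclass

QUARANTINE_VLAN = 999  # hypothetical remediation VLAN id

@dataclass
class Device:
    mac: str
    owner: str                 # "corporate", "byod", "iot" or "unknown"
    os_version: str = ""
    agent_version: str = ""
    overridden: bool = False   # analyst reviewed the device and allowed it

POLICY = {"min_os": "10.3", "min_agent": "4.2"}  # made-up thresholds

def _ver(s):
    """Turn '10.3' into (10, 3) so versions compare numerically."""
    return tuple(int(x) for x in s.split(".")) if s else (0,)

def compliance_gaps(dev, policy=POLICY):
    """Return the list of policy violations for a device (empty = compliant)."""
    gaps = []
    if dev.owner == "unknown":
        gaps.append("unknown-device")
    if _ver(dev.os_version) < _ver(policy["min_os"]):
        gaps.append("os-outdated")
    # only managed (corporate) endpoints are expected to run the agent
    if dev.owner == "corporate" and _ver(dev.agent_version) < _ver(policy["min_agent"]):
        gaps.append("agent-outdated")
    return gaps

def orchestrate(dev, policy=POLICY):
    """Map a device's posture to the ordered actions the nervous system would trigger."""
    gaps = compliance_gaps(dev, policy)
    actions = []
    if not gaps or dev.overridden:
        # compliant, or an analyst decided to allow it: record and move on
        actions.append(("siem", {"mac": dev.mac, "status": "allowed", "gaps": gaps}))
        return actions
    actions.append(("notify_user", "Access limited until compliant: " + ", ".join(gaps)))
    actions.append(("assign_vlan", QUARANTINE_VLAN))
    if "unknown-device" not in gaps:
        # direct remediation only makes sense for devices we can manage
        actions.append(("remediate", [g for g in gaps if g.endswith("outdated")]))
    actions.append(("siem", {"mac": dev.mac, "status": "quarantined", "gaps": gaps}))
    actions.append(("notify_soc", f"{dev.mac} moved to VLAN {QUARANTINE_VLAN}"))
    return actions
```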

The result is a unified, highly intelligent and responsive security infrastructure that shares contextual information, accelerates/automates incident responses and improves incident response team insight while minimising human intervention requirements.

Just as circuits in the human brain connect specialised components to enable intelligence, the integration of disparate security tools makes orchestration and automation possible.

Laying the groundwork for a more intelligent security infrastructure

Clearly, isolation is the enemy of intelligence and action — both in neurological and security systems — and component integration is key. Through its orchestration and integration capabilities, a well-connected cyber nervous system such as ForeScout CounterACT® aims to make free-flowing communication and coordinated security analysis and enforcement the rule rather than the exception in enterprise security systems everywhere.

Pedro Abreu, Chief Strategy Officer, ForeScout Technologies, Inc.