Most modern security architectures have network controls, endpoint solutions, identity and access management, threat intelligence, and so on — all functionally different solutions for each security domain doing their role extremely well.
Each plays a very specific role in a layered architecture, and each generates machine data about what it sees: specific security intelligence for its own domain. Bridging those layers falls to people, who have to go and get additional information, evidence and context from each domain and then bring everything together to produce collective intelligence.
Defending against modern attacks requires end-to-end visibility and analysis of data, not just from security devices but machine data from anywhere and everywhere in the organisation. Historically, a traditional SIEM's ability to meet this requirement was limited by its underlying architecture: fixed-schema data stores and other rigid design choices. In that regard, traditional SIEMs fell short for lack of flexibility.
It turns out that the biggest problem, the one that takes the most time and costs security operations teams the most, is making good decisions quickly and taking effective actions quickly. That may sound generalised, so I'll put it another way:
- "Good decisions" only happen if you have adequate verification based on enough information.
- "Effective actions" mean you are making the right adjustments in a timely manner.
When working across multiple security domains, verification and adjustments get complex. Verification means many steps – identification, scoping, and root cause analysis.
Adjustments also mean many steps: containment and mitigation, possibly observation and characterisation of the threat, before a more permanent policy change is implemented to adjust security posture. In any case, complexity is a killer when it comes to Security Operations Centre (SOC) efficiency.
It also happens that verification and adjustment are the most time-consuming steps, taking up 72 per cent of the overall time to respond to an incident.
Which brings us full circle.
Security teams are the ones with the “collective security intelligence” needed to disrupt attacks and substantially increase the cost to the hackers attempting to breach organisations today.
Success here is centred on customer success and production deployments. Customers have made it clear that data analytics is the ideal approach to the "all data is security relevant" problem: ingest any and all machine data they can find.
These companies are the same ones driving the Adaptive Response Initiative, which brings together the best technologies across the security industry to help organisations combat advanced attacks. They are using a logical extension of the capabilities within Splunk security solutions: bi-directional communication back out to the security domains, to gather more data, take a range of actions and share information.
They are asking us to work with alliance partners to develop an open, extensible, multi-vendor framework that anyone can take advantage of. The capabilities it enables include actions such as:
- retrieving detailed traffic analysis for a specific subnet when an incident requires deeper analysis;
- on a suspected endpoint infection, gathering an endpoint memory dump and, if the infection is confirmed, taking action such as terminating a process;
- if the infection is associated with physical media such as a USB device, ejecting the device.
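The verify-then-adjust loop described above (gather evidence across domains, confirm, then contain) can be sketched as a small dispatcher. The following is an added illustration written for this page; it is not Splunk's code and does not use the real Adaptive Response framework's interfaces. Every name in it (`Notable`, `gather_memory_dump`, `subnet_traffic_analysis`, `terminate_process`, `eject_usb`, `respond`) is hypothetical, and the evidence each action returns is constructed. The design point it makes, which the text's "adequate verification" bullet also makes, is that a disruptive action (killing a process, ejecting media) is only dispatched once more than one security domain corroborates the alert, and every action taken or attempted is recorded in an audit trail.

```python
"""Toy adaptive-response dispatcher: verify across domains, then act.

Illustrative only. Not Splunk's Adaptive Response API; all names are
hypothetical and all evidence values below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Notable:
    """A correlated alert about one host. Fields are constructed for this example."""
    host: str
    indicator: str   # e.g. a suspicious process name
    vector: str      # "usb" or "network": how the suspected infection arrived


@dataclass
class ActionResult:
    """One entry in the audit trail: what ran, whether it succeeded, what it found."""
    name: str
    ok: bool
    evidence: dict = field(default_factory=dict)


# --- evidence-gathering actions, one per security domain ---------------------
# A real implementation would call the EDR / NetFlow vendor API here.
def gather_memory_dump(n: Notable) -> ActionResult:
    # constructed: the endpoint tool "finds" the indicator resident in memory
    return ActionResult("endpoint:memory_dump", True,
                        {"resident": n.indicator == "dropper.exe"})


def subnet_traffic_analysis(n: Notable) -> ActionResult:
    # constructed: the network tool "sees" beaconing only from ws-042
    return ActionResult("network:traffic_analysis", True,
                        {"beaconing": n.host == "ws-042"})


# --- containment actions ------------------------------------------------------
def terminate_process(n: Notable) -> ActionResult:
    return ActionResult("endpoint:terminate_process", True, {"killed": n.indicator})


def eject_usb(n: Notable) -> ActionResult:
    return ActionResult("endpoint:eject_usb", True, {"host": n.host})


EVIDENCE_ACTIONS: Dict[str, Callable[[Notable], ActionResult]] = {
    "endpoint": gather_memory_dump,
    "network": subnet_traffic_analysis,
}


def verify(n: Notable, audit: List[ActionResult]) -> Set[str]:
    """Run every domain's evidence action; return the domains that corroborate the alert."""
    corroborating: Set[str] = set()
    for domain, action in EVIDENCE_ACTIONS.items():
        result = action(n)
        audit.append(result)
        if result.ok and any(result.evidence.values()):
            corroborating.add(domain)
    return corroborating


def respond(n: Notable, audit: List[ActionResult], min_sources: int = 2) -> str:
    """Verify, then adjust. Returns "contained" or "monitor".

    Disruptive actions only run when at least `min_sources` independent
    domains agree; otherwise the host is left under observation.
    """
    corroborating = verify(n, audit)
    if len(corroborating) < min_sources:
        return "monitor"
    audit.append(terminate_process(n))
    if n.vector == "usb":          # infection tied to physical media: also eject it
        audit.append(eject_usb(n))
    return "contained"


if __name__ == "__main__":
    for alert in (Notable("ws-042", "dropper.exe", "usb"),
                  Notable("ws-007", "dropper.exe", "network")):
        trail: List[ActionResult] = []
        outcome = respond(alert, trail)
        print(alert.host, "->", outcome, [r.name for r in trail])
```

Running the demo contains ws-042 (memory dump and traffic analysis both corroborate, so the process is killed and the USB device ejected) but only monitors ws-007, where the endpoint evidence is not backed by the network domain, so no disruptive action is dispatched. The `min_sources` threshold is the knob a SOC would tune per action severity.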
The possibilities are endless. Companies are already demonstrating, through their demand for collective security intelligence, that they are working to solve these incredibly important security problems.
Haiyan Song, SVP of Security at Splunk