During my time in cybersecurity I have seen a number of different installations and architectures. I have also seen all the horror stories, and most of the strangeness that is out there. And with that time and experience, I’ve come to a realisation that you cannot group security capabilities or maturity in a sizing model. This is because they each have a unique set of challenges that make security complex.
Whether a company is large or small, it is my belief that security can never be considered to be simple. There are too many choices, too many tools, too many avenues to consider and too much constant change for all security people everywhere to catch up. So, we end up leap frogging, especially as it relates to tools. Buyers are generally looking for the shiny new item so they can feel more secure and create a perception of additional safety. Unfortunately, the latest technology often doesn’t make security simple.
So how can companies large and small make security simpler? It comes by looking at their architecture — the picture as a whole. If you look at any large security vendor today, they are all discussing one common theme. That is, a secured architecture speaking the same language and using the information from disparate security devices to update or augment the inherent protections found in each individual tool. Sounds fantastic, right? Companies will be able to buy everything from a single vendor and they will all play nice together… sometimes.
However, what if you could create your own architecture? What if you could communicate through context and a common vernacular about what’s occurring in your network to other users directly? This would allow Incident Response, Vulnerability Scanning, Threat Intel, Endpoint, and Network Ops to speak the same language and understand what is knocking on the door and how that relates to the call-out seen on the endpoint. Most importantly, what if you could do all this with the tool set you already have? The ultimate goal would be to select the right tool for the job at the right time, so the ultimate answer is to create your own architecture. This way, you can find and use the tools that give you the most measurable value and use them to their full potential inside your security space. The question becomes: how do you go about building that architecture?
The first holistic piece to be handled is a simple dictionary. The security industry may seem outlandish, but think for a moment on the number of times you have spoken in an acronym, or used a code word for a project that your company is monitoring. Does the person you are speaking to really understand what you are talking about? This is a central problem, and it is the value that ThreatQ’s Threat Library can bring to your organisation. It provides the dictionary, context and internal reference information for a simple request, allowing everyone that interacts with the system to understand. What used to take weeks, compiling information and questioning multiple groups, can now be queried directly from the system.
The second holistic piece has already been hinted at — an information exchange. This is a system built to create and provide referential data to multiple systems in ways that natively make sense to the consumer. Being able to reduce the Time to Detection of an issue is critical in security. Where Google was once the answer, ThreatQ has the answers already built in. Using Open Exchange and Threat Library, that decision is now repeatable and explainable.
The third holistic piece is a simple curation of data. We need to be able to quickly determine which alert is valid, which tool has valid results, and whether the information that has been received externally has valid elements for our internal needs. Having pre-built or automated curation of data within a Threat Library allows a user to focus on the analytics side of the house and allows the systems in place to get new data, enrich that data, and even score or prioritise it for transmission to other teams or systems in a standardised way.
Let’s face it, we are constantly looking for systems to make our life simpler, but in security there are no interchangeable parts. Instead, we have to find ways to automate what we can to present a combined, referenceable and context-laced data set so that humans can make a final decision. Security is not simple enough to automate it away successfully. But it can be made simpler by making the human smarter, so events, logs and analysis can be moved through in a faster and more repeatable manner.
Steve Rivers, Threat Intelligence Engineer, ThreatQuotient