If you spend a lot of time with security vendors and testing their products, you are likely bombarded with sales pitches touting the “next generation” of X, “real-time prevention” of Y, or “advanced” Z. These are all good things, but studies suggest security professionals are in short supply, and they are busy fighting fires caused by current products and lack the time to evaluate new ones. Our intent is to provide a five-point guide for security professionals looking to embark on the path of security enlightenment.
In our experience through meeting with more than 1,000 organizations evaluating security products and services, the following considerations resonate:
No one gets excited about buying point products. An all too common customer pain point is the lack of context associated with a partial view of a security event. A full picture and visibility into what is happening across the network, the endpoint, the user and the device is needed. This includes an understanding of what is happening on cloud networks not fully owned or controlled by the organization. Correlation of netflow, full packet capture and logs in a comprehensive platform is needed to illuminate the full picture.
How connected is your security architecture? How many disparate products and management consoles power your security program? It’s shocking that most security products are not extensible and prefer insularity to connectivity. If you are using products that don’t have APIs or if these are “coming in future releases,” you are using the wrong products. If you are using products that only connect to other products from the same vendor then you are using the wrong products. Are you forced to consume your vendor’s “premium” threat intelligence at the expense of discontinuing the “free” intelligence you had been using? Modern platforms are built with extensibility and ecosystems as a key design goal.
A growing number of security professionals benefit from the unconstrained processing power and unlimited forensic windows enabled by cloud-powered security platforms. Legacy security vendors are also keen observers of this shift and have started “cloud washing” their legacy platforms. When a traditional security appliance vendor says you can use their firewall or web gateway on cloud infrastructure, you should be highly skeptical. These products are virtual appliances of the original hardware spec, not architected to be delivered from, or in, the cloud, and are often minimally featured. Improving and automating existing threat detection by implementing a data science approach and training the resulting models with billions of attributes is another inherent benefit of the cloud. These approaches do not work with legacy products. Products architected in and for the cloud are relatively uncommon but should be prioritized over legacy approaches.
According to Gartner, “Adversary dwell time (the time a person or group are inside an environment undetected) is still a serious problem today. Organizations are still taking a long time to find out that they have been breached.” Real-time detection of complex security threats is necessary but often elusive. What is needed is a new approach that takes the latest, updated threat intelligence and replays historical network traffic and packet data to discover threats that were previously missed. This “retrospective” approach to continuous analysis introduces the concept of time into the security paradigm. Organizations that are trying to detect and prevent security threats in real time should also expand their efforts to include retrospective analysis. Not only do you shorten the adversary dwell time but you can use what you discover in the past to inform predictive discovery of security threats using this historical context and knowledge.
It is no longer acceptable that security be constrained to certain network locations or to certain underlying compute platforms. Security needs to be a utility which can be flexibly deployed where and when needed. Organizations should be able to collect and store relevant contextual information for as long as it is needed and valuable. The ability to store this information for an essentially unlimited amount of time is invaluable when news of a new zero-day vulnerability breaks and security teams have to conduct a forensic investigation to determine whether that vulnerability has ever impacted the business. Organizations need to extend the power of security simply and easily into the cloud. While it is possible to send cloud traffic through legacy security products such as firewall and gateway appliances, it often requires architecting them into the cloud from the start.
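The retrospective analysis described two paragraphs above, and the long-retention forensic lookup this paragraph calls for, both come down to the same operation: replay retained connection records against an indicator set that did not exist when the traffic was seen, and measure how long the newly revealed activity went unnoticed. The following is an added illustration, not code from the original article or from any vendor product; the flow records, the two indicator sets, the documentation-range addresses and the detection time are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FlowRecord:
    """One retained connection summary (netflow-style, with TLS SNI if seen)."""
    ts: datetime          # when the connection was observed
    src: str              # internal host
    dst: str              # external destination IP
    dst_port: int
    sni: str = ""         # TLS server name, empty if none was observed


# Constructed sample history: six weeks of retained flow records for a few
# internal hosts. Addresses are from the RFC 5737 documentation ranges.
RETAINED_FLOWS = [
    FlowRecord(datetime(2016, 2, 1, 10, 15), "10.0.0.12", "198.51.100.7", 443),
    FlowRecord(datetime(2016, 2, 3, 22, 40), "10.0.0.31", "203.0.113.44", 443, "update-cdn.example"),
    FlowRecord(datetime(2016, 2, 20, 8, 5), "10.0.0.31", "192.0.2.10", 443, "www.example.com"),
    FlowRecord(datetime(2016, 3, 10, 3, 12), "10.0.0.45", "203.0.113.44", 8443),
    FlowRecord(datetime(2016, 3, 14, 17, 30), "10.0.0.12", "192.0.2.10", 80),
]

# Constructed indicator sets: what was known when the traffic was seen,
# and the refreshed feed that arrived later.
INTEL_AT_THE_TIME = {"ip": {"198.51.100.7"}, "domain": set()}
INTEL_REFRESHED = {
    "ip": {"198.51.100.7", "203.0.113.44"},
    "domain": {"update-cdn.example"},
}

# Constructed moment at which the refreshed feed is replayed over history.
DETECTION_TIME = datetime(2016, 3, 15, 9, 0)


def match_flow(flow, intel):
    """Return the indicators a single flow matches (empty list if clean)."""
    reasons = []
    if flow.dst in intel["ip"]:
        reasons.append(f"ip:{flow.dst}")
    if flow.sni and flow.sni in intel["domain"]:
        reasons.append(f"domain:{flow.sni}")
    return reasons


def replay(flows, intel):
    """Re-run every retained flow against an indicator set, oldest first."""
    hits = []
    for flow in sorted(flows, key=lambda f: f.ts):
        reasons = match_flow(flow, intel)
        if reasons:
            hits.append((flow, reasons))
    return hits


def retrospective_report(flows, old_intel, new_intel, now):
    """Report what the refreshed intel reveals that the old intel did not,
    which internal hosts are involved, and the dwell time measured from the
    earliest newly revealed flow to the moment of detection."""
    already_known = {flow for flow, _ in replay(flows, old_intel)}
    newly_found = [(f, r) for f, r in replay(flows, new_intel) if f not in already_known]
    if not newly_found:
        return {"newly_found": [], "hosts": [], "earliest": None, "dwell": timedelta(0)}
    earliest = newly_found[0][0].ts  # replay() yields hits in time order
    hosts = sorted({f.src for f, _ in newly_found})
    return {"newly_found": newly_found, "hosts": hosts, "earliest": earliest, "dwell": now - earliest}


if __name__ == "__main__":
    report = retrospective_report(RETAINED_FLOWS, INTEL_AT_THE_TIME, INTEL_REFRESHED, DETECTION_TIME)
    print(f"{len(report['newly_found'])} flows missed at the time; "
          f"earliest {report['earliest']}; dwell {report['dwell']}")
    for flow, reasons in report["newly_found"]:
        print(f"  {flow.ts}  {flow.src} -> {flow.dst}:{flow.dst_port}  {', '.join(reasons)}")
```

The point of the example is the data retention, not the matching logic: the second and fourth flows match nothing in the feed that was current in February, so a real-time-only control would have passed them, and the only reason they can be surfaced in March is that the records were still there to replay. The dwell figure that falls out of the earliest newly revealed flow is the number the Gartner quote above is concerned with.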
Security teams will be stretched thin, and the jobs they perform will become increasingly complex. This results from the continued proliferation of attacks and of the skills required to understand what is happening, amid the lack of situational awareness that exists in most organizations. To meet these challenges, practitioners should consider the above criteria when evaluating new solutions and approaches.
About Ramon Peypoch
A proven leader in the security industry, Ramon Peypoch is responsible for product strategy, development and market delivery. Prior to ProtectWise, he was Vice President, Web Protection at McAfee.