How to Build an Integrated Technology Stack for Your Security Practice

essidsolutions

Detecting, identifying, and responding to cyber threats require a technology stack that provides visibility into all levels of the IT environment; collects, correlates, and analyzes data; and automates many security functions. With so many new security solutions on the market, how do you decide which technologies are best for your business?

Table of Contents

Why Has the Security Stack Become More Important—and More Complicated?

Essential Components of a High-Performing Security Stack

4 Tips for Choosing the Right Technology

What if You Can’t Build the Technology Stack Your Business Really Needs?

Conclusion

Why Has the Security Stack Become More Important—and More Complicated?

Nobody questions the need for strong cybersecurity to counter a growing volume of threats. The question is how best to achieve it, especially at a time when security skills are in short supply and security teams are inundated with new, state-of-the-art technology solutions.

A good cybersecurity practice depends on people, processes, and technology. People provide the knowledge and experience needed to recognize serious threats and make important response and remediation decisions. Processes are the procedures and playbooks that spell out which actions a team needs to take in a range of attack scenarios. The technology solutions are the tools of the trade. Security professionals use those tools to monitor network traffic, detect threats, analyze incidents, and orchestrate proper threat responses.

People, processes, and technology all contribute to a security practice’s overall effectiveness. If highly skilled security people lack the tools they need to detect and respond to suspicious activity, their skills will be wasted. At the same time, if a security practice has all the latest technologies but lacks the skills to put them to good use, that investment in technology will be wasted.

Why are so many new security technologies coming to market now, and why is this growth proving to be such a challenge for security teams? Several key forces are at work here:

  • The IT environments security practices must protect have become more complex. The old network perimeter has vanished, and there is no longer a simple way to gate access to your network environment. Today's IT environments consist of legacy technology running side by side with multiple cloud instances; connected mobile devices of every kind, including tablets, phones, and watches; virtual services and microservices that spin up and spin down in minutes; and all of these in such quantities that simply tracking them becomes a major challenge. The attack surface has become large and complex, and attackers take full advantage of it.
  • Threats have become more complex. In the early days of cybercrime, you had to worry about rogue hackers messing up your systems. Today, cybercrime is an industry that generates hundreds of billions of dollars in revenue. It uses the most advanced technologies, many of which are now readily available to anyone with even modest technical skills. In addition to well-equipped rogues and highly organized, well-funded criminal enterprises, nation-states are active participants in cybercrime, driven by motives that include disrupting systems, stealing data, and generating revenue through theft or extortion.
  • Data assets have become more valuable to the business and critical to its survival. Businesses of all kinds depend on data and computer-driven processes. As a result, their data are more valuable to them than ever. Like any other valuable asset, the greater its value, the more attractive a target it becomes for bad actors. Some data have intrinsic market value that makes them worth stealing and selling. Even data that have little market value can be critical to the business that owns them. Such data become ripe for ransomware, and companies' willingness to pay handsomely to get their data back has made ransomware one of the most common and lucrative forms of attack. The value of business data, and the risk to the business if it is lost, has led businesses to invest more and more in new cybersecurity technology. That is a big driver behind the growth in new product offerings.

Another important factor behind the growth in the numbers and complexity of security products is that many new security tools have capabilities enhanced by advanced analytics and artificial intelligence. These tools are capable of ingesting and analyzing large quantities of activity data. They are more predictive, and some have automation capabilities. Some are highly specialized point solutions, while others are traditional tools with expanded capabilities. Still others are entirely new categories of technology. Many have overlapping functions, and as these security tools become more intelligent, choosing and implementing the right ones becomes more difficult. To further complicate matters, most cloud service providers offer their own security tools that you can use to secure your deployment in their cloud.

With all these options, how can you be sure that you’re building the right technology stack to secure your environment? How do you avoid wasting money on redundant services? How do you know if the security stack you’re building will provide adequate protection?

Essential Components of a High-Performing Security Stack

To answer questions about which security technologies you need, you must understand the essential technical functions a security stack must perform.

The goal of cybersecurity is to protect, detect, identify, respond to, and recover from threats to the IT environment. To accomplish these goals, the security practice needs visibility into what is happening in the environment and into the configurations that enable those activities. It must also be able to analyze those activities to determine whether they are threatening, and it must be able to respond to threats in an appropriate and timely manner.

To perform all these tasks effectively and efficiently, the security practice needs four buckets of security technology:

  • Technology that protects and provides data at the network and device levels. This includes a variety of security tools configured for the networks, connections, and devices in your environment. These tools provide front-line defenses against known threats, but they also generate logs and alerts that can be analyzed and correlated to help identify potential threats. Commodity technologies such as antivirus and antimalware software, firewalls, and gateways fall into this category. Endpoint detection and response tools that monitor activity at the device level, and more advanced intrusion-detection tools that monitor everything in the network, including cloud activity, user account activity, and security configurations, are also important because they provide deeper visibility into the environment. Some of these tools use machine learning to baseline normal behavior for a host, user, or network segment and to alert on deviations from that baseline. The security stack must match observed IP addresses, email addresses, domains, and file hashes against known-bad indicators to block known threats, but it must also perform deep packet inspection, analyze trends in network traffic, and correlate real-time activity with logged data from across the network. The stack must also have visibility into cloud services and virtual private networks as well as on-premises systems and mobile devices. All this visibility generates enormous amounts of data, which is why a security practice also needs a security information and event management (SIEM) system.
  • Security information and event management. A SIEM system is technology that aggregates security data from all sources in the network for correlation and analysis. By consolidating network traffic and log data into dashboards, the SIEM system makes all those data intelligible to security analysts. It also handles large volumes of data that could never be processed manually. A SIEM system typically contains analytical tools that enable the security teams to view data in different ways so that they can better identify suspicious patterns. With enough data from enough sources, the SIEM platform can help analysts see correlations between seemingly unrelated events and activities in the IT environment. SIEM systems are also useful for consolidating data into reports that define an organization’s risk profile for the benefit of executives, decision makers, and stakeholders who are not security experts. A SIEM platform enriches the rest of the security stack by better using data generated by tools that protect the network and monitor data activity.
  • Threat intelligence. Threat intelligence platforms integrate with SIEM systems to provide context for alerts. Many technologies in the security stack generate alerts. A common problem in working with modern security tools is alert fatigue, which results when analysts face so many alerts that they cannot investigate them all. Unfortunately, some of those uninvestigated alerts will be genuine attacks. Threat intelligence uses correlated SIEM data to help identify the alerts that genuinely merit investigation, and it provides enough context that an analyst can quickly see where the alert came from and which systems its activity has affected. Threat intelligence also matches suspicious activity against indicators from threat feeds (known-bad IP addresses, domains, file hashes, and the like), which helps identify exactly what kind of threat that activity represents. Threat intelligence not only speeds detection and analysis of known threats but enables security analysts to quickly shift to deeper investigations that can uncover other, previously undetected activity. For these reasons, threat intelligence is a valuable tool for threat hunting.
  • Security orchestration, automation, and response (SOAR). SOAR is a security technology that performs two main tasks:
    ◦ It automates tasks that security staff would otherwise perform manually, such as running vulnerability scans, querying logs, provisioning new users, and deprovisioning inactive accounts. It also automates responses to alerts based on predefined playbooks, which is especially useful for handling the large volumes of alerts that a SIEM system generates, and it can filter out recurring false-positive alerts from tools in the stack that are difficult to tune accurately to the environment. In that way, SOAR helps reduce alert fatigue.
    ◦ It orchestrates operations that involve two or more tools in the security stack, and it helps automate event analysis by integrating and correlating outputs from those tools.
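As an added example (not code from the original article or from any product it mentions), the following Python script does in miniature what the SIEM and threat-intelligence layers above describe: it normalizes constructed log lines from a firewall, an authentication service, and an EDR agent into one event schema, enriches each event against a constructed threat-intelligence feed of known-bad IP addresses and file hashes, and applies one cross-source correlation rule (repeated failed logins from one IP followed by a success, escalated if the same host then executes a file with a known-bad hash). The log formats, the `THREAT_INTEL` feed, the thresholds, and the field names are all assumptions made for the example.

```python
"""Toy SIEM-style pipeline: normalize multi-source logs, enrich with threat
intelligence, and correlate across sources. Added example, not any vendor's
product. Every log line and indicator below is constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three tools, each in its own key=value format.
RAW_LOGS = [
    "2024-05-01T10:00:01Z fw action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:05Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T10:00:09Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T10:00:12Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T10:00:20Z auth host=web01 user=admin src=203.0.113.7 result=OK",
    "2024-05-01T10:01:02Z edr host=web01 user=admin proc=/tmp/x sha256=" + "a" * 64,
    "2024-05-01T10:05:00Z auth host=db01 user=bob src=198.51.100.4 result=OK",
    "2024-05-01T10:05:30Z edr host=db01 user=bob proc=/usr/bin/ls sha256=" + "b" * 64,
]

# Constructed threat-intelligence feed: indicator -> context a real feed would supply.
THREAT_INTEL = {
    "ip:203.0.113.7": "scanner seen brute-forcing SSH (constructed feed entry)",
    "sha256:" + "a" * 64: "known credential stealer (constructed feed entry)",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<rest>.*)$")


def normalize(line):
    """Parse one raw line into a common event dict; unparseable lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # in practice, count these: parser gaps are blind spots
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "source": m.group("source"),
        "host": fields.get("host"),
        "user": fields.get("user"),
        "src_ip": fields.get("src"),
        "sha256": fields.get("sha256"),
        "result": fields.get("result"),
        "proc": fields.get("proc"),
    }


def enrich(event):
    """Attach threat-intel context when the event carries a known-bad indicator."""
    hits = []
    for key in (f"ip:{event['src_ip']}", f"sha256:{event['sha256']}"):
        if key in THREAT_INTEL:
            hits.append(THREAT_INTEL[key])
    event["intel"] = hits
    return event


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Cross-source rule: >= fail_threshold failed logins from one IP inside the
    window, then a success; escalate to high if that host then runs a
    known-bad file (EDR event enriched by threat intel)."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["source"] == "auth":
            by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        success = None
        for e in evs:
            if e["result"] != "OK":
                continue
            recent = [f for f in fails if e["ts"] - window <= f["ts"] <= e["ts"]]
            if len(recent) >= fail_threshold:
                success = e
                break
        if success is None:
            continue
        alert = {"rule": "brute_force_success", "severity": "medium",
                 "host": success["host"], "user": success["user"],
                 "src_ip": ip, "intel": list(success["intel"])}
        for e in events:  # escalation: malicious execution after the login
            if (e["source"] == "edr" and e["host"] == success["host"]
                    and e["ts"] >= success["ts"] and e["intel"]):
                alert["severity"] = "high"
                alert["proc"] = e["proc"]
                alert["intel"] += e["intel"]
        alerts.append(alert)
    return alerts


def run_pipeline(lines=RAW_LOGS):
    events = [enrich(ev) for ev in (normalize(line) for line in lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the constructed input this produces a single high-severity alert for web01 that carries both threat-intel hits, while the benign login on db01 produces nothing. The point is the one the article makes: neither the firewall denial, the failed logins, nor the EDR process event is alarming on its own; the alert only exists because three sources were normalized into one schema and correlated by host and source IP, with the feed supplying the "what kind of threat" context.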

SOAR speeds response to alerts and real threats, which is critical at a time when many attacks move fast. Faster responses mean that attacks can be blocked and mitigated more quickly. SOAR also frees security analysts from routine manual tasks so that they can apply their analytical skills to more challenging threats or work through the parts of a response plan that are too complex to automate. The net result is a more effective security practice.
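As an added example (not code from the original article or from any SOAR product), this Python script is a minimal playbook runner of the kind the SOAR section describes: it suppresses known false positives before anything else runs, maps alert severity to actions across two simulated tools (a firewall and an EDR), records every action in an audit trail, and holds disruptive actions on critical hosts for human approval rather than executing them blindly. The alert schema, the `SUPPRESSIONS` and `CRITICAL_HOSTS` sets, and the simulated `Tools` class are assumptions made for the example; real connectors would call the vendors' APIs.

```python
"""Toy SOAR playbook runner. Added example, not any vendor's product.
Tool integrations are simulated in memory; alerts and rules are constructed."""
from dataclasses import dataclass, field

# Constructed suppression list: (rule, source IP) pairs known to be benign noise,
# e.g. the authorized vulnerability scanner tripping the brute-force rule.
SUPPRESSIONS = {("brute_force_success", "192.0.2.50")}
# Hosts where automated isolation would be an outage, so a human must approve.
CRITICAL_HOSTS = {"db01"}


@dataclass
class Tools:
    """Simulated firewall, EDR, and ticketing connectors plus an audit trail."""
    blocked_ips: set = field(default_factory=set)
    isolated_hosts: set = field(default_factory=set)
    tickets: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def firewall_block(self, ip, alert):
        self.blocked_ips.add(ip)
        self.audit.append(("firewall_block", ip, alert["id"]))

    def edr_isolate(self, host, alert):
        self.isolated_hosts.add(host)
        self.audit.append(("edr_isolate", host, alert["id"]))

    def open_ticket(self, alert, note):
        self.tickets.append({"alert": alert["id"], "note": note})
        self.audit.append(("ticket", alert["id"], note))


def run_playbook(alert, tools):
    """Apply the playbook to one alert; return the list of actions taken or queued."""
    actions = []
    # Step 1: drop known false positives so they never reach an analyst.
    if (alert["rule"], alert.get("src_ip")) in SUPPRESSIONS:
        tools.audit.append(("suppressed", alert["id"], alert["rule"]))
        return ["suppressed"]
    # Step 2: low severity gets a ticket for review, no automated blocking.
    if alert["severity"] == "low":
        tools.open_ticket(alert, "low severity, analyst review")
        return ["ticket"]
    # Step 3: medium and above, block the external source IP (cheap, low risk).
    if alert.get("src_ip"):
        tools.firewall_block(alert["src_ip"], alert)
        actions.append("firewall_block")
    tools.open_ticket(alert, f"{alert['severity']} severity {alert['rule']}")
    actions.append("ticket")
    # Step 4: high severity isolates the host, unless it is critical, in which
    # case the action is queued for approval instead of executed.
    if alert["severity"] == "high":
        if alert["host"] in CRITICAL_HOSTS:
            tools.pending_approval.append(("edr_isolate", alert["host"], alert["id"]))
            actions.append("isolate_pending_approval")
        else:
            tools.edr_isolate(alert["host"], alert)
            actions.append("edr_isolate")
    return actions


def handle_alerts(alerts):
    """Run the playbook over a batch; return per-alert actions and tool state."""
    tools = Tools()
    results = {a["id"]: run_playbook(a, tools) for a in alerts}
    return results, tools


# Constructed alerts in the shape a SIEM correlation rule might emit.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "brute_force_success", "severity": "high",
     "host": "web01", "src_ip": "203.0.113.7"},
    {"id": 2, "rule": "brute_force_success", "severity": "medium",
     "host": "web02", "src_ip": "192.0.2.50"},
    {"id": 3, "rule": "malware_hash", "severity": "high",
     "host": "db01", "src_ip": None},
    {"id": 4, "rule": "port_scan", "severity": "low",
     "host": "web01", "src_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    results, tools = handle_alerts(SAMPLE_ALERTS)
    for alert_id, acts in results.items():
        print(alert_id, acts)
    print("audit:", tools.audit)
```

Two design choices matter here for a practitioner. The suppression check runs first, because filtering known noise is the cheapest way SOAR reduces alert fatigue, and it is logged rather than silently dropped so that a bad suppression rule is still discoverable. The approval gate for critical hosts is the caveat that automation articles tend to omit: a playbook that isolates a production database on a single correlation hit is itself an availability incident, so the disruptive step is queued for a human while the low-risk steps (blocking the source IP, opening the ticket) still run immediately.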

4 Tips for Choosing the Right Technology

Although every security practice must perform the basic functions of protecting, detecting, identifying, and responding to threats, no two IT environments are identical.

Different businesses have different data risk profiles, different IT infrastructures, and different security budgets, all of which influence decisions about which tools they need. Without getting into an analysis of the many hundreds of security products on the market today, here are four tips that will help you make decisions about which solutions are best suited to your business:

  • Have a security strategy. Before investing in one new security tool, you need to know what you have, what you’re lacking, and what your security practice must do that it is not currently doing. That requires a holistic review of the security practice.

Too many security practices identify a problem, and then rush out to buy a tool. They discover that they don’t have the expertise to fully implement the tool. Or, they implement it, and then forget about it, believing that they’re secure while the tool’s effectiveness declines over time. Too many security practices have too much underperforming or nonperforming technology.

Assess what you have, what its capabilities are, and whether it can cost-effectively contribute to the security you really need. In this way, you will identify gaps in your security practice and your technology stack. Otherwise, you will almost certainly invest in technology that won’t solve your security problem.

  • Integration is key. Your security practice will always underperform if you think of the security stack as a collection of independent, specialized applications. A SIEM or SOAR platform won't deliver value if it cannot communicate with network security tools, and vice versa. The ability to look deep into the IT environment, detect suspicious activity, and respond quickly depends entirely on having tools in the security stack that share data.

Note that many vendors claim interoperability with other security applications but fall short on that promise. In practice, such interoperability often requires writing and maintaining custom integration code to make the tools work together.

  • Avoid proprietary solutions. Some solution providers offer services that depend on their own highly proprietary code or data formats. Such solutions are difficult to implement, hard to integrate with the rest of the stack, and costly to maintain over time. Stick with well-known, best-of-breed solutions so that you can spend more time analyzing results than setting up tools.
  • Minimize redundant functionality in your layered defenses. If you take a nonstrategic approach to technology purchases and combine that with the trend of vendors adding new capabilities to their products, you set yourself up for a technology stack that blasts meaningless alerts at you without increasing your security. To avoid too much noise from too many tools, select tools that complement each other rather than ones that duplicate each other's functions and double the noise.

What if You Can’t Build the Technology Stack Your Business Really Needs?

The ideal security stack includes complementary technologies for network protection and detection, data aggregation, threat intelligence, security orchestration, and automation. But, many businesses do not have the resources they need to build and maintain these capabilities.

Just as threats are constantly evolving, so too are defensive technologies and network architectures. To keep up, security practices must continuously research and test new products. They must always evaluate the threat landscape. In addition, it’s not just about the technology. To get the most out of a security stack, the security team needs skills to implement and maintain those tools.

An increasingly attractive option for many businesses is engaging a managed security service provider (MSSP) to cover some portion of their security program. Doing so doesn't remove all security responsibilities from the business, however. Although MSSPs can take on many routine aspects of running a security program, the business still needs to actively develop its security strategy to support an appropriate level of risk mitigation. It must also work with the MSSP to triage complex threat events. In the event of an actual breach, the MSSP will play an important role in the response.

One big advantage that comes with an MSSP is its security stack. When a business engages with an MSSP, the technology that MSSP uses becomes part of the business' security stack—an important consideration. The MSSP is a cybersecurity business staffed by security professionals whose livelihood depends on having integrated, state-of-the-art security technologies. To remain competitive, MSSPs must maintain their technology stack, which means that any business contracting for their services will immediately realize the benefits of their high-value security technology.

Conclusion

It’s long been said that the only security practices that have never suffered a breach are those that have not yet discovered the breach that has already happened.

Today’s reality is that we are living in a world of persistent, automated, multivector attacks that keep trying until they penetrate the network, and even then their work has just begun. Operating with a strong security program has become a business necessity. At the heart of today’s successful security practice is a well-integrated technology stack that provides visibility into all levels of the IT environment; collects, correlates, and analyzes data; and automates many security functions for fast detection and response.

The key to building an integrated security stack is to honestly consider your current strengths and weaknesses, and then build a complementary tool set that will enable you to reach your security goals. If you don’t have the resources to do it in house or you cannot build it fast enough, consider an MSSP that can deliver the capabilities your business demands.