Organizations can protect themselves against advanced threats by adopting the right strategy. This strategy involves getting the right players on the field, with a complementary set of skills that gives the team the right mix of capabilities. In deploying security products into your IT environment, you are looking for the right mix of solutions (security monitoring, protection, analysis, analytics and response capabilities) in order to cover the field. Deploying an effective and efficient set of security solutions provides maximum benefit, improving operational efficiency and reducing cost.
But how do you find the right set of players?
Here are some key ingredients for fielding the right team:
- Prevention is Mandatory. Traditional methods of prevention have often failed, leaving many to believe detection is the only way forward. This is a dangerous proposition.
- Security Intelligence is the Underpinning. Specialized knowledge in one domain is not enough. It takes enterprise-wide visibility and maximum use of data to stop today’s threats.
- Integration Enables Protection. The best defense is relentless improvement. Technologies must seamlessly integrate with processes and people across the entire life cycle of attacks.
- Openness Must Be Embraced. Security teams need the ability to share context and invoke actions between communities of interest and numerous new and existing security investments.
Let’s examine how we can select security solutions that provide a good mix of capabilities and deliver the elements above. In this example, we will focus on protecting our applications from denial of service and web-based attacks. We will need to proactively monitor and analyze our network and application traffic to discover these attacks and raise a security event when suspicious behavior is found. To cover the first point, we will deploy a security solution that discovers and reports on these types of attacks.
For the second point, we will need to deploy a SIEM to enable correlation of these security events, as there will be a very large number of events throughout our enterprise. We will need to filter, correlate and prioritize these events so that our operations team is not flooded and can focus on a clearer set of security incidents. These tools are key players in our threat protection system. But we must be careful about how we select these products. If they do not provide integration and share context, we will struggle with interpreting each product’s individual user interface, detailed analysis and viewpoint, and suffer longer operational response times as a result.
Let’s take a look at Radware DefensePro, AppWall and IBM QRadar SIEM. These products were built with a focus on strong integration capabilities. The integration of our DDoS product (DefensePro) and Web Application Firewall (AppWall) into the IBM QRadar SIEM enables joint customers to correlate the events of these network or application attacks with other information and events across the enterprise. This is an increasingly critical capability as we see the growth of complex attack campaigns in which DDoS tactics or application logic attacks don’t work alone, but rather as part of a broader wave of attacks with multiple TTPs.
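To make the filter/correlate/prioritize step concrete, here is an added illustration (not Radware’s or IBM’s code, and not the actual event format either product emits) of the kind of correlation rule a SIEM applies to a stream of normalized events. The sample events, the ten-minute window, the "IdP" source standing in for other enterprise telemetry, and the priority scheme are all constructed assumptions; single stray events are filtered out as noise, repeated hits from one source become a medium incident, and a source that trips several different TTPs is ranked first, matching the multi-TTP campaign pattern described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as a SIEM might hold them after normalization:
# (ISO timestamp, reporting product, source IP, attack category).
# This is an illustrative layout, not a real DefensePro/AppWall/QRadar format.
EVENTS = [
    ("2024-01-01T10:00:01", "DefensePro", "203.0.113.7", "ddos_syn_flood"),
    ("2024-01-01T10:00:05", "DefensePro", "203.0.113.7", "ddos_syn_flood"),
    ("2024-01-01T10:00:09", "DefensePro", "203.0.113.7", "ddos_syn_flood"),
    ("2024-01-01T10:03:30", "AppWall", "198.51.100.4", "sql_injection"),
    ("2024-01-01T10:04:10", "AppWall", "198.51.100.4", "sql_injection"),
    ("2024-01-01T10:05:00", "IdP", "198.51.100.4", "auth_failure"),  # constructed non-Radware source
    ("2024-01-01T10:05:02", "IdP", "198.51.100.4", "auth_failure"),
    ("2024-01-01T11:30:00", "AppWall", "192.0.2.9", "sql_injection"),  # lone event, filtered as noise
]


def _summarize(src, bucket):
    """Turn one bucket of events from a single source into an incident record."""
    products = {p for _, p, _ in bucket}
    categories = {c for _, _, c in bucket}
    # Several distinct TTPs from one source is the "broader wave" pattern and
    # outranks a single repeated signature (priority 2 vs 1; assumed scheme).
    priority = 2 if len(categories) > 1 else 1
    return {"source": src, "products": sorted(products), "categories": sorted(categories),
            "event_count": len(bucket), "priority": priority}


def correlate(events, window=timedelta(minutes=10), min_events=2):
    """Group events by source IP inside a time window and rank the groups.

    Sources producing fewer than min_events inside a window are dropped, so the
    operations team sees a short, ordered list of incidents rather than raw events.
    """
    by_src = defaultdict(list)
    for ts, product, src, category in sorted(events):  # ISO timestamps sort lexically
        by_src[src].append((datetime.fromisoformat(ts), product, category))

    incidents = []
    for src, evs in by_src.items():
        bucket = []
        for ev in evs + [None]:  # None is a sentinel that flushes the last bucket
            if bucket and (ev is None or ev[0] - bucket[0][0] > window):
                if len(bucket) >= min_events:
                    incidents.append(_summarize(src, bucket))
                bucket = []
            if ev is not None:
                bucket.append(ev)
    # Multi-TTP campaigns first, then by volume within the same priority.
    incidents.sort(key=lambda i: (i["priority"], i["event_count"]), reverse=True)
    return incidents


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```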
This focus on integration supports what we would call automated attack lifecycle management: minimizing the need for humans to do information or event correlation so that they can instead focus their energy on strategic security decisions that balance threat with risk and response. Fight bots with bots, we would say. Allow the automated security technologies that are tuned to the pace of the threat landscape to make the initial policy changes, and apply human decision making at a higher level.
For more information, visit our IBM Technology Partnership page.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Russ has extensive experience (38 years) in systems, network, applications, business systems, storage and security. Russ worked in Tivoli and IBM enterprise management on business systems management, applications management, network management, LAN management, systems, and middleware and storage management. Russ has experience with mainframe and distributed products, LAN network management, internet management applications, business impact management, storage and security offerings. Russ has worked through the full life cycle of software development: product management, development, test, support, and beta programs. Russ has extensive experience within the development community and has participated in cross-company marketing efforts, standards definition and leadership, and product partnership programs. Russ has worked with the sales and marketing teams on generating and presenting collateral, internally and externally. Russ has worked with product architecture, product development and support organizations to ensure project understanding and linkage, and has also participated in these phases of the development process. Russ has experience working across teams, both within IBM and outside of IBM, including joint collateral development, defining working relationships, and developing solutions. Russ’s current role is Program Manager for technology alliances for the IBM Security group. Russ leads a team of technical staff, working with technology partners, to integrate and add value to the IBM Security product portfolio. Russ defines the group process and executes with his peers across sales, product management, development, support and services to provide technology partnership solutions that give IBM a rich ecosystem, contributing to higher customer value. Russ is the key leader for the evolution of the IBM Security ecosystem, aligning IBM strategy and development with the needs of expanding its technology partner solutions.