Organizations can protect themselves against advanced threats by adopting the right strategy. This strategy involves getting the right players on the field, with a complementary set of skills that gives the team the right mix of capabilities. In deploying security products into your IT environment, you are looking for the right mix of solutions (security monitoring, protection, analysis, analytics and response capabilities) in order to cover the field. Deploying an effective and efficient set of security solutions will provide the maximum benefit, with improved operational efficiency and lower costs.
But how do you find the right set of players?
Here are some key ingredients for fielding the right team:
- Prevention is Mandatory. Traditional methods of prevention have often failed, leaving many to believe detection is the only way forward. This is a dangerous proposition.
- Security Intelligence is the Underpinning. Specialized knowledge in one domain is not enough. It takes enterprise-wide visibility and maximum use of data to stop today’s threats.
- Integration Enables Protection. The best defense is relentless improvement. Technologies must seamlessly integrate with processes and people across the entire life cycle of attacks.
- Openness Must Be Embraced. Security teams need the ability to share context and invoke actions between communities of interest and numerous new and existing security investments.
Let’s examine how we can select security solutions that will provide a good mix of capabilities and deliver the above elements. In this example, we will focus on protecting our applications from denial-of-service and web-based attacks. We will need to proactively monitor and analyze our network and application traffic to discover these attacks and raise a security event if suspicious behavior is found. To cover the first point, we will deploy a security solution that discovers and reports on these types of attacks.
For the second point, we will need to deploy a SIEM to enable correlation of these security events, as there will be a very large number of events throughout our enterprise. We will need to filter, correlate and prioritize these events so that our operations team is not flooded and can focus on a clearer set of security incidents. These tools are key players in our threat protection system. But we must be careful about how we select these products. If they do not provide integration and share context, we will struggle with interpreting each product’s separate user interface, detailed analysis and individual viewpoint, and suffer longer operational response times as a result.
Let’s take a look at Radware DefensePro, AppWall and IBM QRadar SIEM. These products were selected with a focus on strong integration capabilities. The integration of our DDoS product (DefensePro) and Web Application Firewall (AppWall) into the IBM QRadar SIEM enables joint customers to correlate the events of these network or application attacks with other information and events across the enterprise. This is an increasingly critical capability as we see the growth of complex attack campaigns in which DDoS tactics or application logic attacks don’t work alone, but rather as part of a broader wave of attacks with multiple TTPs.
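To make the filter, correlate and prioritize step concrete, here is an added example (not code from Radware, IBM or the original post) of the kind of correlation logic a SIEM rule performs: it collapses a flood of repeated events from one source into a single incident, and escalates a source that triggers both a network-layer DDoS detection and an application-layer WAF detection inside a time window. The event records, product names as tags and the field layout are constructed for illustration and do not represent the real DefensePro, AppWall or QRadar event formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, detecting product, source IP, category).
# Three repeated SYN-flood events plus an SQLi hit from one source form a campaign;
# the other two sources each produce a single, isolated event.
EVENTS = [
    ("2024-01-01T10:00:00", "DefensePro", "203.0.113.5", "syn-flood"),
    ("2024-01-01T10:00:05", "DefensePro", "203.0.113.5", "syn-flood"),
    ("2024-01-01T10:00:09", "DefensePro", "203.0.113.5", "syn-flood"),
    ("2024-01-01T10:02:00", "AppWall", "203.0.113.5", "sqli"),
    ("2024-01-01T10:30:00", "AppWall", "198.51.100.7", "xss"),
    ("2024-01-01T11:00:00", "DefensePro", "192.0.2.9", "udp-flood"),
]

def multi_layer(evs, window):
    """True if a network-layer and an application-layer detection from the
    same source fall within `window` of each other (a cross-layer campaign)."""
    return any(p1 != p2 and abs(t1 - t2) <= window
               for t1, p1, _ in evs for t2, p2, _ in evs)

def correlate(events, window=timedelta(minutes=10)):
    """Group raw events per source into one incident each (filtering the flood),
    grade each incident, and return them highest priority first."""
    by_src = defaultdict(list)
    for ts, product, src, category in events:
        by_src[src].append((datetime.fromisoformat(ts), product, category))
    incidents = []
    for src, evs in by_src.items():
        evs.sort()
        if multi_layer(evs, window):
            severity = "high"      # DDoS plus web attack from the same source
        elif len(evs) > 1:
            severity = "medium"    # repeated single-layer activity
        else:
            severity = "low"       # one isolated detection
        incidents.append({
            "source": src,
            "events": len(evs),
            "products": sorted({p for _, p, _ in evs}),
            "categories": sorted({c for _, _, c in evs}),
            "severity": severity,
        })
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(incidents, key=lambda i: (rank[i["severity"]], -i["events"]))

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Six raw events become three incidents, and the cross-layer source is the only one an analyst needs to look at first.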
This focus on integration supports what we would call automated attack lifecycle management: minimizing the need for humans to do information or event correlation so they can instead focus their energy on strategic security decisions that balance threat with risk and response. Fight bots with bots, we would say: allow the automated security technologies that are tuned to the pace of the threat landscape to make the initial policy changes, and apply human decision making at a higher level.