The Problem with Siloed Security Products
by Andrew Gogarty, Chief Security Evangelist
02 September 2020
What is siloed security?
Organisations have invested in cyber security products and services for a number of years. However, in most cases, these security products are designed for a specific purpose. For example, an endpoint security product is designed to protect endpoint devices whilst an email security gateway is designed to ensure only safe emails reach your users and sensitive or confidential data is not sent to the wrong recipient. As a result, each of the deployed security products is only aware of the context of what’s happening within its own realm.
An endpoint security product is not going to be aware of any phishing emails detected by your email security gateway, and your email security gateway is not going to be aware of any malware detected on your endpoints.
These products are essentially operating in isolation, and that is what is meant by siloed security.
Why is siloed security a problem?
Security tools generate alerts. However, a siloed security tool can only generate alerts relevant to its own realm, since it has no context for what is happening in other protection areas.
This can result in:
- False positives: Essentially a “false alarm”, where a security tool raises an alert for something that turns out not to be a real incident.
- False negatives: When a security tool fails to detect a genuine attack or threat.
To prevent any genuine threats from negatively impacting their organisations, security teams need to monitor and react to these alerts and qualify which ones are genuine threats that require further investigation.
In order to ensure operational resilience in today’s landscape, organisations have deployed multiple security products across the various areas where users or applications interact with data. If each of these tools is operating solely in the context of its isolated discipline, the volume of alerts multiplied by the number of security tools can lead to an unmanageable number of alerts for security teams to monitor and respond to. In addition, by operating in isolation without the context of other activity, the dangerous risk of false negatives increases: an alert that looks benign on its own may be one step of an attack that is only visible when joined with activity seen by another tool.
It’s well publicised that there is a significant cyber security skills shortage globally; ISACA reports that 62% of organisations’ security teams are understaffed. With this resource shortage, it’s paramount to ensure efficiency amongst security teams so that organisations can effectively react and respond to genuine threats.
High volumes of uncorrelated alerts can result in multiple issues that impact the speed of detection and response for security teams. These include:
- Valuable response and remediation time is wasted qualifying out false positives instead of responding to and addressing genuine threats against the organisation.
- Understanding the whole picture requires correlating these alerts, which, if done manually, is time consuming and often leads to genuine threats or malicious activity being missed; the average time to identify a breach in 2019 was 206 days (IBM’s 2019 Cost of a Data Breach Report).
- Containing or responding to genuine threats that are identified is hindered because the security team has to sift through the logs from multiple siloed security products to understand what has actually happened and what has been impacted.
In cyber security, the time it takes to detect and respond to a breach is a critical factor in minimising any operational or financial impact.
What is fuelling the problem?
Cyber-criminal activity is on the rise and is not expected to reduce for the foreseeable future whilst they generate increasing revenues for themselves by:
- Making your data unavailable or public
- Using access to your data to learn and exploit your business processes to target your customers or suppliers
- Selling your intellectual property
Historically the answer was to protect the network perimeter with security tools such as firewalls and antivirus. 10 years ago, this approach was relatively successful in ensuring data was protected and in facilitating business resilience against cyber threats.
However, there are a number of driving forces that make the approach of simply deploying security tools across multiple protection areas ineffective in today’s threat landscape.
The barriers to entry to become a cybercriminal are now almost non-existent; there are widely available malicious toolkits and “as a service” offerings on dark web criminal marketplaces.
Organisations are driving forward with the digital transformation strategies they need to both survive and thrive in their respective industries. This modern way of engaging with customers and partners not only improves customer experiences, but gives the ability to draw valuable insights from captured data to fuel business growth.
Unfortunately, one of the side effects of digital transformation is that business-critical data no longer sits behind the traditional protection layers that organisations have invested in. This can create blind spots around who is accessing that data and from what device it is being accessed. Cyber-criminals are exploiting this situation by stealing cloud platform credentials through phishing attacks or automated brute-force login attempts to gain access to this data for nefarious purposes.
What can be done to address the challenges presented by siloed security products?
There are a number of approaches that can be employed to overcome the challenges highlighted earlier in this paper. The aim should be to ensure centralised visibility and control over access to your environment and data. You cannot effectively ensure the right controls are in place without having visibility over what is happening. How can you achieve centralised visibility to understand the full picture?
1) Pull the logs together to join up the dots and get an understanding of the bigger picture
A commonly adopted approach is to take advantage of technology known as a Security Information and Event Management (SIEM) solution. SIEM tools are designed to provide a single data store into which the alerts and logs from all of your security products are consolidated. It is also recommended to enrich the dataset with third-party threat intelligence feeds to add more context about the latest threats that might not yet be detected by your security products.
From there, a SIEM solution lets you build rules that correlate the information fed into the data lake, for example joining a phishing alert from the email gateway with a malware detection on the same user’s endpoint a few minutes later into a single incident. This ensures security teams can focus on genuine security incidents rather than a stream of isolated alerts. With correlation rules, it’s also possible to prioritise incidents based on an organisation’s priority assets, data, and employees, so that security teams respond first to the most critical incidents.
Like other security products, SIEM solutions are not effective unless they are appropriately configured and maintained. The effectiveness of SIEM is dependent on leveraging human-built rules, designed to correlate the information across all of your security tools to ‘reduce the noise’ and enable incident responders to focus on the genuine threats that can impact an organisation.
The approach of deploying SIEM effectively can often be hindered for organisations that do not have the resource, skills, and capacity to efficiently maintain the solution. Many organisations have invested in SIEM whilst underestimating the resource element and failed to realise the expected value from this investment.
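The following is an added example, not code from the original article or from any SIEM product, that shows what a human-built correlation rule of the kind described above actually does. It takes normalised alerts from two siloed tools (an email gateway and an endpoint agent), joins a blocked phishing email to a malware detection for the same user within a time window, and raises the severity when the affected host is on an assumed priority asset list. The field names, sample alerts and asset register are all constructed for illustration and are not a vendor schema.

```python
"""Added example: a minimal SIEM-style correlation rule.

The events and asset list below are constructed for illustration;
they are not real logs or a real vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised alerts from two siloed tools.
# "email_gw" = email security gateway, "edr" = endpoint agent.
SAMPLE_EVENTS = [
    {"ts": "2020-09-02T09:01:00", "source": "email_gw", "user": "alice",
     "host": None, "type": "phishing_blocked", "detail": "credential-harvest URL"},
    {"ts": "2020-09-02T09:04:30", "source": "edr", "user": "alice",
     "host": "LAPTOP-17", "type": "malware_detected", "detail": "trojan downloader"},
    {"ts": "2020-09-02T11:30:00", "source": "edr", "user": "bob",
     "host": "WS-22", "type": "malware_detected", "detail": "adware PUP"},
    {"ts": "2020-09-02T14:00:00", "source": "email_gw", "user": "carol",
     "host": None, "type": "phishing_blocked", "detail": "invoice lure"},
    {"ts": "2020-09-02T14:03:00", "source": "edr", "user": "carol",
     "host": "FIN-DB-01", "type": "malware_detected", "detail": "PowerShell stager"},
]

# Assumed asset register: hosts whose compromise matters most to the business.
PRIORITY_HOSTS = {"FIN-DB-01": "critical"}


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(value)


def correlate(events, window=timedelta(minutes=15), priority_hosts=PRIORITY_HOSTS):
    """Rule: phishing_blocked followed by malware_detected for the same user
    within `window` becomes one incident. Severity is 'high', or 'critical'
    when the endpoint is a priority asset.

    Returns (incidents, uncorrelated). The uncorrelated list is the residue
    of single-tool alerts that still need triage but carry no cross-tool context.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    incidents, uncorrelated = [], []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        used = set()  # indices already consumed by an incident
        for i, phish in enumerate(evs):
            if phish["type"] != "phishing_blocked":
                continue
            for j, malware in enumerate(evs):
                if j in used or malware["type"] != "malware_detected":
                    continue
                delta = parse_ts(malware["ts"]) - parse_ts(phish["ts"])
                # Enforce ordering (phish first) and the time window.
                if timedelta(0) <= delta <= window:
                    severity = "critical" if malware["host"] in priority_hosts else "high"
                    incidents.append({
                        "user": user,
                        "host": malware["host"],
                        "severity": severity,
                        "rule": "phish_then_malware",
                        "evidence": [phish["source"], malware["source"]],
                        "minutes_between": delta.total_seconds() / 60,
                    })
                    used.update({i, j})
                    break
        uncorrelated.extend(e for k, e in enumerate(evs) if k not in used)

    # Most critical first, so responders see priority-asset incidents at the top.
    rank = {"critical": 0, "high": 1}
    incidents.sort(key=lambda inc: rank[inc["severity"]])
    return incidents, uncorrelated


if __name__ == "__main__":
    found, leftover = correlate(SAMPLE_EVENTS)
    for inc in found:
        print(f"[{inc['severity'].upper()}] {inc['user']} on {inc['host']}: "
              f"{inc['rule']} ({inc['minutes_between']:.1f} min apart)")
    print(f"{len(leftover)} uncorrelated alert(s) left for manual triage")
```

Run on the constructed events, the rule produces two incidents: carol’s is ranked critical because the malware landed on the FIN-DB-01 priority asset, alice’s is high, and bob’s lone adware detection is left as an uncorrelated alert rather than being promoted to an incident. The time window, ordering check and asset list are exactly the kind of human-tuned parameters the paragraph above refers to; a window that is too narrow creates false negatives, one that is too wide drags unrelated alerts into the same incident.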
2) Consolidate security tools into an integrated set of tools that work together.
There are only a handful of security vendors that provide a truly integrated security stack that spans across most of the required protection areas. An integrated security stack leverages intelligence sharing across each of your protection areas to create a simple, joined-up approach which uses security visibility and control to protect against the latest threats.
Whilst this approach can reduce the challenges faced by security teams, it’s still recommended to leverage a SIEM tool. This ensures you can correlate security events from other security tools or devices that fall outside of that vendor ecosystem, in addition to third party threat intelligence feeds. This approach helps security teams focus on the genuine threats faced by their organisations.
3) Outsource the security monitoring to a third party
Many organisations do not have the luxury of a large security team with experience of SIEM correlation rule building and incident response. These organisations can consider outsourcing to a provider who can ingest all your security events into a hosted platform. By outsourcing to a third party, organisations can leverage their provider’s threat intelligence, gained from supporting other organisations, and their experience of building correlation rules that filter out false positives, reduce false negatives, and generate only the incidents that need your security team’s attention.
To realise maximum efficacy in ensuring operational resilience against cyber-criminals, some providers will not only be reactive to security incidents but will also proactively leverage the centralised visibility facilitated by their platform. These providers will use their threat intelligence to perform threat hunting, which can detect criminal activity that may have evaded your security defences.
Threat hunting in this context means:
- Proactively searching for cyber threats or cyber-criminal activity that have slipped past your security defences
- Using threat intelligence to gain insight into the latest cyber-criminal tactics, techniques and procedures (TTPs) and discovering whether those specific behaviours are present in the environment
The outcomes organisations can expect from this proactive, centralised approach include:
- Reduced breaches and breach attempts
- Reduced attack surface area being targeted by cyber criminals
- Increased speed and accuracy of response
- Measurable improvements in cyber security maturity
Secon Cyber take things a step further with ConnectProtect® Managed Detection and Response. We provide incident response that leverages the experience of our advanced security operations centre (SOC). This dedicated team of experienced cyber security professionals has the right skills and training to respond to cyber security incidents highlighted by our platform.
ConnectProtect® Managed Detection and Response enables organisations to take advantage of a SIEM, threat intelligence, and experienced incident responders who work around the clock to ensure genuine security incidents are addressed as quickly as possible to minimise the impact of cyber-criminal activity on your organisation. With ConnectProtect® Managed Detection and Response, all of this can be achieved by leveraging your existing security investments, without the need to staff a 24×7 SOC or invest in a SIEM tool.