The huge challenge presented by today’s attack campaigns – multi-stage attacks, with thousands of constantly evolving attack vectors – has led organizations to buy a large number of security products, and to rely on more IT data sources, in order to defend their networks.
As exciting new technologies arise – advanced network and endpoint anti-malware, network and entity behavioral analysis systems, anti-fraud, deception technologies, EDR systems, threat intelligence feeds, and many more – organizations have been piling on the products and the huge amount of data they generate. Suppliers and service providers dangle the fear of the repercussions of not deploying, and not collecting data from, a specific product or service, and of becoming vulnerable to this or that attack. The buying spree goes on, and the costs to the organization rise, but the effectiveness of the platform as a whole is often unclear and incomplete, at best.
At the end of the day, CISOs are finding it very challenging to assess the performance of the security products in their organization’s arsenal. Which product is successful in identifying a risk, providing more visibility into it, or mitigating it? Which product failed to do what it was supposed to and left the organization vulnerable? Which products were perhaps effective 6 months or a year ago, but have not evolved to be able to address current attacks? Which product was activated in which scenario, and was it the right choice? And maybe the most important question: are the different products able to work together effectively?
Many CISOs deal with the daily frustrations of not having the answers to these questions, while continuing to pay high amounts for maintaining the tools and collecting their data. Because their security platform is made up of hundreds of siloed products from dozens (or more) of different vendors, it isn’t surprising that chaos ensues. A CISO may often feel like an army general who commands a battlefield in the dark, trying to catch quick glimpses to see if his troops are heading in the right direction, and if the equipment is battle-ready. This “groping in the dark” is a handicap organizations can ill-afford in today’s tough battle against ever more sophisticated attack campaigns.
Before an organization can consider plans for advanced orchestration and mitigation or remediation, it first needs to understand what it actually holds in its hand. Shining a light onto the security apparatus is the first step – providing transparency and answers to some very basic questions, including:
- How efficiently are the products in my security architecture doing the job they were bought to do, relative to the security risk they are meant to address?
- What is the real contribution of data collected from my data sources for my security posture?
- Are the security products and other data sources really meeting my business security compliance requirements (e.g., HIPAA, PCI DSS, etc.)?
- How accurate is each product or service?
- Can I break down my security apparatus and “see” each product’s and data source’s contribution, and criticality, for the organization in terms of the cyber-kill-chain stages?
- What would have happened if I had disabled a data source?
Once we have the answers to these questions, we are much better equipped to plan the most efficient and effective security posture for the organization. The positive impact on ROI cannot be overstated. It is likely that every medium-to-large organization is paying for dozens of products and services that are redundant, outdated, or under-performing. Transparency and diagnostics can give clear answers, enabling the organization to streamline, prioritize and cut out the unnecessary fat.
Here are some feasible approaches that can bring high quality security posture assessment results:
- Security Analytics Systems – There are various security analytics solutions today that claim to be able to collect all security events from security tools and “connect the dots” in order to find out whether a real attack campaign is under way – separating noise from real, impactful security events. If these systems could also provide a break-down of “true” events vs. noise for each security vendor, this would give CISOs the required visibility into data-source effectiveness.
- Kill-chain Effectiveness (based on the MITRE framework) – It is an industry fact that some tools are better at certain types of attack techniques and tactics and are ineffective against others, and this can actually change over time. Associating the security events each tool generates with the various tactics, techniques and attack stages can help CISOs understand where each data source contributes to the organization, then identify gaps and prioritize the tools accordingly.
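The two approaches above, and the “what if I had disabled a data source?” question, can be reduced to a small computation over triaged alerts. The following is an added example, not empow’s code: it takes analyst-triaged alerts (constructed sample records with invented tool names such as `edr-a` and `legacy-av-d`), scores each data source by the share of its alerts that were confirmed real (the “true events vs. noise per vendor” break-down), maps confirmed detections to kill-chain tactics, reports tactics with no working coverage, and shows which tactics would lose all coverage if a given tool were switched off. The tactic labels are a constructed subset and the mapping from alert to tactic is assumed to already exist (for instance from each tool’s detection content).

```python
"""Per-tool effectiveness and kill-chain coverage from triaged alerts.

Added example (not empow's code). Scores each data source by the share of
its alerts analysts confirmed as real, maps confirmed detections to
kill-chain tactics, and answers "what would we lose if tool X were disabled?".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    tool: str        # data source that raised the alert (hypothetical names)
    tactic: str      # kill-chain / ATT&CK-style tactic the detection maps to
    confirmed: bool  # analyst verdict: True = real attacker activity, False = noise


# Constructed sample triage records; tool names, tactics and verdicts are invented.
ALERTS = [
    Alert("edr-a", "execution", True),
    Alert("edr-a", "persistence", True),
    Alert("edr-a", "execution", False),
    Alert("ndr-b", "command-and-control", True),
    Alert("ndr-b", "lateral-movement", False),
    Alert("ndr-b", "lateral-movement", False),
    Alert("ndr-b", "command-and-control", True),
    Alert("proxy-c", "command-and-control", False),
    Alert("proxy-c", "exfiltration", True),
    Alert("legacy-av-d", "execution", False),
    Alert("legacy-av-d", "execution", False),
]

# Tactics the organization wants covered (constructed subset for the example).
TACTICS = ["execution", "persistence", "lateral-movement",
           "command-and-control", "exfiltration"]


def precision_by_tool(alerts):
    """tool -> (confirmed, total, precision): the 'true events vs. noise' split."""
    counts = defaultdict(lambda: [0, 0])  # tool -> [confirmed, total]
    for a in alerts:
        counts[a.tool][1] += 1
        if a.confirmed:
            counts[a.tool][0] += 1
    return {tool: (tp, total, tp / total) for tool, (tp, total) in counts.items()}


def confirmed_coverage(alerts, disabled=frozenset()):
    """tactic -> set of enabled tools with at least one confirmed detection.
    Noise-only alerts do not count as coverage, even if the tool 'fires' there."""
    cov = defaultdict(set)
    for a in alerts:
        if a.confirmed and a.tool not in disabled:
            cov[a.tactic].add(a.tool)
    return dict(cov)


def coverage_gaps(alerts, tactics, disabled=frozenset()):
    """Tactics with no confirmed detection from any enabled tool."""
    cov = confirmed_coverage(alerts, disabled)
    return sorted(t for t in tactics if t not in cov)


def disable_impact(alerts, tool):
    """Tactics whose confirmed coverage disappears if `tool` is switched off.
    An empty result means no tactic depends on this tool alone."""
    before = confirmed_coverage(alerts)
    after = confirmed_coverage(alerts, disabled=frozenset({tool}))
    return sorted(t for t in before if t not in after)


def sole_provider_tools(alerts):
    """Tools that are the only confirmed source for some tactic (critical to keep)."""
    return sorted({next(iter(tools))
                   for tools in confirmed_coverage(alerts).values()
                   if len(tools) == 1})


if __name__ == "__main__":
    for tool, (tp, total, prec) in precision_by_tool(ALERTS).items():
        print(f"{tool:12s} confirmed {tp}/{total}  precision {prec:.2f}  "
              f"sole coverage for: {disable_impact(ALERTS, tool) or '-'}")
    print("uncovered tactics:", coverage_gaps(ALERTS, TACTICS))
```

On the constructed data, `legacy-av-d` has zero precision and no tactic depends on it, which is the redundant, under-performing product the text describes; `ndr-b` is noisy on lateral movement but is the only confirmed source for command-and-control, so its cost has to be weighed against that dependency rather than against its raw alert count. The same functions run unchanged on a real export once each alert carries a tool name, a tactic mapping and a triage verdict.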
Transparency, diagnostics, and ongoing evaluation are basic tenets of so many of an organization’s activities today. Web analytics lets us know exactly how our online presence performs – who visited, where from and for how long. PPC advertising lets us pay for only those leads that reached our doorstep. CRM systems give us full visibility into our sales process, in real time at any moment. But in the realm of security, we are still in the dark, paying for dozens of products, data feeds, and services we no longer need, without the ability to measure performance and prioritize. It’s time we shine a light into our security systems, and bring the knowledge, and the control, back to organizations. Achieving this goal will mean a streamlined, more effective security apparatus, with vastly improved security ROI.
Contact us to learn more about empow's analytics and i-SIEM platforms.