Automate, Accelerate And Orchestrate The Threat Defense


Gone are the days when cyber thieves and cyber criminals were a slow breed and attacks arrived at a manageable pace. Today's attacks are far more precise, far more nimble and, yes, far faster and more devastating. The way cyber threats have been managed so far is definitely not working anymore.

The changing IT infrastructure is creating new threat surfaces and threat vectors. A geographically dispersed user base with remote corporate and mobile connectivity is now a business necessity. Add to that the proliferation of handheld and mobile devices, "on demand" connectivity and computing on public machines, new corporate practices such as "bring your own device" (BYOD), the growing menace of shadow IT and the "dark cloud", and the challenge to cyber protection is easy to imagine. The picture is grim and gets more complicated with each passing day. Let's look at some statistics.

Technological advances are enlarging the attack surface. By 2020, every person is projected to have 26 corresponding smart objects and to generate an enormous amount of data, and about 65-85% of all applications are expected to be cloud delivered, which will severely hamper the network's ability to inspect incoming and outgoing traffic. Cyber security talent is in short supply: by mid-2015, over 66% of the organizations surveyed by SANS reported a severe crunch of skilled security professionals. Breaches are getting costlier.

According to a 2014 Ponemon study, repairing the damage after a cyber-attack cost about US $20,000 per day and took about 30 days. Where we used to have days to respond, we now need to respond in minutes if we want to reduce the impact. Dwell times of weeks and months are no longer a tolerable proposition.

Traditional counter-measures slow down hard-working security teams, and the teams themselves are torn apart by conflicting, often simultaneous, demands on their resources. Manual, labour-intensive operations require analysts to look at different data sources at different levels: log level, network level, object level and endpoint level. At the same time, threat intelligence networks at different levels of the ecosystem provide different types of information, and working out which threat intelligence set to focus on is itself a tall ask. A new approach was really the need of the hour.

Under such circumstances manual or slow processes are passé. Enter the threat lifecycle based defense approach, which has the potential to address all these issues and more. It provides an integrated counter-threat action that works on four prongs. First, it halts the most common threat vectors. Second, it uses sophisticated intelligence and analytics tools to improve visibility, which puts a check on low-and-slow maneuvering that stays below alert thresholds. Third, it offers dynamic correction: by increasing the amount of triage it can perform, it helps zero in on the most useful response. Lastly, it creates an integrated security system that is prompt in applying insights, which are shared and implemented in near real time. It adapts to the threat scenario.

These systems usually provide a collaborative, fabric-based ecosystem that breaks down the silos of traditional legacy security architecture and creates an integrated system that is far better on all the key parameters: time to respond, time to protect and capacity. In some use cases it has been claimed that time to respond improved by over 140x, time to protect by over 200x and capacity by over 30x.

To understand this better, let's look at a hypothetical infection scenario. With lifecycle-based defense in place, when an infection (threat/malware) arrives via USB at the data exchange layer, global threat defense is activated: the file's reputation is checked and, if it is unknown, sandboxing is triggered. Once the file has passed through file reputation management, security policy management takes over and directs security alerts based on the type and criticality of the threat.

The enterprise security management software is also activated and starts distributing critical information about the threat: context, vendor threat feeds, indicators of compromise and vulnerability status. This in turn switches on all the endpoint threat detection and response tools, and the network security software also comes alive. All of this happens at the data exchange layer in near real time. What this essentially means is that all the security components work as a single coherent unit at the data exchange layer: identity management, mail gateway, vulnerability management, mobile security, web gateway, application and change control, HIPS, network firewall, you name it.
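The scenario above, reduced to a toy model as an added illustration (this is not code from the article or from any vendor product). It assumes a minimal publish/subscribe bus standing in for the data exchange layer, a file reputation table, a stand-in sandbox that looks for a constructed marker string, and four hypothetical enforcement points that subscribe to a shared "ioc" topic. The point it demonstrates is the one the article makes: the first arrival of an unknown file is sandboxed, the resulting indicator is published once, and every enforcement point blocks the second arrival with no further sandboxing.

```python
"""Toy model of lifecycle-based threat orchestration over a message bus.

Added example, not the article's or any product's code. The bus, the
component names, the reputation table and the sample file are constructed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Verdict:
    sha256: str
    reputation: str   # reputation seen on arrival: known_good, known_bad or unknown
    sandboxed: bool   # whether detonation was needed for this arrival
    malicious: bool


class Bus:
    """Minimal publish/subscribe fabric standing in for the data exchange layer."""

    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, topic, message):
        for handler in list(self._subs[topic]):
            handler(message)


class Enforcer:
    """Any enforcement point: endpoint agent, web/mail gateway, HIPS, firewall."""

    def __init__(self, name, bus):
        self.name = name
        self.blocked = set()
        bus.subscribe("ioc", self._on_ioc)

    def _on_ioc(self, sha):
        # Every subscriber picks up the shared indicator the moment it is published.
        self.blocked.add(sha)

    def allows(self, sha):
        return sha not in self.blocked


class Orchestrator:
    """File reputation -> sandbox -> policy/alert -> IOC sharing, in that order."""

    def __init__(self, bus, known_hashes):
        self.bus = bus
        self.reputation = dict(known_hashes)   # sha256 -> known_good / known_bad
        self.sandbox_runs = 0
        self.alerts = []

    def _sandbox(self, data):
        # Stand-in for detonation: the constructed sample carries a marker string.
        self.sandbox_runs += 1
        return b"EVIL-MARKER" in data

    def handle_file(self, source, data):
        sha = hashlib.sha256(data).hexdigest()
        rep = self.reputation.get(sha, "unknown")
        if rep == "known_good":
            return Verdict(sha, rep, False, False)
        if rep == "known_bad":
            malicious, sandboxed = True, False
        else:
            malicious, sandboxed = self._sandbox(data), True
            self.reputation[sha] = "known_bad" if malicious else "known_good"
        if malicious:
            # Policy step: raise an alert, then share the indicator with every component.
            self.alerts.append(f"{source}: {sha[:12]} malicious, criticality high")
            self.bus.publish("ioc", sha)
        return Verdict(sha, rep, sandboxed, malicious)


def run_demo():
    """Same sample arrives twice: once via USB, once via the mail gateway."""
    bus = Bus()
    enforcers = [Enforcer(n, bus) for n in ("endpoint", "web-gateway", "mail-gateway", "firewall")]
    orch = Orchestrator(bus, known_hashes={})
    sample = b"MZ constructed sample containing EVIL-MARKER for this demo"
    first = orch.handle_file("usb", sample)            # unknown -> sandboxed -> IOC shared
    second = orch.handle_file("mail-gateway", sample)  # known_bad -> blocked without sandbox
    blocked_everywhere = all(not e.allows(first.sha256) for e in enforcers)
    return first, second, blocked_everywhere, orch.sandbox_runs


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

A benign file follows the same path but ends as "known_good" and is never published, so the enforcers keep allowing it; the cost of the slow step (detonation) is paid once per unique file rather than once per component.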

The threat lifecycle based approach has the potential to solve the critical cyber security issues businesses face today. Security teams can look at more attacks simultaneously and respond much more rapidly, with automated detection and remediation, while placing a far smaller burden on resources.

[Disclaimer: The views expressed in this article are solely those of the authors and do not necessarily represent or reflect the views of Trivone Media Network's or that of CXOToday's.]