There is no argument against the fact that security is a core and necessary function for IT in connected businesses. What is debatable is the means of going about it. Granted, some businesses and business verticals have specialized compliance requirements that force them to operate (or not operate) in specific ways. I have been in a good number of businesses in different verticals in my career, and it surprises me how many of them thought they were very unique in their security challenges when, really, they were all very similar with only a few variations.
Much of my career was spent going into organizations to revive struggling security programs. One of the most significant issues security faces is not the collection of information, but the ability to actually use it and thus leverage it to its fullest for visibility, control and orchestration. In EMA's "Data-Driven Security Reloaded (DDSR)" report [1], 70 percent of organizations said they would collect more data if they could use it; the problem was that they did not feel they had the ability to use what they already collected.
Part of the problem may be attributable to staffing shortages, but most of the issue is caused by either politics or tools. On the political front, data ownership often comes into play as a gating factor for organizations (or individuals) wishing to maintain a fiefdom or some form of control. Sadly, this shortsightedness is more common in larger organizations, where data sharing is needed most because of the diversity and scope of the IT attack surface. Some of this can be solved by improving personal relationships between managers, and some by a "help me, help you" approach that shows the holdout manager what data sharing can do for him or her. The final approach is engaging upper management to mediate, showing them how sharing the data is better for the business overall.
Security tools often function in silos, searching for and/or solving very specific problems. Though they generally collect the data and address their specific problem well, they have not always provided a means for other tools to access that data, or produced it in a package that other tools can easily digest. Some vendors try to address this by creating "security suites" that tackle multiple issues and combine management and some data into a single interface and reporting structure, but these vary in quality. Some tool segments were created to address this specific issue. Security Information and Event Management (SIEM) solutions were built to create a central security data repository and a means of correlating the data in it. The problem is that only about 45 percent to 48 percent of organizations have a SIEM [1]. They are not cheap, most get more expensive as you load more data into them, storage adds to the operating cost, and they usually need at least one dedicated person to run them. Security analytics solutions that provide user behavior analytics or anomaly detection were also created to give better visibility across data silos. Though they can be very effective, they can take months to years to gather enough information to provide value.

What needs to be pushed is the integration capability of the tools themselves, so they can share data in a common format, or at least through a common method, and greater context and visibility becomes available within any tool. 31 percent of organizations said integration with network security was the most important aspect of their security program [2]. In the last few years, vendors responded to that pressure by expanding their partnership programs and the APIs associated with those partnerships. When you evaluate a product or solution, be sure to inquire about its data-sharing partners and capabilities, and test those claims heavily: check whether the API exposes the full underlying events or only the tool's own alerts, whether data can be pulled on demand or only pushed on the vendor's schedule, and whether the fields you need to join against other sources (timestamps, hosts, addresses, users) come out in a form you can actually match on.
Regardless of the cause, we must work tirelessly to get the data out of the silos so it can be freely shared. Only through these efforts can we create the context we so desperately need to see the “low and slow” or otherwise stealthy individual attacks and campaigns being waged to infiltrate our systems and exfiltrate our data.
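The two paragraphs above argue for getting tool data into a common format so that it can be correlated, and for using that context to spot "low and slow" activity. The following is an added example, not code from the original article or from any product it mentions: it takes constructed sample records from two hypothetical silos (a firewall writing key=value syslog lines and an endpoint tool emitting JSON events), normalizes both into one schema, and then correlates across them to flag a host whose regular outbound connections line up with a suspicious process start. The formats, field names, hosts and addresses are all invented for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data from two hypothetical silos (not real product output).
# Silo 1: a firewall logging key=value lines, one flow per line.
FIREWALL_LOGS = [
    "ts=2024-03-01T02:00:10Z action=allow src=10.0.5.21 dst=203.0.113.9 dport=443 bytes=4096",
    "ts=2024-03-01T02:30:12Z action=allow src=10.0.5.21 dst=203.0.113.9 dport=443 bytes=4100",
    "ts=2024-03-01T03:00:09Z action=allow src=10.0.5.21 dst=203.0.113.9 dport=443 bytes=4080",
    "ts=2024-03-01T03:30:11Z action=allow src=10.0.5.21 dst=203.0.113.9 dport=443 bytes=4120",
    "ts=2024-03-01T02:05:00Z action=allow src=10.0.5.40 dst=198.51.100.7 dport=443 bytes=120000",
]
# Silo 2: an endpoint agent emitting JSON, with epoch-second timestamps (1709258400 = 2024-03-01T02:00:00Z).
EDR_EVENTS = [
    '{"time": 1709258400, "host": "ws-021", "ip": "10.0.5.21", "event": "process_start", "image": "powershell.exe", "parent": "winword.exe"}',
    '{"time": 1709259000, "host": "ws-040", "ip": "10.0.5.40", "event": "process_start", "image": "chrome.exe", "parent": "explorer.exe"}',
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_firewall(line):
    """Map a firewall key=value line onto the common schema: ts, source, host_ip, kind, detail."""
    f = dict(KV_RE.findall(line))
    return {
        "ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": "firewall",
        "host_ip": f["src"],
        "kind": "net_flow",
        "detail": {"dst": f["dst"], "dport": int(f["dport"]), "bytes": int(f["bytes"])},
    }


def normalize_edr(line):
    """Map an endpoint JSON event onto the same common schema, so both silos can be joined on host_ip and ts."""
    ev = json.loads(line)
    return {
        "ts": datetime.fromtimestamp(ev["time"], tz=timezone.utc),
        "source": "edr",
        "host_ip": ev["ip"],
        "kind": ev["event"],
        "detail": {"host": ev["host"], "image": ev["image"], "parent": ev["parent"]},
    }


def find_beacons(events, min_count=3, jitter=timedelta(seconds=30)):
    """Flag (host, dst, dport) groups whose flows recur at a nearly constant interval: a 'low and slow' beacon pattern."""
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "net_flow":
            groups[(e["host_ip"], e["detail"]["dst"], e["detail"]["dport"])].append(e["ts"])
    beacons = []
    for (host_ip, dst, dport), times in groups.items():
        times.sort()
        if len(times) < min_count:
            continue  # a single large transfer (10.0.5.40 above) is not a beacon by itself
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            period = sum(gaps, timedelta()) / len(gaps)
            beacons.append({"host_ip": host_ip, "dst": dst, "dport": dport,
                            "count": len(times), "period_s": period.total_seconds(), "first": times[0]})
    return beacons


def correlate(events, window=timedelta(minutes=15)):
    """Attach endpoint context to each beacon: EDR events on the same host within +/- window of the first beacon."""
    findings = []
    for b in find_beacons(events):
        context = [e for e in events
                   if e["source"] == "edr" and e["host_ip"] == b["host_ip"]
                   and b["first"] - window <= e["ts"] <= b["first"] + window]
        findings.append({**b, "endpoint_context": context})
    return findings


def run():
    """Normalize both silos into one event list and correlate across them."""
    events = [normalize_firewall(l) for l in FIREWALL_LOGS] + [normalize_edr(l) for l in EDR_EVENTS]
    return correlate(events)


if __name__ == "__main__":
    for f in run():
        ctx = ", ".join(f"{c['detail']['parent']} -> {c['detail']['image']}" for c in f["endpoint_context"])
        print(f"{f['host_ip']} beacons to {f['dst']}:{f['dport']} every ~{f['period_s']:.0f}s "
              f"({f['count']} flows); endpoint context: {ctx or 'none'}")
```

Neither silo on its own is alarming: four small HTTPS connections every half hour look like any update check, and one PowerShell launch is routine. Joined on a shared host key and timestamp, the same records show a document-spawned shell followed by a regular beacon to one external address, which is exactly the context the article says the silos hide. In practice the normalizers are the part that costs the most effort and is easiest to get wrong (time zones, epoch versus ISO timestamps, which field is the host identity), which is why the article's advice to test a vendor's export claims matters.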