If you have ever been involved in a breach or an attack in your professional career, this sounds like a misnomer, something that, being the conspiracy theorists we all are, is simply not attainable. In the larger picture you are right: the bad guys do something that we, as industry professionals, rarely do. They collaborate very well and share information. Now, let's get to why you really want to read this article: what steps can we take to make our tools better connected, and to evolve our security practices and tools from a reactive to a proactive state?
First, let's level set: this methodology requires executive buy-in and investment in the IT and IS departments. It also requires collaboration with your business lines to ensure you are protecting the moneymakers for your enterprise or business. So the first step is learning from any issues or attacks and feeding that intelligence into our platforms so they alert at the proper thresholds. I am a big fan of using standard deviations, which let me baseline traffic on platforms like a SIEM (Security Information and Event Management) from a control set of data spanning anywhere from hours to months, as needed. I would not recommend years: the baseline would take a long time to build, and computing it would consume cycles the device needs for its normal processing. This gives organizations an early detection capability for network- and device-level events, whether to confirm proper health or to catch a DDoS or outage early.
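The baselining approach described above, as an added example that is not the article's own code: hourly event counts from a constructed control window are bucketed by hour of day, each bucket gets a mean and standard deviation, and a new observation is flagged when it lies more than k standard deviations from its bucket's baseline. The control set, the hourly granularity, k = 3 and the floor on the standard deviation are all assumptions made for the example.

```python
"""Baseline event counts per hour-of-day from a control window and flag
observations that deviate beyond k standard deviations (z-score alerting)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed control set: (day, hour, event_count) for a 7-day window.
# Traffic is diurnal: business hours run near 1000 events, nights near 200,
# with a small deterministic jitter. Fabricated for the example, not real data.
CONTROL_SET = [
    (day, hour, (1000 if 8 <= hour < 18 else 200) + ((day * 7 + hour * 3) % 50))
    for day in range(7) for hour in range(24)
]

def build_baseline(control_set):
    """Return {hour_of_day: (mean, stdev)} computed from the control window.
    Bucketing by hour keeps a busy afternoon from masking a quiet-hour flood."""
    buckets = defaultdict(list)
    for _day, hour, count in control_set:
        buckets[hour].append(count)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}

def zscore(value, mu, sigma, floor=1.0):
    """Standard deviations from the baseline. Sigma is floored (assumption) so a
    perfectly flat control set neither divides by zero nor alerts on tiny jitter."""
    return (value - mu) / max(sigma, floor)

def check(observation, baseline, k=3.0):
    """Classify one (hour, count) observation against the baseline."""
    hour, count = observation
    mu, sigma = baseline[hour]
    z = zscore(count, mu, sigma)
    if z >= k:
        return "spike"   # candidate DDoS, flood or misbehaving log source
    if z <= -k:
        return "drop"    # candidate outage or silent (dead) log source
    return "normal"

def evaluate(observations, baseline, k=3.0):
    """Return (hour, count, verdict) for each observation."""
    return [(h, c, check((h, c), baseline, k)) for h, c in observations]

if __name__ == "__main__":
    bl = build_baseline(CONTROL_SET)
    # Constructed observations: a normal business hour, a night-time flood,
    # and a business hour that went completely silent.
    for hour, count, verdict in evaluate([(10, 1030), (3, 900), (14, 0)], bl):
        print(f"hour={hour:02d} count={count:5d} -> {verdict}")
```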
Another point: with the advent of machine learning, security platforms that leverage this technology allow teams to be smaller yet more effective at both detecting and responding to issues and incidents. Endpoint technologies that use it detect threats by inspecting the "DNA" of files, scripts and memory reads, which has proven highly effective against newer attacks like ransomware. Applying the same technologies to network monitoring and the SIEM lets the multitude of false positives be correlated more quickly, so analysts get to the meat of where the real issues are. This often takes a human to conduct the training, which requires time and, at times, retraining. The end result, however, is saved staff hours and fewer false positives.
Connecting all this together is the last piece: most modern technologies can interconnect via RESTful API calls. While a SIEM can do this more effectively, REST APIs are allowing teams to automate detections and responses to security events without the overhead of a SIEM and the FTEs needed to manage it. This works by intertwining detection tools on the network with endpoint or network policy enforcement tools that act upon the information from that detection. Building this workflow takes time without a SIEM, but it can be done. Having a SIEM does let you pivot through the detections and what they meant across all infrastructure components, and then automate more intelligently and often more effectively. By working out the above workflow, companies and enterprises can save money, effectively connect their security and IT tools to give their organizations a stronger security posture, and move from reactive to proactive responses to advanced cyber-attacks.