Defending our Digital Homeland: Preventive Control Is Only The Beginning

Sep 27, 2018 | by Karl Klaessig

“We shall defend our island, whatever the cost may be, we shall fight on the beaches, we shall fight on the landing grounds, we shall fight in the fields and in the streets, we shall fight in the hills; we shall never surrender.” – Sir Winston Churchill, June 1940

Winston Churchill understood that threat defense is an expansive and never-ending battle. As enterprises struggle to defend their “homeland” from insiders and creative, well-equipped cyber criminals, it can feel like a losing battle to the “generals” – the C-suite – and the “soldiers” – the security analysts – fighting in the trenches.

Yet we must keep fighting. The key is to realize there is no single battlefield, nor a single defense mechanism, that protects our enterprises. Traditional perimeter controls alone are not effective, especially now that our digital assets are virtual and mobile. A more comprehensive, enterprise-wide defensive strategy is the solution.

“. . . You ask, what is our policy? I say it is to wage war by land, sea, and air.”
We can easily translate Churchill’s policy into modern cyber warfare. “By land” equates to logs – traditional threat monitoring and compliance, and the initial window into threats and anomalies. Your analysts must be able to collect over a wide range of protocols and ingest logs from hundreds of event source types, including a myriad of industry-leading network and security devices, popular applications and operating systems. This window into risks and threats, which an evolved Security Information and Event Management (SIEM) platform provides, is what you need to facilitate administration and analysis of data across distributed and virtual environments and to achieve rapid detection, investigation, reporting and management of security data.

“By sea” is the network – the large volume of data we transmit, share and collaborate around constantly traverses enterprise networks. Security teams need to detect and understand the full scope of an attack to respond effectively. An evolved SIEM can analyze network data and user behavior across an organization, detecting known and unknown threats and transforming disparate data into actionable information.

“By air” is the endpoint – the new virtual environment of servers in the cloud, and employees working virtually everywhere from both personal and work devices. An evolved SIEM leverages endpoint detection and response (EDR) solutions to provide visibility at the user and kernel levels, to flag anomalous activity, drive machine/endpoint suspect scores, and block or quarantine malicious processes. In this way, you gain full visibility across your infrastructure – including cloud, remote devices and virtual environments.

The question then becomes: “Do I need to deploy a million defensive weapons to defend my digital homeland?” The answer is no – in fact, that can be a weakness. As you introduce more tools, workflows become more complex, training becomes a scheduling nightmare, and collaboration across already stretched resources becomes even harder.

Just as unified threat management (UTM) has become a converged platform of point security products, providing everything from firewalls and intrusion prevention systems to virtual private networks and secure web gateways, the threat defense market is converging around the evolved SIEM to meet the changing needs of customers.

SIEM products leverage rich data capabilities. Sophisticated investigation and threat detection capabilities are augmented with user and entity behavior analytics (UEBA) and orchestration and automation solutions, resulting in best-practice workflows and playbooks. In our homeland defense analogy, the evolved SIEM provides the complete range of defense capabilities your organization needs: from the visibility and command and control needed by the generals, to the incident management and response capabilities essential to your field commanders, to the detection and investigation tools needed by the soldiers fighting on the front line.

“. . .You ask, what is our aim? I can answer in one word. It is victory. Victory at all costs – Victory in spite of all terrors – Victory, however long and hard the road may be, for without victory there is no survival.”
As in Churchill’s time, there are no quick or permanent wins. In geopolitics or cybersecurity, the winning strategy is to prepare and continuously improve your defenses. Today the goal is to establish an intelligent SOC with true visibility across an organization’s entire IT infrastructure – from the endpoint to the cloud, and across virtual, hybrid and on-premises computing environments.

Organizations continue to experience a rapidly accelerating threat environment, and they need tools and services that can keep up with the changes. An evolved SIEM is designed to offer the maximum amount of visibility, with automated analysis and prioritization in the context of the real business risk a threat poses. In this way, your analysts can be sure they are seeing, and responding to, the threats that truly matter to their organization.

For more information on the value of an evolved SIEM, visit RSA.com and check out our latest eBook – 5 Tools to Boost Your Security Team’s Impact.