It All Starts With Visibility

If you can’t see it, you aren’t seeing it.

As new security breaches come to light just about every day, nothing could be more obvious to even the casual observer: the security industry has failed you. Traditional approaches to security are utterly obsolete in relation to today’s complex architectures and modern threats. Our rapidly expanding attack surface, thanks to the digitization of business and the adoption of Cloud and mobile technologies, combined with a threat environment that is increasingly complex and sophisticated, necessitates a new approach to security.

Legacy strategies and technologies have defended organizations from cyber-attack by establishing a digital perimeter around enterprise networks – a supposed barrier that was tightly monitored and through which access was defined and controls applied. While viewpoints vary as to how effective these barriers actually were, limiting the number of access points typically enabled a higher degree of scrutiny and perhaps more confidence in the security of the network and its contents.

But even that facade of security has been perforated by mobile technologies, Cloud services, and new business practices. The ever-expanding number of access points and methods through which that digital perimeter might stretch or contort now outstrips even advanced concepts of perimeter defense. Only once you acknowledge that applying controls to and watching the perimeter is a very small subset of what is necessary can you begin to take meaningful steps forward.

While adopting a new approach to security – what we call Intelligence Driven Security – will require many steps forward, one of the first steps is expanding our visibility. Now, when you say visibility to many security practitioners, they immediately start talking about the traditional visibility offered by firewall and other logs, router telemetry, antivirus information and perhaps IDS alerts. When the SIEM industry began, it promised better visibility, investigative power, and compliance efficiency by bringing this information together. While attractive on the surface, the reality has left way too much to be desired.

Intelligence Driven Security requires a fundamentally different approach to visibility. Technologies exist to record every single packet on the network and, more importantly, to understand and interpret that traffic as packets, sessions, and applications. To find out what’s really occurring in your environment, you must augment the observations your security infrastructure is or isn’t already making with this deep visibility into how things actually are. This deeper level of visibility helps against insertion, replay, fragmentation and application-layer methods of bypassing existing enterprise security controls. Combine this deep visibility with insight into what might be occurring at the endpoint and it’s like turning the light on in a room that had been pitch black or, at best, dimly lit.

Look at the news on a daily basis and you will see organizations getting compromised, many of them with presumably strong security programs. If security programs don’t expand their visibility and evolve to match the threats of today and tomorrow, it’s easy to see that these breaches are just the beginning.

The key to cyber security’s migration to Intelligence Driven Security is visibility, analysis, and action. This article is Part 1 of a 3-part series that will discuss each of these in turn.

About the Author: Amit Yoran