Cybersecurity strategies have long relied on a multifaceted approach. Enterprises deploy a number of specialized components, each targeting a particular class of vulnerability, in the hope that together they will keep the operation safe. This strategy has worked to an extent, helping organizations defend against much commodity malware and many network exploits. But attackers still make it through enterprise defenses. Verizon’s 2015 Data Breach Investigations Report states that organizations experienced nearly 80,000 security incidents and more than 2,100 confirmed data breaches in 2014.
Cyberattackers continue to carry out successful attacks because they find ways to elude traditional defenses. “Today’s threats are increasingly designed to stealthily infiltrate an organization and jump from one host to another to reach an ultimate target, and exfiltrate sensitive data to an external location,” says Karen Scarfone, principal consultant at Scarfone Cybersecurity.
For cybersecurity professionals, it has become increasingly difficult to prevent attacks. Many organizations are now structuring their defenses not only to prevent attacks, but also to detect them. With this approach, a compromise in progress can be stopped before a major data breach occurs, Scarfone adds.
To detect stealthy attacks and remediate them quickly, better tools are needed for orchestrating separate security products into a coordinated whole, security experts say. Vendors have already taken some steps in this direction. Security information and event management (SIEM) systems, for example, aggregate log data from endpoints, firewalls and other sources. But a SIEM can bury security managers in a deluge of events, making it hard to prioritize them and decide how to respond to the biggest threats.
Now, new integrated solutions coming to the security market are designed to change that. “Identifying attacks and compromises can be accomplished more effectively and efficiently if security controls work together instead of independently,” Scarfone explains. “This is where integrated security solutions become so valuable.”
Coordinating for Greater Protection
Coordinating security components offers several benefits. For example, when an endpoint security tool detects a threat, it can share that detection with the firewall, which can immediately block the associated traffic or quarantine the compromised host to protect the rest of the network. Conversely, when a firewall detects anomalous traffic, it can identify the endpoint behind that traffic, have it isolated and trigger the appropriate response on the host.
If the endpoint and firewall products operate in isolation, neither can respond to such a compromise in a timely manner: the firewall sees only an address, and the endpoint agent never learns what the network observed. When the two act together on even small network anomalies, they protect the environment as a whole far better.
Scarfone says that when organizations must manage and monitor many security products that aren’t designed to work together, they typically incur higher expenses than with an integrated solution. This includes increased costs for hardware and software, initial and ongoing labor, and the security analysis overhead that slows operations, she says.
Reduced overhead can be another plus for organizations, helping relieve already overstretched IT staff from addressing small (but potentially damaging) security events that pull them away from more strategic tasks. Automation and real-time security insight can handle this remediation, freeing IT staff to focus more on big-picture initiatives.
Numerous Ways to Construct a Unified Defense
Orchestration products come in a variety of forms. Unified threat management (UTM) solutions typically integrate network firewalls, network intrusion prevention systems (IPSs), antimalware technologies, application security controls (such as web and email content filtering and application whitelisting), network-based data loss prevention (DLP) technologies and virtual private networking (VPN). UTMs typically do not include SIEM, but they can provide logs in near-real-time to an enterprise SIEM, Scarfone says.
Endpoint protection platform (EPP) solutions offer several layers similar to UTM. But while UTM tools are network-based, EPP solutions are endpoint-based. Typical EPP layers include antimalware, host-based firewalls, host-based IPSs, endpoint DLP, application whitelisting, removable media and device control, and endpoint storage encryption. EPP solutions can provide data from endpoints to a centralized SIEM solution, often through a SIEM-provided agent.
Meanwhile, endpoint detection and response (EDR) systems supplement signature-based antivirus with continuous monitoring and recording of endpoint activity, so that attacks in progress can be identified quickly. For example, Intel Security’s McAfee Active Response offers a central console for managing continuous detection and response capabilities, as well as other features within a portfolio, such as endpoint antimalware defenses and data encryption. “Centralization is key for managing policies and acting quickly, such as when a breach is identified that could potentially attack scores of endpoints and servers,” says Ed Metcalf, director of product and solution marketing at Intel Security.
Part of Intel Security’s integrated security architecture, Active Response can analyze executables and running files, as well as code that may be lying dormant or that attackers have deleted to cover their tracks. It can search files, network flows, registry entries and process mappings across endpoints. IT administrators manage the solution from the central McAfee ePolicy Orchestrator console.
Another option is Sophos Heartbeat, which enables endpoints and next-generation firewalls to exchange status information at 15-second intervals. For example, an endpoint may report its MAC and IP addresses, who is logged on, which processes it is running and its health state. “We can use that information collectively by the two products to provide a level of detail we wouldn’t otherwise see,” says Dan Schiappa, senior vice president and general manager of the Sophos Enduser Security Group.
If an anomaly on an endpoint causes a change in status, the solution directs the network to automatically isolate the affected machine. Administrators can still access the device to conduct forensics. “We also have advanced-persistent-threat protection for the network to decipher problems, such as unusual behavior on the endpoint,” Schiappa says. “In the past, the firewall may only see an IP or MAC address, so administrators would have to go through logs to determine what machine was actually attached to an address when an incident occurred. They would then have to go to that machine to find out exactly what happened. Now, because the system is sharing the actual process information that’s generating the traffic, we know exactly which process has been compromised and have the ability to do a deeper analysis directly on the endpoint. This reduces the time needed for forensics and remediation.”
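The following is an added illustration, not code from Sophos, Intel Security, Cisco or CDW, of the two-way coordination described in this section. Endpoints send periodic heartbeats carrying their IP and MAC addresses, the logged-on user, a health state and which process owns each outbound socket; the firewall sends flow records that its IPS has flagged. A small correlator joins the two: a red heartbeat quarantines the host at the network, a firewall alert is attributed to the process on the endpoint that generated the traffic, one host’s detection becomes a block for every other host, and a host whose heartbeat has gone stale is treated as unknown rather than healthy. The record layouts, the green/red health vocabulary, the two-missed-beats threshold and the sample addresses are assumptions constructed for the example.

```python
# Added example (not Sophos, Intel Security, Cisco or CDW code): a toy correlator that
# joins endpoint heartbeats with firewall flow records. Record layouts, field names
# and thresholds are assumptions made for the illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEARTBEAT_INTERVAL_S = 15.0         # the article's 15-second heartbeat cadence
MISSED_BEATS_BEFORE_SUSPECT = 2     # assumption: two missed beats = host state unknown


@dataclass
class Heartbeat:
    """What an endpoint reports each interval (fields assumed for the example)."""
    ts: float
    host: str
    ip: str
    mac: str
    user: str
    health: str                                   # "green" or "red"
    # "dst_ip:dst_port" -> name of the process that owns that socket
    connections: Dict[str, str] = field(default_factory=dict)


@dataclass
class Flow:
    """One firewall flow record; verdict is "allow" or "alert" (the IPS flagged it)."""
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    verdict: str


class Correlator:
    """Turns endpoint and firewall telemetry into isolation and block actions."""

    def __init__(self, now: float) -> None:
        self.now = now
        self.latest: Dict[str, Heartbeat] = {}    # ip -> freshest heartbeat
        self.shared_blocklist: set = set()        # dst IPs learned from one host, enforced for all
        self.actions: List[dict] = []

    def _act(self, kind: str, ip: str, reason: str, **extra) -> dict:
        action = {"action": kind, "ip": ip, "reason": reason, **extra}
        self.actions.append(action)
        return action

    def heartbeat_is_fresh(self, ip: str) -> bool:
        hb = self.latest.get(ip)
        if hb is None:
            return False
        return self.now - hb.ts <= HEARTBEAT_INTERVAL_S * MISSED_BEATS_BEFORE_SUSPECT

    def ingest_heartbeat(self, hb: Heartbeat) -> Optional[dict]:
        """Endpoint -> network: a host reporting red health is quarantined at the firewall."""
        self.latest[hb.ip] = hb
        if hb.health == "red":
            return self._act("isolate_host", hb.ip, "endpoint reported red health",
                             host=hb.host, mac=hb.mac, user=hb.user)
        return None

    def ingest_flow(self, fl: Flow) -> Optional[dict]:
        """Network -> endpoint: an alerted flow is attributed to the process behind it."""
        if fl.dst_ip in self.shared_blocklist:
            return self._act("block_flow", fl.src_ip, "destination on shared blocklist",
                             dst_ip=fl.dst_ip)
        if fl.verdict != "alert":
            return None
        if not self.heartbeat_is_fresh(fl.src_ip):
            # No agent, or an agent that went silent: all the firewall has is an IP/MAC.
            # Isolate anyway; a heartbeat that stops can itself be a sign of tampering.
            return self._act("isolate_unmanaged", fl.src_ip,
                             "alerted flow from host with no fresh heartbeat")
        hb = self.latest[fl.src_ip]
        proc = hb.connections.get(f"{fl.dst_ip}:{fl.dst_port}", "<unattributed>")
        self.shared_blocklist.add(fl.dst_ip)      # one host's detection protects the rest
        return self._act("isolate_host", fl.src_ip, "firewall alert attributed to endpoint process",
                         host=hb.host, mac=hb.mac, user=hb.user, process=proc, dst_ip=fl.dst_ip)


def run_demo() -> List[dict]:
    """Replays constructed telemetry through the correlator and returns the actions taken."""
    now = 1000.0
    c = Correlator(now)
    # Constructed heartbeats: ws-01 is green but holds a suspicious outbound socket,
    # ws-02 reports red health, ws-04's last beat is 60 s old (four missed intervals).
    c.ingest_heartbeat(Heartbeat(now - 5, "ws-01", "10.0.0.11", "00:11:22:33:44:01", "alice",
                                 "green", {"203.0.113.5:443": "powershell.exe"}))
    c.ingest_heartbeat(Heartbeat(now - 3, "ws-02", "10.0.0.12", "00:11:22:33:44:02", "bob", "red"))
    c.ingest_heartbeat(Heartbeat(now - 60, "ws-04", "10.0.0.14", "00:11:22:33:44:04", "dave", "green"))
    # Constructed firewall flows, in arrival order.
    c.ingest_flow(Flow(now - 2, "10.0.0.11", "203.0.113.5", 443, "alert"))    # IPS alert from ws-01
    c.ingest_flow(Flow(now - 1, "10.0.0.13", "198.51.100.9", 8080, "alert"))  # host never sent a beat
    c.ingest_flow(Flow(now - 1, "10.0.0.14", "198.51.100.9", 8080, "alert"))  # stale heartbeat
    c.ingest_flow(Flow(now, "10.0.0.15", "203.0.113.5", 443, "allow"))        # hits the shared list
    c.ingest_flow(Flow(now, "10.0.0.16", "192.0.2.10", 443, "allow"))         # benign, no action
    return c.actions
```

Calling run_demo() produces five actions: ws-02 is isolated on its own red report; the IPS alert from ws-01 is attributed to powershell.exe and the host is isolated; 10.0.0.13 (no agent) and ws-04 (agent silent for four intervals) are isolated as unmanaged; and the later, otherwise-allowed flow from 10.0.0.15 to the same destination is blocked because the indicator learned from ws-01 has already been shared with the firewall. The stale-heartbeat branch is the caveat a practitioner would insist on: an agent that stops reporting may have been killed, so silence must not be read as a clean bill of health.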
Later this year, Sophos plans to introduce a new component for synchronized security — the option to encrypt all important documents by default, he says.
Another integrated solution, Cisco Advanced Malware Protection, lets organizations correlate data across their full spectrum of security capabilities. This includes information from Cisco IPSs, firewalls, web and email gateways, and its endpoint solution. “If you correlate across all those little tiny actions, you can start to see patterns much earlier so you can respond more effectively,” says Dave Stuart, senior director of marketing and network security for Cisco’s Security Business Unit.
This capability has had a positive impact on Cisco’s internal operations. Stuart says the median time to detect a breach within Cisco itself is now 17.5 hours, far below the average of nearly 200 days reported by respondents to the company’s annual security survey.
Factors to Consider
With a range of choices on the market, how can technology decision-makers get the integrated tools they need? Experts advise enterprises to focus on four areas.
- Thoroughly investigate integration claims. “The most important thing to evaluate is how well integrated the solution’s components are,” says Scarfone. “Some integrated solutions were created by taking several independent components and putting them together loosely under a single name. These components do not truly work together. For example, they may not share information with each other.”
Metcalf concurs. “If I were a CISO, I would definitely want proof points — customer case studies and references from companies in my vertical,” he says. “I’d want to know if they successfully got their endpoints talking to their gateways and when they saw a threat at the gateway, they could immediately stop it from hitting the endpoint, or vice versa.”
- Evaluate the impact on performance. Some integrated security solutions collect data using software agents, which can impair the performance of production systems. “Many IT organizations worry about deploying more and more agents that use up CPU cycles,” Metcalf says.
Customer references and internal pilot projects will help organizations validate performance data provided by vendors.
- Weigh the pros and cons of a single vendor versus point solutions. By forgoing an integrated suite from one vendor, security managers can pick the best product for each infrastructure layer. With an integrated solution, an organization has to settle for the product with the best combination of layers, even if some of those layers are weaker than desired, Scarfone notes.
The tradeoff is that a common portfolio from one vendor promises to share threat information readily across its components, which in the end may make the enterprise more secure.
- Decide whether integration is really necessary. After weighing these factors, some organizations may conclude that an integrated solution would be overkill for their environments, particularly those at low risk of compromise. “For example, there may be components of the solution that are not necessary for a particular environment, or that are already addressed by other security solutions,” Scarfone says. “In these cases, an integrated solution may not be fully utilized, which could mean that it is duplicating effort and wasting resources, or that some components are unused, which is a waste of money in software licensing.”
There’s strength in numbers when it comes to enterprise security. Organizations need a full complement of defenses to block today’s varied threats. But the full potential of these solutions can’t be reached unless they share information and present a united front against attackers.
To learn more about how CDW can help orchestrate an integrated IT solution for your organizations, visit CDW.com/security.