We are hosting a series of events around the U.S. called Integrated Technology Summits where we talk about the real-world struggles facing security leaders and how leveraging integrated security technologies yields practical solutions. We typically feature two or three of our technology vendors and discuss how these can be made to work better together, creating operational efficiencies and security effectiveness – saving time and money, while also helping to reduce risk.
The cohesive story we tell with our vendors is made possible by API and other integrations, which in turn allow us to do some genuinely exciting things with automation and orchestration. But before we get there, it is important to understand why we want to integrate these solutions in the first place. If we do not have a real need and are not solving a real problem for the organization, integration is merely an interesting exercise that may or may not actually reduce risk in the enterprise.
Many clients that we talk to have a visibility problem – put simply, they don’t know what they don’t know about what is happening in their environment. Many organizations have some level of visibility at the traditional perimeter thanks to firewalls or IDS, but often lack an appropriate level of fidelity at other critical junctures – at the endpoints, within the network perimeter, or into the cloud, just to name a few. In a world where the traditional network perimeter is eroding, these vantage points provide a wealth of information into assets, risks, and exposure.
Sometimes these blind spots are the result of a technology gap – the organization does not have the appropriate tools implemented to provide the level of granularity desired. In other cases, capable tools do exist in the environment, but the telemetry data that they are (or could be) collecting is not being shared with other solutions in the environment. These other solutions, such as a configuration management database or threat intelligence platform, are inadvertently rendered less-effective by virtue of having less information – knowledge is power.
Many organizations we talk to are not entirely comfortable with the idea of fully, or even partially, orchestrating security activities. They fear that something may go wrong without a human in the loop to sanity-check automated actions, which could disrupt business operations. Integrating technologies for the purpose of data sharing is a good way for such organizations to begin exploring automation and orchestration. A sharing-only approach delivers the initial value discussed above, lays the technical groundwork for automated capabilities later, and gives the organization a chance to evaluate whether its maturity and culture will support more robust use of these capabilities.
Sharing is Caring
At a recent Integrated Technology Summit in Dallas, Kudelski Security featured three of our technology partners to discuss automation and orchestration – McAfee, Aruba Networks and Illusive Networks. At first glance, these three vendors may seem to have little in common. But as we discussed with the security professionals in attendance, each has a vantage point (or perhaps multiple vantage points) and collects relevant information about the IT environment that could enhance the capability of the other tools, if only shared.
Fortunately, most vendors in today's market embrace the heterogeneous, best-of-breed ecosystem that defines many enterprises. As we also discussed with the audience, platform-based security vendors build automation and orchestration into their own products and also expose those capabilities to customers for use with tools outside the platform. Security tools can be integrated point-to-point, but every additional tool then needs its own connector to each of the others (n tools require on the order of n² pairwise integrations, each with its own data format and maintenance burden). A common communications layer such as McAfee's OpenDXL instead abstracts the exchange of information from the underlying application architecture: each tool connects to the fabric once, which reduces the complexity of integrating and maintaining McAfee and numerous third-party tools.
With the communication groundwork laid, organizations can begin enabling data exchange. Aruba wireless access points can share telemetry on connecting endpoints, including device information, location, and time of association. Illusive Networks can share the high-fidelity alerts it raises when a deployed deception is triggered, including those for advanced persistent threats and zero-day exploits. McAfee Advanced Threat Defense can share threat intelligence in the form of indicators of compromise (IoCs) identified through code analysis or malware sandboxing.
Beyond these use cases, the possibilities for sharing contextual data are numerous, especially as organizations integrate additional tools such as directory services and the security analytics platforms they may already have deployed. These integrations begin to close the blind spots in the environment and establish a path toward further integrations and orchestration opportunities, so that our security tools can (you guessed it) work better together.
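To make the "connect once, share with everyone" point concrete, here is an added illustration that is not code from the original post and is not the OpenDXL client API. It is a small in-process publish/subscribe bus standing in for a fabric like OpenDXL, with three producers modelled on the vendors above (wireless association telemetry, a deception alert, a sandbox-derived IoC) and three consumers (an asset-inventory stand-in, a threat-intel store, and an enrichment step). The topic names, event field names, and sample events are all constructed for the demo. The point it shows that the paragraph does not: once the bus exists, the enrichment consumer can correlate a deception alert with who and where the source device is and whether a hash is already known bad, and an alert from a host the access points have never reported is surfaced as a visibility gap rather than silently passing through.

```python
"""Toy event fabric: three producers, three consumers, one enrichment step.
Hypothetical, self-contained simulation; NOT the OpenDXL client API."""
from collections import defaultdict


class Bus:
    """Minimal topic-based publish/subscribe broker (in-process stand-in for a DXL-style fabric)."""

    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, pattern, callback):
        # pattern is an exact topic or a prefix ending in "/#" (wildcard for the subtree)
        self._subs[pattern].append(callback)

    def publish(self, topic, event):
        # Producers never know who is listening; adding a consumer touches no producer code.
        for pattern, callbacks in self._subs.items():
            exact = pattern == topic
            wildcard = pattern.endswith("/#") and topic.startswith(pattern[:-1])
            if exact or wildcard:
                for cb in callbacks:
                    cb(topic, dict(event))  # each consumer gets its own copy


class AssetInventory:
    """CMDB stand-in: learns who/what is behind an IP from wireless association telemetry."""

    def __init__(self, bus):
        self.by_ip = {}
        bus.subscribe("/telemetry/wireless/#", self.on_event)

    def on_event(self, topic, ev):
        self.by_ip[ev["ip"]] = {k: ev[k] for k in ("mac", "user", "ap", "location", "ts")}


class ThreatIntel:
    """TIP stand-in: collects sandbox-derived IoCs so other consumers can match against them."""

    def __init__(self, bus):
        self.hashes = set()
        bus.subscribe("/intel/ioc", self.on_event)

    def on_event(self, topic, ev):
        if ev["type"] == "sha256":
            self.hashes.add(ev["value"])


class AlertEnricher:
    """Joins deception alerts with asset context and IoC matches; unknown hosts are flagged, not dropped."""

    def __init__(self, bus, inventory, intel):
        self.inventory, self.intel = inventory, intel
        self.enriched = []
        bus.subscribe("/alert/deception", self.on_event)

    def on_event(self, topic, ev):
        ctx = self.inventory.by_ip.get(ev["src_ip"])
        self.enriched.append({
            "alert_id": ev["id"],
            "src_ip": ev["src_ip"],
            "decoy": ev["decoy"],
            "device": ctx,  # None when no AP telemetry has ever been seen for this IP
            "known_bad_hash": ev.get("sha256") in self.intel.hashes,
            "blind_spot": ctx is None,  # the alert itself is a pointer to a visibility gap
        })


def blind_spots(enriched):
    """Source IPs that raised an alert but were never seen in wireless telemetry."""
    return [e["src_ip"] for e in enriched if e["blind_spot"]]


def run_demo():
    bus = Bus()
    inventory = AssetInventory(bus)
    intel = ThreatIntel(bus)
    enricher = AlertEnricher(bus, inventory, intel)
    bad_hash = "7a1b" * 16  # constructed 64-hex-char SHA-256 placeholder
    # Constructed sample events, published in the order the tools would emit them
    bus.publish("/telemetry/wireless/assoc", {
        "ip": "10.20.5.17", "mac": "aa:bb:cc:dd:ee:01", "user": "jdoe",
        "ap": "AP-DAL-3F-02", "location": "Dallas/3F", "ts": "2018-09-12T14:03:11Z"})
    bus.publish("/intel/ioc", {"type": "sha256", "value": bad_hash, "source": "sandbox"})
    bus.publish("/alert/deception", {"id": "DEC-1001", "src_ip": "10.20.5.17",
                                     "decoy": "fileshare-fin01", "sha256": bad_hash})
    bus.publish("/alert/deception", {"id": "DEC-1002", "src_ip": "10.20.9.44",
                                     "decoy": "rdp-srv07"})
    return enricher.enriched


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
    print("blind spots:", blind_spots(run_demo()))
```

Two design choices worth noting: consumers subscribe by topic, not by producer, so swapping the wireless vendor or adding a directory-services feed is a change at one edge of the fabric; and the enricher never discards an alert it cannot contextualise, because an alert for a host the inventory has never heard of is exactly the kind of blind spot the previous sections describe.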
Be on the lookout for an Integrated Technology Summit soon in a city near you. Our next event will be later this fall in Austin, Texas.
Posted by Bo Lane