Who's Down with PPT?
Building upon last month’s call for integration of point products for a more effective security posture, I want to dive into more detail on the topic and describe a base level solution given common restrictions for the mid-market.
To review, in order to effectively prevent threats, quickly detect the threats that were not prevented, and recover from the aftermath, one needs a combination of skilled people executing always-improving processes with advanced technologies. I refer to this as PPT: not death by slideshow, but People, Process, and Technology. Though basic sounding, it is much easier said than done. Skilled people are in high demand; effective processes require experienced people with the right tools (e.g. SIEM and SOAR), which are expensive and useless without the right people and good processes.
To begin to overcome those restrictions, companies must integrate existing product types to ease the demands on lean security staff. Even smaller organizations have basic preventative security products in place. They have endpoint protection products (EPP), perimeter firewalls, user directory servers, ticketing systems, and network devices connecting them to local and remote resources. Now imagine a scenario in which each of these product types, already invested in, communicates with the others to provide context on everything happening within its purview. For example, a distribution switch identifies a new traffic flow from a workstation to a server and notifies the firewall. This triggers an action to collect the traffic between each endpoint and the Internet from before and after the alert, followed by an automated inquiry and collection of the endpoint protection logs on each device. Directory services are queried to determine who is or has been logged into the workstation. The collection and correlation of endpoint, network, and firewall logs determines there is a high probability of a compromised workstation. The endpoint software is triggered to go into lockdown mode, and the access switch to which the affected device is connected moves the port to a quarantine network. The firewall and network review historic traffic to determine if the same threat is present elsewhere. Directory services are queried to determine if the user account is being used elsewhere. A ticket is automatically generated and put into the queue of the applicable group, including the overworked, many-hat-wearing security analyst/network engineer/system administrator/voice engineer. But now she/he has all the context behind the threat in the ticket, the threat has been isolated, and a determination can be made on a course of action to quickly remediate the issue. Because of integration, this has all happened in minutes.
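The correlation step in that scenario, written out as an added example that is not part of the original post: three constructed feeds (switch flow, EDR alert, directory logons) are scored per workstation, and the automated containment actions only fire when more than one product type implicates the host. The product action names are hypothetical labels, not any vendor's API.

```python
"""Added example: minimal correlation playbook for the scenario above.
All events are constructed sample data; action names are hypothetical."""
from dataclasses import dataclass, field

# Constructed feed from the distribution switch: a new east-west flow.
SWITCH_FLOWS = [
    {"src": "10.1.20.15", "dst": "10.1.50.8", "dport": 445, "bytes": 8_400_000},
]
# Constructed feed from the endpoint protection / EDR product.
EDR_ALERTS = [
    {"host": "10.1.20.15", "detection": "credential_dumping", "severity": "high"},
]
# Constructed directory-service logon records (host, account).
DIRECTORY_LOGONS = [
    {"host": "10.1.20.15", "user": "jdoe"},
    {"host": "10.1.50.8", "user": "jdoe"},  # same account seen on the target server
]

@dataclass
class Ticket:
    host: str
    evidence: list = field(default_factory=list)  # context for the analyst
    actions: list = field(default_factory=list)   # orchestrated responses
    score: int = 0

def correlate(host, flows, edr, logons):
    """Score one workstation by how many independent sources implicate it."""
    t = Ticket(host=host)
    for f in flows:  # network: new flow to a lateral-movement port
        if f["src"] == host and f["dport"] in (445, 3389, 5985):
            t.evidence.append(f"new lateral flow to {f['dst']}:{f['dport']}")
            t.score += 1
    for a in edr:    # endpoint: high-severity detection on this host
        if a["host"] == host and a["severity"] == "high":
            t.evidence.append(f"EDR: {a['detection']}")
            t.score += 2
    for u in {r["user"] for r in logons if r["host"] == host}:  # directory
        other = [r["host"] for r in logons if r["user"] == u and r["host"] != host]
        t.evidence.append(f"user {u} logged on here, also on {other}")
        if other:
            t.score += 1
    # Contain only when at least two product types agree (score >= 3 here);
    # weaker evidence still produces a context-rich ticket for a human decision.
    if t.score >= 3:
        t.actions = ["edr.lockdown", "switch.quarantine_port",
                     "fw.search_history", "ticket.create"]
    elif t.score > 0:
        t.actions = ["ticket.create"]
    return t
```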
Utopia? SIEM? No, with the right point products, basic(ish).
Companies invest in firewalls, endpoint protection, directory services, ticketing systems, networking gear, and the people to maintain them. Integration of the right point products with standardization of processes will greatly aid in overcoming the restrictions of a lean staff and of undetected threats remaining in an environment for weeks or months. When investing in security technology, make sure to pick the right combination of products, i.e. those with the capability of integrating with one another. The base level solution promised is this: when it is time to renew your security products, build toward an integrated solution.
Get advanced malware protection for the endpoint instead of traditional EPP. This means EDR (Endpoint Detection and Response) and UBA (User Behavior Analytics) capability.
Upgrade to a next-generation firewall that includes TI (threat intelligence), IDS/IPS, and content filtering.
Turn your network into a threat detection and prevention tool to monitor east-west traffic and provide analytics.
On each of these basic recommendations, take the additional step and ask, “Can this product integrate with my other point products?” “Can my new EDR communicate with my firewall?” “Can my switch infrastructure monitor east-west traffic for suspicious activity?” Upgrading to these advanced technologies on basic product types in which most already invest, along with adding the integration capability, increases an organization's security PPT without the burden of taking on costly SIEM or SOAR solutions. This is accomplished by:
Adding advanced detection capabilities into prevention products
Automating processes by integrating data enrichment and actions between platforms
Thus reducing the strain on security staff by performing mundane tasks automatically and centralizing security context when manual intervention is necessary
Access to the most advanced tools and skilled resources tied together with optimized processes is not practical for many mid-market organizations. However, by upgrading and integrating traditional prevention product types, organizations can greatly increase their threat management capabilities without breaking the bank on staff and technology.