Removing silos, an easy technical fix?
Single panes of glass and silver bullets have proven to be more vendor fantasy than security reality. Done pragmatically, however, security consolidation has clear benefits: removing siloed controls reduces outlay on tools, reduces management complexity and can enhance threat detection.
So what factors should be taken into consideration when undertaking such an initiative? This was the topic under consideration when security leaders gathered in Manchester recently.
Centralised datasets
Breaking down data silos provides benefits for security teams, it was agreed.
A standardised interpretation of threat data helps address a number of problems driven by an attack surface whose growth often outpaces controls. By removing blind spots caused by technology fragmentation, lateral movement becomes harder and dwell time reduces.
Removing the walls between datasets also brings valuable context. Traditionally, threat data has been one-dimensional, answering only the ‘what’ question. With more context, however, the ‘why’ and ‘how’ of adversarial activity become clearer, as attack paths and dependencies are uncovered.
This allows security teams to make better decisions by providing more relevant information for triage and incident response. It also helps them couch risk in terms understood by senior stakeholders by outlining risks to processes central to the business.
Those gathered were keen, however, to point out that in reality such initiatives often still require compromises. The realities of technology and resources make an exhaustive view of data a utopian ideal rather than a practical outcome. For this reason, security leaders need to factor in a wide set of variables in order to make strategic risk decisions.
People and process
A debate was had about how security leaders could best equip teams and individuals with the skills necessary to play the most effective role once silos had been consolidated.
The underlying concern was that, with the deployment of new tools and processes, human capabilities will take some time to build. As one put it ‘if you have a major incident and the team has only just completed their training, how proficient are they going to be? Ropey at best.’
Opinions varied on whether it was better to reshape the capabilities of experienced team members who know the existing environment or if fresher, newer, talent would get up to speed faster. In reality, however, it was agreed that the ideal situation is to have an approach which enables anyone to upskill rapidly regardless of technology. This way, organisations have access to a wider talent pool, benefit from skills diversity and are insulated from the high turnover so common in the modern SOC.
Procedurally, it was suggested that technology-agnostic playbooks stop security teams suffering such ‘trial by fire’ in a newly consolidated environment. To enhance learning opportunities, feedback loops should also be built into incident response teams to allow for a continual flow of TTPs back into security operations.
Due diligence
Given the reliance they will have on silo-consolidating controls, security leaders agreed that any ‘best of breed’ tag needs to be subject to scrutiny prior to purchase.
Head-to-head proof of concept deployments were seen as an important way of achieving this. Not only will this allow security teams to compare factors such as false positive and false negative rates, but it will also help them understand how well each tool meshes with people and processes: for example, how much human management it requires and whether the internal capability to provide it exists.
In addition, it was highlighted, CISOs need to be comfortable taking on the security and operational risks associated with relying on a single vendor. It is not unknown for such tools to be compromised or to fail outright, for example.
Unify the tools, unify the metrics
Consolidating the data and tooling that power numerous security actions provides an opportunity to deliver better metrics to the business. However, it was agreed, the opportunity does not lie in providing more data, but in providing more relevant data.
Senior stakeholders only want security metrics that resonate with their areas of responsibility. IT teams, for example, don’t want a database of vulnerabilities. Rather, they want to know how many assets linked to business-critical systems are unpatched and for how long. Similarly, board members, as one attendee put it, ‘just want to know if they have been breached and how much it would cost.’ With any security consolidation programme, getting this balance of narrative and data right could prove to be a watershed moment for how security leaders are perceived at a senior level.
It was concluded that the benefits of removing silos have been clear for years, yet an inability to navigate the complex surrounding waters holds many back. Most security leaders believe no magic bullet exists, even now. However, with strategic planning cognisant of the fact that it takes more than just technology to break down silos, they can put their organisations on a path to enjoying some of the benefits that consolidation brings.