Today, in the fifth post of this six-part series, we’re going to cover the fourth and final domain of our reference model for IT infrastructure security. Not only is this the last domain in the model, it is one of the most exciting.
As IT professionals, we are all being asked to do more with less. This is why we need security tools that give us more visibility and control. But what do those tools look like? Let’s take a peek.
Domain: Visibility & Control
If we were securing a castle, it might be good enough to go to a high tower to see the battlefield, and we might be able to use horns or smoke signals to coordinate our defense. In a modern organization, we need to do a little better than that. Real-time visibility providing contextual awareness and granular control of all our security tools is required to defend against today’s threats.
The categories in the visibility and control domain are:
automation and orchestration, security incident and event management (SIEM), user (and entity) behavior analytics (UBA/UEBA), device management, policy management, and threat intelligence.
Category: Automation and Orchestration
Automation and orchestration are the tools that make it easier to operate a secure infrastructure. These tools should work across the vendors in your environment and simplify the job of your security practitioners by reducing tedious and error prone manual tasks, reducing incident response times, and increasing operational efficiency and resiliency. This category is still emerging. This means that even more than the other categories, there is an option to build this functionality with open source tools and, more recently, to buy a commercial platform.
Category: SIEM
Security information and event management (SIEM) products and services combine security information management (SIM) and
security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware.
SIEM solutions collect and correlate a wide variety of information, including logs, alerts, and network data-flow characteristics, and present the data in human-readable formats that administrators use for a variety of reasons, such as application tuning or regulatory compliance. More and more, these tools are complemented with some form of automation platform to provide instructions to analysts for how to deal with alerts, or even act on them automatically!
Category: UBA / UEBA
User behavior analytics (UBA) solutions look at patterns in user behavior and then use algorithms or machine learning to detect anomalies to prevent insider threats like theft, fraud, or sabotage. User and entity behavior analytics (UEBA) tools expand that to look at the behavior of any entity with an IP address to more broadly encompass "malicious and abusive behavior that otherwise went unnoticed by existing
security monitoring systems, such as SIEM and DLP."
Category: Device Management
Device management is all about managing your security devices. These tools are often vendor-specific, and most attempt to display data in a single pane of glass using a central management system (CMS). Recently, many vendors have recognized the need for a single interface and have enabled APIs to accommodate third-party reporting. Going forward, these tools may be replaced or controlled by other, vendor-agnostic automation tools in a more mature security infrastructure.
Category: Policy Management
Policy management tools make it easier to maintain homogeneous security policies across a large number of devices. These tools were initially vendor-specific, but vendor-neutral policy managers are becoming more prolific. They give the ability to deploy a common policy across an organization, a group of devices, or to a single device. Additionally, Policy Management tools often give a user the ability to test/validate configurations before deploying them. Finally, Policy Management tools provide a mechanism to create configuration templates used for no-touch/zero-touch provisioning.
Category: Threat Intelligence
Threat intelligence can take many forms. The unifying purpose of them is to provide you, your security organization, and your other security tools information on external threats. Threat intelligence gathers knowledge of malware, zero-days, advanced persistent threats (APT), and other exploits so that you can block them before they affect your systems or data.
One More Thing
In the final post in this series we’ll look at the full model that has been described thus far and consider how you can put it to use to meet your individual security goals. Be sure to stick with me for the conclusion!
