The last three months have set unprecedented challenges for businesses across all industries, and vendor collaboration in cyber security is now absolutely essential.
We have seen a remarkable and rapid shift in the way companies operate as record numbers have implemented a remote workforce to keep their operations going and their teams collaborating.
Indeed, ONS data from May estimates that roughly half of UK workers now work from home, compared to just 5.1% in 2019.
Cyber criminals have been quick to take advantage of a prolonged period in which organisations have had to sustain a remote workforce. Many are specifically targeting VPNs and other newly exposed components of remote working, and are folding Covid-19 themes into their social engineering lures. HMRC, for example, identified more than 300 pandemic-related scam sites that had appeared since March.
The increased threat profile and newly exposed attack surface mean that while their operations may be scattered, businesses need a security capability that is cohesive, focused and agile. The whole gamut of security technologies, from endpoint protection, perimeter defences and privileged access management to cloud and network monitoring, must operate in a low-friction, integrated manner within the security processes of the teams that run them.
Integration is security operations’ lubrication
As the cyber security market continues to grow and diversify, organisations have benefited from being able to choose from an increasingly large array of services and solutions to address their unique security needs. Most security architects have built operations that include multiple vendors' tools catering to specific needs such as email security, firewalls, endpoint, SIEM, and threat detection and response.
While there are vendors that offer an extensive suite of security products under a single brand, this can mean customers end up compromising on capabilities. Using services and tools from multiple vendors, on the other hand, means a company can benefit from their specific expertise and pick the “best of breed” for each capability gap they need to address.
However, a multi-vendor approach can come at the expense of overall cohesion. Products from different vendors do not necessarily work well together, leaving the security team to manage multiple systems that do not share information with each other and cannot be automated end to end. With hundreds or even thousands of alerts arriving every day, having to manually cross-check different consoles not only wastes analyst time as teams act as "human middleware" but also creates operational gaps that allow threats to go undetected.
Responsibility for overcoming these issues falls not with individual companies but with the security industry as a whole. Vendors must build solutions that work with others and enable increasingly automated workflows, freeing up valuable human resources for the high-value investigative work that allows teams to keep up with modern threats and incident response.
Playing nicely together creates security value
Delivering collaborative security offerings requires solutions to be aligned on both a technical and a strategic level. On the technical side, each security solution needs an application programming interface (API) that allows different tools to communicate and share information effectively. APIs alone, though, are not a complete solution: they are only interfaces, and the connections between them still have to be built and the interactions orchestrated. The next step is using those APIs to wire together the interactions and features shared between differing tools, often via embedded apps and widgets.
A strategic alliance can deliver powerful benefits to the vendors involved as well as helping their customers improve their security posture. We have worked with CrowdStrike, Cybereason, Microsoft and others to integrate our Network Detection and Response (NDR) solution, Cognito, with their Endpoint Detection and Response (EDR) solutions. This has enabled security teams to improve visibility and insight into the threats they are facing and reduce their incident response time.
When CISOs deploy solutions that are designed to work smoothly together, their teams are much better equipped to join the dots between different sources and respond accordingly. This is what makes an approach such as the "SOC visibility triad", which combines SIEM, NDR and EDR so that each covers the others' blind spots, work as efficiently as possible. The triad can be applied across on-premise, cloud and SaaS environments while also incorporating attacker behaviour modelling.
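As an added illustration (this is not code from the original article, nor from Cognito or any vendor's product), the following Python sketches the kind of correlation the triad relies on. Three constructed alert feeds stand in for EDR, NDR and SIEM output; their field names are assumptions, not any real API. Alerts are normalised to one schema (including differing host-name conventions), grouped per host inside a time window, and escalated only when independent sources agree, which is the "joining the dots" that manual cross-checking of separate consoles tends to miss.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alerts, not real product output. The field names of
# each feed are an assumption representing three different vendors' APIs.
EDR_ALERTS = [
    {"hostname": "WS-0042", "detected_at": "2020-06-01T09:12:05Z",
     "technique": "credential_dumping", "process": "lsass.exe"},
]
NDR_ALERTS = [
    {"src_host": "ws-0042", "ts": "2020-06-01T09:13:40Z",
     "behaviour": "smb_lateral_movement", "dst": "10.0.5.20"},
]
SIEM_EVENTS = [
    {"host": "WS-0042.corp.example", "@timestamp": "2020-06-01T09:11:30Z",
     "rule": "vpn_login_new_country", "user": "jsmith"},
    {"host": "WS-0077.corp.example", "@timestamp": "2020-06-01T10:40:00Z",
     "rule": "vpn_login_new_country", "user": "alee"},
]


@dataclass
class Alert:
    """Common schema every feed is mapped onto before correlation."""
    source: str      # "edr", "ndr" or "siem"
    host: str        # normalised host key
    when: datetime
    detail: str


def _host_key(raw: str) -> str:
    """Collapse FQDN/short-name and case differences to one key."""
    return raw.split(".")[0].lower()


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise() -> List[Alert]:
    """Map each vendor's field names onto the shared Alert schema."""
    alerts = [Alert("edr", _host_key(a["hostname"]), _parse_ts(a["detected_at"]),
                    a["technique"]) for a in EDR_ALERTS]
    alerts += [Alert("ndr", _host_key(a["src_host"]), _parse_ts(a["ts"]),
                     a["behaviour"]) for a in NDR_ALERTS]
    alerts += [Alert("siem", _host_key(a["host"]), _parse_ts(a["@timestamp"]),
                     a["rule"]) for a in SIEM_EVENTS]
    return sorted(alerts, key=lambda a: a.when)


def _summarise(host: str, cluster: List[Alert]) -> Dict:
    sources = sorted({a.source for a in cluster})
    return {
        "host": host,
        "sources": sources,
        "count": len(cluster),
        # Two or more independent sources agreeing on the same host is the
        # signal worth an analyst's time; a lone SIEM rule hit stays low.
        "priority": "high" if len(sources) >= 2 else "low",
        "timeline": [f"{a.when:%H:%M:%S} {a.source}: {a.detail}" for a in cluster],
    }


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Group alerts per host into clusters whose span fits inside `window`
    and summarise each cluster as an incident."""
    by_host: Dict[str, List[Alert]] = {}
    for a in alerts:                      # alerts arrive sorted by time
        by_host.setdefault(a.host, []).append(a)

    incidents = []
    for host, items in by_host.items():
        cluster = [items[0]]
        for a in items[1:]:
            if a.when - cluster[0].when <= window:
                cluster.append(a)
            else:
                incidents.append(_summarise(host, cluster))
                cluster = [a]
        incidents.append(_summarise(host, cluster))
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalise()):
        print(inc["priority"].upper(), inc["host"], inc["sources"])
        for line in inc["timeline"]:
            print("   ", line)
```

The interesting design point is the normalisation step: without a shared host key and timestamp format, the VPN login, the credential dump and the SMB lateral movement on WS-0042 would sit in three consoles as three unrelated low-severity events. In production the window, the host key and the escalation rule would all need tuning, and the raw feeds would come from each vendor's API rather than inline lists.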
Ultimately, by achieving this level of SOC visibility you can significantly reduce the risk of a threat actor operating undetected for extended periods inside your organisation. Early detection and response can make the difference between a contained incident and a damaging breach.
While vendor integration has continued to improve, we need to see a more concerted effort by the security industry to form strategic partnerships and create solutions that can smoothly work together to reduce technical complexity and risk, and create new value in how security operations are performed.
With organisations set to face continued challenges in securing their expanded remote operations, integrated tools and processes will help security operations teams cover more ground and be more effective in mitigating the threats against them.