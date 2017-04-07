Organizations are spending more on security than ever before. According to IDC, the global spend for cybersecurity last year alone was $73.7B and will grow to an astonishing $101B by 2020. To stay ahead of attackers, organizations have been investing in new products to modernize or enhance their security architectures. But despite this spend, high-profile attacks still happen.

What can organizations do to get more value from their security investments?

Visibility That Goes Wide and Deep

Security teams lack visibility into threat activity even though the average enterprise runs some 70 different security point products. The problem becomes more acute as workloads move beyond on-premises networks into public and private clouds, and as industrial control environments, which are hard to monitor, also need to be secured.

These point products are often narrowly focused but very good at generating alarms and detections. Unfortunately, the volume of alarms is staggering, the data is siloed, and, according to a recent Ponemon study, 70% of US and UK respondents find that data too complex to yield any actionable intelligence.

A further downside of this plethora of point products is that they are largely disconnected from one another. Each has its own management console or interface, so security analysts and threat hunters working in complicated, multi-product environments spend their limited, valuable time pulling information together piecemeal from different sources.

That’s a cumbersome process that introduces unnecessary inefficiencies.

Each product matters, but the lack of integration, automation and correlation limits the value of every one of them. What is needed is to unify the context each point product holds into a single platform that gives security teams comprehensive visibility, automated detection and incident response.

To make sure security teams get the visibility they need, look for products with well-documented APIs that can share information with other systems, so that data from disparate sources can be correlated for greater context and accuracy.

Start with full-fidelity packet capture (PCAP) of network traffic, then incorporate context from the point products already in your security architecture and apply advanced analysis across the combined data to get a complete view of threat activity on every network. Consider products with a cloud-first architecture that offer data retention for potentially unlimited periods, so security teams have the full history of any threat activity. Bear in mind that retaining full packet data for long periods carries real storage costs and data-handling obligations, since the captures will contain sensitive content.
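As an added illustration of the cross-source correlation the two preceding paragraphs call for (this is example code written for this page, not any product's own), the script below normalizes constructed exports from three hypothetical point products, an EDR agent, a network IDS and a web proxy, each with its own field names and timestamp formats, into one schema. It then groups alerts per host into 15-minute clusters and promotes a cluster to an incident only when two or more independent sources agree, which is what lifts a single-source alarm into prioritized context. All hosts, addresses, signatures and severity mappings are assumptions.

```python
"""Cross-source alert correlation over constructed exports (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    source: str      # which point product raised it
    host: str        # normalized asset key (internal IP here)
    kind: str        # normalized description of the detection
    ts: datetime     # timezone-aware UTC
    severity: int    # normalized 1 (info) .. 5 (critical)


@dataclass
class Incident:
    host: str
    alerts: list

    @property
    def sources(self) -> list:
        return sorted({a.source for a in self.alerts})

    @property
    def score(self) -> int:
        # Highest single severity, plus one for each additional independent source that agrees.
        return max(a.severity for a in self.alerts) + len(self.sources) - 1


# Constructed sample exports: three hypothetical products, three different schemas.
EDR_EVENTS = [
    {"agent_ip": "10.0.5.23", "event": "suspicious_process", "time": "2017-04-06T14:02:11Z", "risk": "high"},
    {"agent_ip": "10.0.5.90", "event": "usb_inserted", "time": "2017-04-06T09:00:00Z", "risk": "low"},
]
IDS_ALERTS = [
    {"src": "10.0.5.23", "sig": "possible beacon", "timestamp": 1491487365, "priority": 1},
    {"src": "10.0.5.44", "sig": "cloud storage client", "timestamp": 1491487400, "priority": 3},
]
PROXY_LOGS = [
    "2017-04-06 14:03:20 10.0.5.23 203.0.113.7 category=malware action=allow",
    "2017-04-06 14:10:00 10.0.5.44 198.51.100.4 category=business action=allow",
]


def from_edr(rows):
    risk = {"low": 1, "medium": 3, "high": 4, "critical": 5}
    for r in rows:
        ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield Alert("edr", r["agent_ip"], r["event"], ts, risk[r["risk"]])


def from_ids(rows):
    priority = {1: 5, 2: 3, 3: 2, 4: 1}   # IDS priority 1 is the most severe
    for r in rows:
        ts = datetime.fromtimestamp(r["timestamp"], tz=timezone.utc)
        yield Alert("ids", r["src"], r["sig"], ts, priority[r["priority"]])


SUSPICIOUS_CATEGORIES = {"malware": 4, "phishing": 4, "command-and-control": 5}


def from_proxy(lines):
    for line in lines:
        date, clock, src, dst, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        category = fields.get("category")
        if category not in SUSPICIOUS_CATEGORIES:
            continue   # routine browsing is context, not a detection
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield Alert("proxy", src, f"web:{category}->{dst}", ts, SUSPICIOUS_CATEGORIES[category])


def normalize_all():
    return [*from_edr(EDR_EVENTS), *from_ids(IDS_ALERTS), *from_proxy(PROXY_LOGS)]


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts per host into time clusters; a cluster seen by two or more
    independent sources becomes an Incident, everything else stays a lone alert."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    incidents, lone = [], []

    def flush(host, cluster):
        if len({a.source for a in cluster}) >= 2:
            incidents.append(Incident(host, cluster))
        else:
            lone.extend(cluster)

    for host, items in by_host.items():
        items.sort(key=lambda a: a.ts)
        cluster = [items[0]]
        for a in items[1:]:
            if a.ts - cluster[0].ts <= window:   # window anchored on the cluster's first alert
                cluster.append(a)
            else:
                flush(host, cluster)
                cluster = [a]
        flush(host, cluster)
    incidents.sort(key=lambda i: i.score, reverse=True)
    return incidents, lone


if __name__ == "__main__":
    found, rest = correlate(normalize_all())
    for inc in found:
        print(f"{inc.host}: score {inc.score}, sources {inc.sources}")
    print(f"{len(rest)} single-source alert(s) left unprioritized")
```

On the constructed data, only 10.0.5.23 produces an incident: the EDR process alert, the IDS beacon signature and the proxy malware-category request land within a minute of each other, so the host is scored above any single alarm. The two remaining alerts stay single-source and unprioritized, which is the queue an analyst would otherwise have to wade through by hand. The normalizers are where real integration work goes; the correlation step is deliberately simple so that its behaviour is easy to reason about.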

Making Your Security Stack Sing

When threats are detected, security teams need to respond quickly to minimize the damage. Unfortunately, a multi-vendor jumble of disconnected point products delivers an overwhelming flood of alarms with no obvious way to prioritize investigation. The process is not easy: it takes many manual, often disconnected steps to reach a resolution.

Security orchestration is an excellent way to reduce this manual, mundane overhead and to remove the opportunities for error that come with manual processes. Orchestration uses digital playbooks of rules, conditions and triggers to perform tasks automatically across the organization, saving time and cost.

For example, when a security event is detected, orchestration can automatically open a ticket to notify the appropriate teams, update a dynamic block list on a firewall or network device, or remediate an affected endpoint. Actions that can disrupt the business, such as blocking an address or isolating a host, should still be gated: check the target against allowlists of internal and critical assets, make the action idempotent so a replayed event does not fire twice, and route the highest-impact steps through human approval. Done this way, what was a haphazard collection of point products becomes a harmonious solution, translating visibility into action without further burdening busy security teams.
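The playbook mechanics described above, written here as an added example rather than any vendor's orchestration engine: each rule pairs a trigger with a list of actions, the actions run against stand-in connectors for ticketing, the firewall block list and endpoint isolation, and every decision, taken or refused, is written to an audit trail. The guardrails (an allowlist of networks that are never pushed to the firewall, a hypothetical domain controller that is never auto-isolated, idempotent blocking, and an approval queue for high-impact steps) and the sample events are constructed values chosen for the illustration.

```python
"""Minimal orchestration playbook with guardrails (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Event:
    id: str
    host: str                      # internal asset the detection fired on
    kind: str                      # normalized detection category
    severity: int                  # 1 (info) .. 5 (critical)
    remote: Optional[str] = None   # external indicator to block, if any


@dataclass
class Connectors:
    """Constructed stand-ins for the ticketing, firewall and EDR integrations."""
    tickets: list = field(default_factory=list)
    blocklist: set = field(default_factory=set)
    isolated: set = field(default_factory=set)
    approvals: list = field(default_factory=list)   # high-impact actions parked for a human
    audit: list = field(default_factory=list)       # every decision, taken or refused


# Guardrails (assumed values): never push internal or partner address space to the
# firewall, and never auto-isolate the hypothetical domain controller.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
NO_AUTO_ISOLATE = {"10.0.1.10"}


def open_ticket(ev: Event, c: Connectors) -> bool:
    c.tickets.append({"event": ev.id, "title": f"{ev.kind} on {ev.host}", "severity": ev.severity})
    c.audit.append(("ticket", ev.id))
    return True


def block_remote(ev: Event, c: Connectors) -> bool:
    if ev.remote is None:
        return False
    addr = ipaddress.ip_address(ev.remote)
    if any(addr in net for net in NEVER_BLOCK):
        c.audit.append(("block_refused", ev.id, ev.remote))
        return False
    if ev.remote in c.blocklist:   # idempotent: replaying an event adds nothing
        c.audit.append(("block_noop", ev.id, ev.remote))
        return False
    c.blocklist.add(ev.remote)
    c.audit.append(("block", ev.id, ev.remote))
    return True


def isolate_host(ev: Event, c: Connectors) -> bool:
    if ev.host in NO_AUTO_ISOLATE or ev.severity < 4:
        c.approvals.append({"event": ev.id, "action": "isolate", "host": ev.host})
        c.audit.append(("isolate_pending", ev.id, ev.host))
        return False
    c.isolated.add(ev.host)
    c.audit.append(("isolate", ev.id, ev.host))
    return True


# Playbook: (trigger, actions). Notification comes first so a human sees the
# event even when a later, more aggressive action is refused.
PLAYBOOK = [
    (lambda ev: ev.severity >= 3, [open_ticket]),
    (lambda ev: ev.kind in {"beacon", "malware_download"} and ev.severity >= 3, [block_remote]),
    (lambda ev: ev.kind in {"ransomware", "credential_dumping"}, [isolate_host]),
]


def run_playbook(events, connectors: Optional[Connectors] = None) -> Connectors:
    c = connectors if connectors is not None else Connectors()
    for ev in events:
        for trigger, actions in PLAYBOOK:
            if trigger(ev):
                for action in actions:
                    action(ev, c)
    return c


# Constructed detections as they might arrive from the correlation layer.
SAMPLE_EVENTS = [
    Event("e1", "10.0.5.23", "beacon", 4, remote="198.51.100.4"),
    Event("e2", "10.0.5.77", "beacon", 4, remote="198.51.100.4"),        # same C2, second host
    Event("e3", "10.0.5.44", "malware_download", 3, remote="10.0.9.9"),  # "remote" is internal
    Event("e4", "10.0.1.10", "credential_dumping", 5),                   # domain controller
    Event("e5", "10.0.5.61", "ransomware", 5),
    Event("e6", "10.0.5.90", "usb_inserted", 1),                         # below every threshold
]

if __name__ == "__main__":
    result = run_playbook(SAMPLE_EVENTS)
    print(f"tickets={len(result.tickets)} blocked={sorted(result.blocklist)} "
          f"isolated={sorted(result.isolated)} awaiting_approval={len(result.approvals)}")
    for entry in result.audit:
        print(entry)
```

Running it on the sample events opens five tickets, blocks the one external C2 address exactly once even though two hosts reported it, refuses to block the internal address that a misconfigured sensor reported as "remote", isolates the ransomware victim, and parks the domain controller isolation for a human instead of taking down authentication for the whole estate. The audit list is what an analyst reviews afterwards, and what proves the playbook did only what it was allowed to do.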

People Are Investments Too

Investing in security isn't just about technology; it's also about finding and retaining the right talent. Security analysts are among the hardest people to hire and keep. Their jobs are made harder by point products that aren't integrated, which contributes to above-average burnout. Once they're onboarded, you want to keep them engaged and satisfied with their work so they don't move on to other opportunities.

Legacy security products make forensic analysis and threat hunting unnecessarily laborious and repetitive, and they overwhelm analysts with data and unprioritized alarms. In fact, over 30 percent of IT professionals admit to sometimes ignoring security alerts because of the volume of false positives. The security products you deploy should ease the stress analysts face daily, not add to it.

The pool of security talent needed to deploy and manage these investments is shallow, which only makes the situation more pressing. Investing today in solutions that consolidate the functions of multiple point products and present information clearly helps improve job satisfaction and engagement.

With a modern approach to security that provides comprehensive visibility, automated threat detection and incident response, security teams are freed from the monotony of alarm fatigue. They can dedicate more time to proactively hunting for threats in their networks instead of reacting to unprioritized alarms.

Proactive hunting is more engaging and rewarding work for the entire security team, and it gives analysts on-the-job experience to hone existing skills and learn new ones, which helps keep your organization safer from tomorrow's targeted and advanced attacks.