Being a security analyst is hard work. A lack of situational awareness, the spread of sophisticated multi-stage attacks, and a dwindling pool of experienced staff are only making matters worse. These constraints result in overloaded work queues, higher than average levels of job stress, and the feeling that there’s never enough time in the day to make a positive impact.

What busy teams need is a modern, platform approach to enterprise security that frees up resources and makes them more effective. Evaluating new or replacement security products shouldn’t be a chore though. Take the pain out of the process by keeping in mind these critical attributes that help ensure whatever you deploy can set you on the path to enlightened security.

Security Products Should Be Comprehensive

Nobody likes the idea of adding point products to an already bloated security stack. Doing so also creates silos of information, robbing analysts of the comprehensive view they’d have if they worked from one console where all that data was correlated. A full picture of what’s happening on the network, at the endpoint, and with the user and device is the kind of contextual information that correlation could provide.

Therefore, the security products you deploy should provide a full understanding of activity on any network segment, including those not fully owned or controlled by the organization, such as the Cloud. They should also provide a way to correlate NetFlow, full packet capture, and logs inside one comprehensive platform.

Security Products Should Be Fully Connected

In an ideal world, analysts would go to a single console that handles every task they need to do in a day. The reality, though, is that your security program is powered by many disparate products and management consoles. Few of these are probably extensible, so they’re not going to play well with others.

On some level, the products you deploy in your security infrastructure should connect with others. Red flags that you’re not looking at the right products include a lack of APIs, or APIs that are only promised to you “in a future release.” Also beware of products designed to connect only with products from the same manufacturer, or of a manufacturer that makes you subscribe to its proprietary threat intelligence instead of using the “free” intelligence you’ve always used.

Security Products Should Call the Cloud Home

Security professionals are waking up to the idea that the Cloud can give them unconstrained processing power and unlimited forensic exploration. Legacy security vendors have caught on, and have started “cloud washing” their products. The problem is that security products that were built in the Cloud and for the Cloud are difficult, but not impossible, to find, and that is the approach to enterprise security that should be prioritized.

Steer away from traditional security appliance vendors who insist you can just use their products in a Cloud environment. While they might technically work in a Cloud infrastructure, the truth is that virtual appliances derived from the original hardware specs weren’t built to be delivered from or in the Cloud, and are usually light on features compared to those that were.

Also, these cloud-washed security products likely won’t help you improve automation of your existing threat detection capabilities. They can’t apply a data science approach to detection, because they aren’t capable of analyzing the billions of attributes that can be analyzed in the Cloud.

Security Products Should Analyze Continuously

The saying goes that hindsight is 20/20, but hindsight is a critical capability for security teams. Gartner recently said “adversary ‘dwell time’ (the time a person or group are inside an environment undetected) is still a serious problem today. Organizations are still taking a long time to find out that they have been breached.”

Finding these sophisticated security threats in real time is hard, but not impossible. What’s needed is an approach to security that takes the latest threat intelligence and replays it against historical network traffic and packet data to discover threats that were previously missed.

If what you want is to detect and prevent security threats in real time, the product you deploy should also take a “retrospective” approach to continuous analysis, one that introduces the concept of time into the security paradigm. This approach helps shorten adversary dwell time by using what you discover about the past as historical context that informs predictive discovery of security threats.
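The retrospective approach described above, as an added illustration that is not code from the original article or any vendor product: retained connection records are re-checked against an updated indicator feed, so contacts that were invisible when the traffic was captured surface later, and the earliest contact per host gives a dwell-time estimate. The records and indicators are constructed sample data using RFC 5737 documentation address ranges.

```python
from datetime import datetime

# Constructed sample of retained connection records: (timestamp, internal host, external destination).
# Destinations use RFC 5737 documentation ranges; none of these values is a real indicator.
HISTORICAL_FLOWS = [
    ("2023-03-01T08:12:00", "10.0.0.5", "198.51.100.7"),
    ("2023-03-01T09:40:00", "10.0.0.9", "203.0.113.20"),
    ("2023-03-14T22:05:00", "10.0.0.5", "203.0.113.44"),
    ("2023-03-21T03:30:00", "10.0.0.12", "203.0.113.44"),
    ("2023-03-22T11:00:00", "10.0.0.9", "198.51.100.7"),
]

# Constructed indicator feed as it looked when the traffic was captured, and after an update.
INDICATORS_AT_CAPTURE = {"203.0.113.20"}
INDICATORS_UPDATED = {"203.0.113.20", "203.0.113.44"}


def match_flows(flows, indicators):
    """Return (datetime, src, dst) for every record whose destination is in the indicator set."""
    return [(datetime.fromisoformat(ts), src, dst) for ts, src, dst in flows if dst in indicators]


def retrospective_hits(flows, old_indicators, new_indicators):
    """Matches that only the updated feed reveals: the threats missed at capture time."""
    newly_flagged = new_indicators - old_indicators
    return match_flows(flows, newly_flagged)


def dwell_time(flows, indicators, now_iso):
    """Per internal host, the time elapsed since its first contact with any indicator."""
    now = datetime.fromisoformat(now_iso)
    first_seen = {}
    for ts, src, _ in match_flows(flows, indicators):
        if src not in first_seen or ts < first_seen[src]:
            first_seen[src] = ts
    return {src: now - ts for src, ts in first_seen.items()}


if __name__ == "__main__":
    for ts, src, dst in retrospective_hits(HISTORICAL_FLOWS, INDICATORS_AT_CAPTURE, INDICATORS_UPDATED):
        print(f"missed at capture time: {src} -> {dst} on {ts}")
    for src, dwell in dwell_time(HISTORICAL_FLOWS, INDICATORS_UPDATED, "2023-04-01T00:00:00").items():
        print(f"{src}: first indicator contact {dwell.days} days before analysis")
```

The longer the flow records are retained, the further back the replay can reach, which is why the retention point in the next section matters for this technique.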

Security Products Should Provide Full Coverage

Your network assets aren’t located in a single datacenter anymore, so why would you consider security products that can’t go where you need them to go? Security should be a flexible utility. You could send Cloud traffic through your legacy security appliances, but that only works well if they were architected for the Cloud from the start.

Whether your assets are already in the Cloud or not, it’s important to make sure the products you deploy can extend the power of security to the Cloud quickly and easily. Also, be sure to retain relevant contextual information for as long as possible, so there is no gap in the forensic evidence you might need later. As soon as news of a new zero-day breaks, those investigations could help determine whether it had already impacted the business in the past.

Unless something changes dramatically within an organization’s security infrastructure, team members will continue to be stretched thin, and their jobs will continue becoming more difficult. Considering the increasing proliferation of sophisticated attacks coupled with a woeful lack of situational awareness, security teams should consider these tips when evaluating new security products and strategies.