Vice President, Product Management

Building a Threat Defense Machine in the Cloud

Aug 18, 2017 (7 min read)

If keeping your organization safe from cyber threats has become a dysfunctional mess, you’re not alone. Despite hundreds of security products on the market today that claim they can help make security teams more efficient, analysts are still under tremendous pressure to work harder and faster to keep up.

Too many interfaces, too many alerts, and way too little help – that’s the unfortunate situation many security teams face. The situation is further exacerbated by enterprise migrations to the Cloud that are hampered by ineffective legacy security products. These products have enough trouble providing visibility and threat detection in on-premises networks; in hybrid environments the gaps only widen.

What if, through the marriage of technology and talent, the enterprise could defend itself better against these threats? With a finely-tuned threat defense machine at their fingertips, analysts could investigate and resolve incidents more effectively because they would be focusing on the security events that matter rather than pursuing false alarms. By making teams more efficient and reducing the noise, analysts can be freed up to hunt proactively for threats rather than react to every alert.

Too Many Tools

Your security team has a lot of tools at its disposal. By some estimates, the average organization uses 70 security products from a variety of different vendors. That’s a lot of different data sets and interfaces for busy analysts to manage, and it can be debilitating when trying to gain a solid sense of situational awareness. What’s worse is that too many tools don’t work together and analysts often don’t know where to start looking.

Like most enterprises, you’ve probably added dozens of products to your security stack over time, but are all these tools actually making your organization more secure? These products don’t always share information and instead create silos of data which make it difficult to achieve the comprehensive visibility you need across your entire infrastructure.

This problem is compounded as workloads move outside the traditional enterprise perimeter and into public and private clouds. That’s because traditional security products offer visibility into on-premises networks, but fall short when it comes to providing the same level of security in the Cloud. That’s especially true for “cloud-washed” legacy products that often lack the robust feature sets needed to manage threats effectively in a dynamic cloud environment.

Too Many Alarms

Security analysts spend most of their days in reactive mode responding to alarms, which are their primary way of knowing that something has happened. Unsurprisingly, the result of having too many tools is that they produce too many of these alarms. In fact, a recent survey of security teams shows that a whopping 79% are overwhelmed by the volume of alarms they receive. It’s no wonder that the majority of these wind up ignored, or simply fall into the abyss.

Some businesses and industries are more lucrative targets than others, and alarm fatigue is more acute there. Take financial services, for example. More than a third of banks (37%) each receive more than 200,000 security alerts every day. That’s far more than even a large, experienced security team can reasonably handle.

This is a clear example of why these teams need to receive alerts that are correlated and prioritized by severity, so they know exactly where to focus their efforts first. Getting to that point, though, requires that information about events and incidents be correlated with each other, and that the correlated data then be associated with detections from other sources to separate the alarms that matter from the ones that don’t.
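As an added illustration of the correlation step just described (example code written for this page, not code from the article or from ProtectWise’s product), the script below takes normalized alerts from several constructed sources, drops exact duplicates, groups what remains by host, and scores each resulting incident by its worst severity plus a bonus for every additional independent source that fired on the same host. The severity weights, the per-source bonus and the sample alerts are all assumptions chosen for illustration.

```python
"""Correlate raw alerts from several tools into a prioritized list of incidents."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed severity weights; a real deployment would tune these per environment.
SEVERITY = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Extra weight for each additional independent source that fired on the same host.
CORROBORATION_BONUS = 3

# Constructed sample alerts, already normalized to a common shape. Real products
# emit their own formats, so normalization is the first step in any pipeline.
SAMPLE_ALERTS = [
    {"source": "ids", "host": "10.0.5.12", "severity": "medium",
     "signature": "Outbound TLS to rarely seen destination"},
    {"source": "edr", "host": "10.0.5.12", "severity": "high",
     "signature": "Suspicious PowerShell download cradle"},
    {"source": "proxy", "host": "10.0.5.12", "severity": "low",
     "signature": "Uncategorized domain"},
    {"source": "ids", "host": "10.0.9.40", "severity": "low", "signature": "ICMP sweep"},
    {"source": "ids", "host": "10.0.9.40", "severity": "low", "signature": "ICMP sweep"},
    {"source": "av", "host": "10.0.7.3", "severity": "critical",
     "signature": "Ransomware note dropped"},
]


@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)

    @property
    def sources(self):
        # Distinct tools that reported on this host.
        return sorted({a["source"] for a in self.alerts})

    @property
    def score(self):
        # Worst single severity, plus a bonus when independent sources agree.
        worst = max(SEVERITY[a["severity"]] for a in self.alerts)
        return worst + CORROBORATION_BONUS * (len(self.sources) - 1)


def correlate(alerts):
    """Dedupe identical alerts, group by host, and return incidents highest score first."""
    seen = set()
    by_host = defaultdict(list)
    for a in alerts:
        key = (a["source"], a["host"], a["signature"])
        if key in seen:
            continue  # the same tool repeating the same finding adds no information
        seen.add(key)
        by_host[a["host"]].append(a)
    incidents = [Incident(host, grouped) for host, grouped in by_host.items()]
    return sorted(incidents, key=lambda inc: inc.score, reverse=True)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.host:<12} score={inc.score:>3} sources={','.join(inc.sources)}")
```

With these weights the host three tools agree on outranks the lone critical antivirus hit, which is the point of correlation: a single loud alert is not automatically the most important one. Whether that ordering is right for a given environment is a tuning decision, not something the code can know.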

Too Little Help

Detecting complex, multi-stage attacks that can unfold over long periods of time takes a host of powerful moving parts. It requires a range of techniques applied in parallel on massive amounts of data to detect threats in real-time, including ones that can’t be identified by deterministic means like signatures and rules alone. That includes techniques like machine learning, intrusion detection that uses commercially available and customized threat intelligence, anomaly detection, file analysis, and heuristics. When threats are detected, time is of the essence, and security teams can’t waste any of it dealing with a tangled web of disconnected, multi-vendor point products.

With legacy security products, analysts are left to hunt for and piece together information haphazardly, creating needless busy work and leaving plenty of room for error. This tedious work is made even harder by a lack of actual manpower. It’s projected that as many as 3.5 million cybersecurity positions will remain unfilled by 2021, leaving security teams short-staffed and potentially overwhelmed, with no change in sight.

Not Too Late for a Fix

A way to fix problems like these is closer at hand than you’d think. What’s needed is a modern approach designed from the ground up to secure workloads no matter where they live. Enterprises need:

  • Visibility everywhere on their networks from the core to the Cloud and even industrial and operational environments
  • Forensic data (e.g., PCAPs) about all network segments, including the cloud
  • To have that information fed automatically into a single, easily accessible haystack
  • Analysis of these huge bodies of evidence to detect and remediate threats in real-time and retrospectively
  • Prioritization of threats that need immediate attention to reduce the overwhelming noise of alerts and alarms
  • Confidence of knowing quickly and automatically whether or not a newly-detected threat has ever affected them in the past

Only the Cloud has the capacity and the elastic computing power to make this finely-tuned threat defense machine practical. Unlike appliance-based security products, the Cloud can collect, analyze, and store immense bodies of data for as long as your retention policy requires, and make that data accessible quickly and on demand. It can also reach into the most remote recesses of the modern enterprise network. How likely is it, for example, that an organization will deploy yet another appliance at a remote office? Organizations accept these blind spots because they lack the manpower or funding to deploy appliances everywhere. With the Cloud, it is possible to go back in time as far as your retained data allows and re-analyze historical network traffic against the latest threat intel, detecting exploitation of newly-discovered vulnerabilities that nothing was looking for at the time.
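The retrospective check described above, as an added example (written for this page, not the article’s or ProtectWise’s code): stored connection metadata is re-scanned against an indicator list that was published after the traffic was captured, and the result is reduced to the earliest matching contact per internal host, which is the answer to “has this ever affected us?” The flow records, the indicator list and its publication date are constructed; the example assumes that connection metadata including destination IP and TLS SNI has been retained. Bare IP indicators age quickly and can sit on shared hosting, so hits on them should be treated as leads to investigate rather than confirmed compromise.

```python
"""Re-scan retained connection metadata against newly published threat intelligence."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed historical flow records, as a long-retention store might keep them.
HISTORICAL_FLOWS = [
    {"ts": "2017-05-02T09:14:00Z", "src": "10.0.5.12", "dst": "203.0.113.77",
     "dport": 443, "sni": "update-cdn.example.net"},
    {"ts": "2017-06-18T22:41:00Z", "src": "10.0.9.40", "dst": "198.51.100.9",
     "dport": 8443, "sni": None},
    {"ts": "2017-07-30T03:05:00Z", "src": "10.0.7.3", "dst": "192.0.2.10",
     "dport": 80, "sni": None},
    {"ts": "2017-08-10T12:00:00Z", "src": "10.0.5.12", "dst": "203.0.113.77",
     "dport": 443, "sni": "update-cdn.example.net"},
    # Captured after the intel below was published; real-time detection owns this one.
    {"ts": "2017-08-16T08:00:00Z", "src": "10.0.5.12", "dst": "203.0.113.77",
     "dport": 443, "sni": "update-cdn.example.net"},
]

# Constructed indicator feed, published after most of the flows above were captured.
NEW_INTEL = {
    "published": "2017-08-15T00:00:00Z",
    "ips": {"198.51.100.9"},
    "domains": {"update-cdn.example.net"},
}


@dataclass(frozen=True)
class Hit:
    ts: datetime
    src: str        # internal host that made the connection
    indicator: str  # the IP or domain that matched
    kind: str       # "ip" or "domain"


def parse_ts(text):
    """Parse the feed's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retro_hunt(flows, intel):
    """Return matches that predate the intel's publication, oldest first."""
    published = parse_ts(intel["published"])
    hits = []
    for flow in flows:
        ts = parse_ts(flow["ts"])
        if ts >= published:
            continue  # only past exposure is of interest here
        if flow["dst"] in intel["ips"]:
            hits.append(Hit(ts, flow["src"], flow["dst"], "ip"))
        if flow["sni"] and flow["sni"] in intel["domains"]:
            hits.append(Hit(ts, flow["src"], flow["sni"], "domain"))
    return sorted(hits, key=lambda h: h.ts)


def first_exposure(hits):
    """Earliest matching contact per internal host."""
    earliest = {}
    for h in hits:
        if h.src not in earliest or h.ts < earliest[h.src]:
            earliest[h.src] = h.ts
    return earliest


if __name__ == "__main__":
    found = retro_hunt(HISTORICAL_FLOWS, NEW_INTEL)
    for h in found:
        print(f"{h.ts.isoformat()} {h.src} -> {h.indicator} ({h.kind})")
    for host, ts in first_exposure(found).items():
        print(f"{host} first contacted an indicator on {ts.date()}")
```

The value of the exercise comes entirely from retention: the May contact is only findable because the metadata was still there in August, and the question a post-publication scan answers is not “are we being attacked now?” but “how long has this been going on?”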

With visibility across any network for extended periods of time, it becomes easier to gain full situational awareness when threats or attacks are detected. The Cloud also makes it easier to access virtually endless points of data about the network, from the core all the way out to the endpoint. This gives analysts greater context so they can make faster, better-informed decisions.

Also unlike legacy hardware products, millions of events and observations from multiple products can be correlated in the Cloud, producing a rich body of contextual data while distilling down thousands of alarms into the security events that require deeper investigation. But finding threats is just the first step of the detection-triage-response-remediation workflow that organizations need.

Detections should leverage integrations with the other products and platforms in a security stack for automated detection-triage-response workflows. For example, an integration with firewalls could push a newly detected indicator to a dynamic block list to mitigate the threat. Integrations with orchestration platforms could open tickets automatically, notify the appropriate teams, update block lists on firewalls or other network devices, or remediate an affected endpoint.

This level of automation unburdens security teams and speeds up response by taking manual processes and chaining them into a series of predetermined actions triggered by a security event. It also ensures that your security policies and procedures are applied consistently, since the element of human error is removed from the equation. The same consistency applies to mistakes, though: an automated block of the wrong address is applied just as reliably, so the guard rails that decide what may be blocked automatically matter as much as the chain itself.
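The chained workflow described in the two paragraphs above, as an added example (written for this page, not the article’s or ProtectWise’s code): a detection opens a ticket, and for high and critical severities it pushes the indicator onto a block list and pages the on-call team, with critical detections also requesting endpoint isolation. The chain is idempotent (a repeat of the same detection does not open a second ticket or re-block) and it refuses to auto-block internal address ranges or an allowlisted destination, which is the guard rail that keeps automation from turning into self-inflicted outage. The detections, the allowlist entry and the ticket naming scheme are constructed; the real firewall, ticketing and notification calls are represented by entries in an in-memory state object.

```python
"""Chain response actions from a detection, with idempotence and blocking guard rails."""
import ipaddress
from dataclasses import dataclass, field

# Constructed allowlist: destinations that must never be blocked automatically
# (a partner API, a SaaS provider, an internal proxy's public address, ...).
ALLOWLIST = {"198.51.100.250"}

# Address ranges that an automated rule must never push to a perimeter block list.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class State:
    """Stands in for the firewall, ticketing and paging systems the real chain would call."""
    blocklist: set = field(default_factory=set)
    tickets: dict = field(default_factory=dict)       # (host, indicator) -> ticket id
    notifications: list = field(default_factory=list)  # (team, reference)


def is_auto_blockable(indicator):
    """Only external, non-allowlisted IPs may be blocked without a human in the loop."""
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        return False  # domains and other indicator types go to review in this example
    if any(addr in net for net in INTERNAL_RANGES):
        return False
    return indicator not in ALLOWLIST


def run_playbook(detection, state):
    """Apply the chain to one detection; returns the ordered actions and mutates state."""
    actions = []
    key = (detection["host"], detection["indicator"])

    # Idempotence: the same finding on the same host must not fan out twice.
    if key in state.tickets:
        actions.append(("skip", f"ticket already open: {state.tickets[key]}"))
        return actions

    ticket_id = f"INC-{len(state.tickets) + 1:04d}"
    state.tickets[key] = ticket_id
    actions.append(("ticket", ticket_id))

    if detection["severity"] in ("high", "critical"):
        indicator = detection["indicator"]
        if indicator in state.blocklist:
            actions.append(("skip", f"already blocked: {indicator}"))
        elif is_auto_blockable(indicator):
            state.blocklist.add(indicator)
            actions.append(("block", indicator))
        else:
            actions.append(("review", f"not auto-blockable: {indicator}"))
        state.notifications.append(("soc-oncall", ticket_id))
        actions.append(("notify", "soc-oncall"))

    if detection["severity"] == "critical":
        # Isolation is requested, not performed: endpoint containment stays a human call here.
        state.notifications.append(("endpoint-team", detection["host"]))
        actions.append(("isolate_request", detection["host"]))

    return actions


if __name__ == "__main__":
    st = State()
    for det in [
        {"host": "10.0.5.12", "indicator": "203.0.113.77", "severity": "high"},
        {"host": "10.0.5.12", "indicator": "203.0.113.77", "severity": "high"},
        {"host": "10.0.9.40", "indicator": "10.0.0.1", "severity": "critical"},
        {"host": "10.0.7.3", "indicator": "198.51.100.250", "severity": "high"},
    ]:
        print(det["host"], det["indicator"], "->", run_playbook(det, st))
```

Everything the chain does is recorded in `State`, so the same structure doubles as an audit trail: when an automated block turns out to be wrong, the ticket that caused it is one lookup away.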

Having this threat detection engine in the Cloud has clear benefits, the most important of which is keeping your organization safe rather than stuck in a dysfunctional mess. By reducing the noise and speeding up response with ready access to the data analysts need, it improves efficiency, relieves analyst stress, and frees up time, so that analysts don’t have to work harder; they can work smarter.


David is responsible for developing product strategy and direction. With more than 10 years in enterprise network security, he brings a strong track record of innovation and customer focus to ProtectWise. Previously, he led Firewall Product Management at McAfee and has held roles in sales engineering, product management and support at Websense, Intel, McAfee and Secure Computing. David received a M.B.A. from the Carlson School of Management at the University of Minnesota and holds a B.A. in Political Science and International Relations from Carleton College.
