Rick McElroy, Head of Security Strategy, Carbon Black, Inc.
“One of the best ways to reduce mean time to detect is to correlate all the data sets from security technologies throughout the environment, apply behavioral analysis to that correlated data, and then drive high-fidelity alerts.”
- In most cases, a security practice benefits from one orchestration and automation platform that correlates all data, applies behavioral analytics, accurately identifies threats in real time, and automatically initiates remediation. That is how teams will secure their environment and stay ahead of the bad guys.
- When optimizing the security stack, security teams need to consider the time they will spend operating and maintaining the technology versus the time they should be spending improving detection and remediation and refining their security practice.
“Because of where data resides, one of the most important data sources comes from endpoints. Although configuration files for routers and switches can provide useful information for attackers, the data attackers are after does not reside on routers or switches.”
Optimizing a security practice is first and foremost about optimizing people and processes. Technology is important, but the technology stack serves the operational needs of people and processes. Therefore, the first step in optimizing a technology stack is to clearly understand the outcomes you expect from people, process, and technology that compose a security practice.
A key goal for most security organizations is to reduce mean time to detection and mean time to remediation. These go hand-in-hand. Technology can now detect events as they happen, and it can trigger actions that immediately begin a remediation process. It’s no longer necessary to put in a ticket and wait for the next available IT person to address an issue that may or may not plug a vulnerability.
On the detection side, one of the best ways to reduce mean time to detect is to correlate all the data sets from security technologies throughout the environment, apply behavioral analysis to that correlated data, and then drive high-fidelity alerts. This can only be done if you are able to integrate that technology stack so that endpoint technology can reach out to firewall technology and domain name system (DNS) technology.
Correlating data from all the different security technologies is the only way to build a complete picture of event activity in an IT environment, but doing that manually is a time-consuming process that’s ultimately impossible. Organizations need to prioritize configuration of open application programming interfaces (APIs) so they can begin orchestrating and automating the tools in their stack to communicate with each other and correlate their event data.
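The two paragraphs above describe the outcome (endpoint, DNS and firewall data joined into one picture, a behavioral rule applied, a high-fidelity alert that can trigger remediation) without showing what the join looks like. The following is an added example, not code from the excerpt or from Carbon Black: it correlates constructed log lines from the three sources over a short time window and raises an alert only when all three corroborate each other. The log field layouts, host names, IP addresses (from documentation ranges), the `OFFICE_APPS` / `SCRIPT_HOSTS` lists and the `isolate_host` remediation label are all assumptions made for the example.

```python
"""Hypothetical correlation of endpoint, DNS and firewall events into one
high-fidelity alert.  Added example; the log formats below are invented."""
from datetime import datetime, timedelta

# Constructed sample log lines, one key=value layout per source.
ENDPOINT_LOG = [
    "2024-03-01T10:00:05Z host=ws-17 user=jdoe event=process_start image=winword.exe pid=4100 ppid=900",
    "2024-03-01T10:00:09Z host=ws-17 user=jdoe event=process_start image=powershell.exe pid=4188 ppid=4100",
    "2024-03-01T10:05:00Z host=ws-22 user=asmith event=process_start image=outlook.exe pid=2200 ppid=800",
]
DNS_LOG = [
    "2024-03-01T10:00:11Z client=ws-17 query=updates.example-cdn.test answer=203.0.113.10",
    "2024-03-01T10:05:02Z client=ws-22 query=mail.example.test answer=198.51.100.7",
]
FIREWALL_LOG = [
    "2024-03-01T10:00:13Z src=ws-17 dst=203.0.113.10 dport=443 action=allow bytes_out=58210",
    "2024-03-01T10:05:03Z src=ws-22 dst=198.51.100.7 dport=443 action=allow bytes_out=1200",
]

# Assumed process categories for the behavioral rule (not a vendor list).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def parse_kv(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def suspicious_children(endpoint_events):
    """Endpoint-only signal: an Office process spawning a script interpreter.
    On its own this is a lead worth triage, not yet a high-fidelity alert."""
    images = {}  # (host, pid) -> image name, built from process_start events
    hits = []
    for ev in endpoint_events:
        if ev.get("event") != "process_start":
            continue
        images[(ev["host"], ev["pid"])] = ev["image"]
        parent = images.get((ev["host"], ev["ppid"]))
        if parent in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
            hits.append(dict(ev, parent_image=parent))
    return hits


def correlate(endpoint_log, dns_log, firewall_log, window_seconds=60):
    """Join the endpoint lead with a DNS lookup from the same host and an
    allowed outbound connection to the resolved address, each within
    `window_seconds` of the previous step.  Only a fully corroborated chain
    becomes an alert, and that alert carries the remediation to trigger."""
    endpoint = [parse_kv(line) for line in endpoint_log]
    dns = [parse_kv(line) for line in dns_log]
    fw = [parse_kv(line) for line in firewall_log]
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ep in suspicious_children(endpoint):
        host = ep["host"]
        for d in dns:
            if d["client"] != host or not (ep["ts"] <= d["ts"] <= ep["ts"] + window):
                continue
            for f in fw:
                if (f["src"] == host and f["dst"] == d["answer"]
                        and f["action"] == "allow"
                        and d["ts"] <= f["ts"] <= d["ts"] + window):
                    alerts.append({
                        "host": host,
                        "user": ep["user"],
                        "chain": f"{ep['parent_image']} -> {ep['image']}",
                        "domain": d["query"],
                        "dst": f["dst"],
                        "bytes_out": int(f["bytes_out"]),
                        "action": "isolate_host",  # hypothetical remediation hook
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ENDPOINT_LOG, DNS_LOG, FIREWALL_LOG):
        print(alert)
```

Run stand-alone, the script prints one alert for `ws-17` (Office application spawning PowerShell, a DNS lookup two seconds later, then an allowed outbound connection to the resolved address) and nothing for `ws-22`, whose Outlook process never spawned anything. Removing the firewall line for `ws-17` drops the alert entirely: the endpoint lead still exists, but without corroboration it stays a triage item rather than an automated isolation, which is the difference between a noisy rule and a high-fidelity one.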
This is an excerpt from 7 Experts on Optimizing Your Security Stack. This series was generously sponsored by Carbon Black.