The Bolt-on Challenge: Closing Security Gaps Through an Integrated Security Architecture

By Ivan Wen, Country Manager Sourcefire Malaysia

As our IT environments have expanded to include networks, endpoints, mobile devices and virtual assets so have our security tools. Most organizations have ended up with a set of disparate technologies across these control points that were never designed to work together. The result: breaches happen. It’s a fact of life. As our protection methods improve and security effectiveness levels reach new heights, the bad guys are digging deeper and using advanced techniques and new attack vectors to circumvent existing protection methods. The integration done to date, if any, is typically one way – the visibility and analysis isn’t automatically correlated and translated into action so that we can contain and stop damage and prevent future attacks. And the data gathered is usually a snapshot in time, not continuously updated to monitor activity as it unfolds.

Ivan Wen, Country Manager, Sourcefire Malaysia

To complement integrated visibility and analysis we need integrated and automated controls and intelligence. And we can’t just focus on point in time data; we must remain continuously vigilant to combat today’s more sophisticated attack techniques. What happens in the case of malware that disguises itself as safe to evade detection and exhibits malicious behavior later? Or when indicators of compromise are imperceptible on their own and only point to an attack when distinct data points are correlated – such as an endpoint trying to access a database that it wouldn’t normally, while a system on the network attempts to communicate back to a known bad (blacklisted) IP address? Integration must address the full attack continuum, not just before an attack but also during and after, so that we can adapt our defenses and take action to protect our assets.

What’s needed is a tightly integrated enterprise security architecture. A 2012 survey by market research firm Enterprise Strategy Group found that 44% of enterprise security professionals believe that over the next 24 months their organizations are likely to design and build a more integrated enterprise security architecture to improve security controls with central policy management, monitoring and distributed policy enforcement.

An enterprise security architecture can provide continuous security – before, during, and after an attack. With security infrastructure based on the concept of awareness and using a foundation of visibility, we can aggregate data and events across the extended network. This evolves security from an exercise at a point in time to one of continual analysis and decision-making. With this real-time insight we can employ intelligent automation to enforce security policies across control points without manual intervention, even after a breach has occurred.

After an attack we need to mitigate the impact and prevent future similar attacks. With an infrastructure that can continuously gather and analyze data to create security intelligence we can, through automation, identify and correlate indicators of compromise, detect malware that is sophisticated enough to alter its behavior to avoid detection and then remediate. Compromises that would have gone undetected for weeks or months can be identified, scoped, contained and cleaned up rapidly. We can also move forward with more effective security by automatically updating protections and implementing integrated rules on the perimeter security gateway, within security appliances protecting internal networks, on endpoints and on mobile devices to detect and block the same attack.

As we look to the future, we know that our IT environments will continue to expand, spawning new attack vectors we have yet to imagine. An integrated security architecture provides a dynamic foundation so that security measures can remain continually effective and relevant in a changing world.

Attackers don’t discriminate. They’ll use every weapon at their disposal to accomplish their mission. As defenders we need to as well. With a powerful enterprise security architecture based on awareness and continuous capabilities we can close security gaps across the ever-extending network – before, during and after an attack.