Modern Security Interoperability for the Atomized Network

By Dan Ramasvami
Vice President Field Engineering

Our approach to securing the atomized network is simpler, more efficient and more durable than conventional methods, so it should come as no surprise that we are taking a similar approach to integration across the security stack itself, which is becoming increasingly complex, disparate and therefore inefficient. Organizations layer multiple tools in the hope of assembling a comprehensive feature set to secure their network, but many of those tools don’t work together, even when they come from the same vendor. As the network becomes more dispersed, the security stack becomes more fragmented, and threat actors take advantage of that complexity to execute damaging attacks.

It’s all about results
Security operations teams are inevitably results-oriented, and their results depend on the output of tools scattered throughout the security stack. Not long ago, most of the tools in that stack had closed APIs and little appetite for interoperability. So it’s refreshing to see more partner programs focus on interoperability, because that is ultimately how security infrastructure improves. But interoperability has to be the starting point, not the finish line, which is why we took a different approach and prioritized results when designing our onboarding strategy.

Conceptually, our approach is simple: an API-driven, bi-directional conduit that enables fast and accurate alerting and remediation. As input, it ingests the datasets a customer chooses for threat intelligence, enrichment and operational context; in short, every relevant source of truth is applied to the event. As output, it sends context-rich signals to the customer’s existing operational infrastructure, integrating with their SIEM and SOAR, and also with point technologies such as EDR and network infrastructure so that the integration can act as an emergency power off (EPO) switch. When we detect a “nuclear-grade” security event with high confidence, it can be stopped or contained immediately and automatically.

Boldness breeds boldness
As threat actors grow bolder, security teams must act boldly too, and we are advancing our detection and enrichment capabilities so they can. Our integration supports a two-tier remediation approach. Organizations can follow the typical human-in-the-loop investigation process for comprehensive event analysis, using data from across their atomized network that has been normalized, aggregated and enriched with business context and threat intelligence. Because analysts receive far more corroborating evidence, they can be far more confident in their decisions, and decision time shrinks dramatically.

But nuclear-level events do happen, and we must keep the results in mind even when there is no human in the loop. The reaction time of a person who has to stop something immediately, assuming they are even available at that precise moment, cannot compare to the reaction time of a machine. When an organization can know for certain that a nuclear event is under way and can rely on a machine to do the right thing now, it needs the bold option that EPO provides.

When would the EPO option come into effect? Here is one scenario.

Under normal circumstances, a printer should only have short conversations with the internal network or VPN address space. If it opens an outbound connection to a country of concern and sends a large volume of traffic over any port, something is likely wrong with that printer, and it could be the first indicator of a much larger compromise. Whether the EPO action is to quarantine the device or close the connection is determined by how much dedicated intelligence is available to support the decision criteria and convict with accuracy. When that threshold is reached, the machine is triggered to take corrective action. A human also receives an alert and can always undo the action, but the organization knows a human does not need to be involved, because the integration fired on sufficient evidence. In this example, they can be confident that cutting off the printer’s connectivity to anything outside the network won’t disrupt business, and resolution time drops dramatically.
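The printer scenario above, and the input/output conduit described earlier, come down to one decision rule: apply every available source of truth to the event, score how much independent evidence corroborates it, and let the machine act only when the evidence clears a threshold, while still alerting a human who can undo the action. The following is an added illustration of that rule in Python; it is not the vendor’s code, and the asset inventory, geo lookup, IOC feed, flow records, weights and thresholds are all constructed assumptions. It also generalizes slightly beyond the printer: any asset with no approved egress is treated the same way.

```python
# Added example (not the vendor's code): evidence-weighted conviction for the
# printer-calling-home scenario. All inventory, intel and flow data below is
# constructed; weights and thresholds are illustrative assumptions.
import ipaddress
from dataclasses import dataclass, field

# Internal address space, including the VPN pool (assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Context sources the conduit ingests (constructed). A real deployment would
# pull these from the CMDB, a geo-IP database and threat-intel feeds.
ASSET_INVENTORY = {
    "10.20.1.45": {"type": "printer", "egress_allowed": False},
    "10.20.1.10": {"type": "workstation", "egress_allowed": True},
}
GEO_OF_IP = {"203.0.113.7": "XX", "198.51.100.22": "US"}   # TEST-NET addresses
COUNTRIES_OF_CONCERN = {"XX"}
THREAT_INTEL_IOCS = {"203.0.113.7"}
VOLUME_BASELINE_BYTES = 100_000_000   # per-flow egress baseline (assumed)

# Decision thresholds (assumed): EPO fires only when enough *independent*
# sources corroborate the event; anything weaker goes to a human for review.
EPO_SCORE, EPO_MIN_SOURCES, REVIEW_SCORE = 80, 3, 40


@dataclass
class Verdict:
    src: str
    score: int = 0
    evidence: list = field(default_factory=list)   # (source, weight, detail)
    action: str = "none"                            # none | review | epo


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich_and_score(flow):
    """Apply every source of truth to one flow record and return a Verdict."""
    v = Verdict(src=flow["src"])
    if is_internal(flow["dst"]):
        return v                                      # internal chatter is normal
    asset = ASSET_INVENTORY.get(flow["src"], {"type": "unknown", "egress_allowed": True})
    v.evidence.append(("network", 20, f"external destination {flow['dst']}"))
    if GEO_OF_IP.get(flow["dst"]) in COUNTRIES_OF_CONCERN:
        v.evidence.append(("geo", 30, f"destination in {GEO_OF_IP[flow['dst']]}"))
    if not asset["egress_allowed"]:
        v.evidence.append(("asset", 25, f"{asset['type']} has no approved egress"))
    if flow["bytes"] > VOLUME_BASELINE_BYTES:
        v.evidence.append(("volume", 15, f"{flow['bytes']} bytes exceeds baseline"))
    if flow["dst"] in THREAT_INTEL_IOCS:
        v.evidence.append(("intel", 20, "destination matches IOC feed"))
    v.score = sum(w for _, w, _ in v.evidence)
    sources = {s for s, _, _ in v.evidence}
    if v.score >= EPO_SCORE and len(sources) >= EPO_MIN_SOURCES:
        v.action = "epo"
    elif v.score >= REVIEW_SCORE:
        v.action = "review"
    return v


class Conduit:
    """Outbound side of the conduit: emits context-rich signals to the SIEM/SOAR
    and, for EPO verdicts, quarantines the source through a hypothetical
    EDR/network-control client. Automatic actions are recorded so a human
    can undo them."""

    def __init__(self):
        self.signals, self.quarantined = [], set()

    def dispatch(self, verdict):
        signal = {"src": verdict.src, "score": verdict.score,
                  "action": verdict.action, "evidence": verdict.evidence}
        if verdict.action != "none":
            self.signals.append(signal)               # SIEM/SOAR always sees it
        if verdict.action == "epo":
            self.quarantined.add(verdict.src)         # machine acts immediately
        return signal

    def undo(self, src):
        self.quarantined.discard(src)                 # human override


def run(flows, conduit=None):
    conduit = conduit or Conduit()
    return [conduit.dispatch(enrich_and_score(f)) for f in flows], conduit


# Constructed flow records: printer -> country of concern, workstation -> a
# normal external site, printer -> internal print server.
SAMPLE_FLOWS = [
    {"src": "10.20.1.45", "dst": "203.0.113.7", "dport": 8443, "bytes": 850_000_000},
    {"src": "10.20.1.10", "dst": "198.51.100.22", "dport": 443, "bytes": 2_000_000},
    {"src": "10.20.1.45", "dst": "10.20.5.3", "dport": 9100, "bytes": 30_000},
]

if __name__ == "__main__":
    signals, conduit = run(SAMPLE_FLOWS)
    for s in signals:
        print(s["src"], s["action"], s["score"])
    print("quarantined:", conduit.quarantined)
```

The point of the `EPO_MIN_SOURCES` check is that a high score from a single noisy source (a bad geo-IP entry, say) should never trigger the machine; the printer is convicted because network, geo, asset, volume and intel evidence all agree. The workstation reaching a normal external site scores too low even for human review, and the printer talking to its internal print server produces no signal at all.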

When security interoperability is designed around outcomes, organizations get an integration strategy that spans the full spectrum from detection to remediation, with or without human intervention, and does so with precision and speed. It’s a simpler, more efficient and more sustainable way to get the most out of your security stack and your people, even in today’s atomized network.

Kevin M. Risinger