The foundation of cyber security defense has been clouded by point solutions, false promises, and bolt on solutions that extend the value of a given technology, based on a need. After all, if we count how many security solutions we have implemented from anti-virus to firewalls, you find dozens of vendors and solutions throughout an organization. The average user or executive is not even aware of most of them even though they may interact with them daily from VPN clients to multi-factor authentication.
If we step back and try to group all of these solutions at a macro level, we will find each one falls into one of three logical groups. These form the pillars for our cyber security defenses, regardless of their effectiveness:
- Identity – The protection of a user’s identity, account, and credentials from inappropriate access
- Privilege – The protection of the rights, privileges, and access control for an identity or account
- Asset – The protection of a resource used by an identity, directly or as a service
While some solutions may be supersets of all three pillars, their goal is to unify the information from each in the form of correlation or analytics. For example, consider a Security Information Enterprise Manager (SIEM). It is designed to take security data from solutions that reside in each pillar and correlate them together for advanced threat detection and adaptive response. Correlation can come from any of the pillars that have traits that exist in each of the pillars. Time and date parameters are typically the foundation, and an identity accessing an asset with privileges is a simplistic way of looking at how the pillars support the entire cyber security foundation of your company. This answers, “What is inappropriately happening across my environment that I should be concerned about?” A good security solution should represent all three pillars.
For most vendors and businesses, the integration of these three pillars is very important. If security solutions are isolated, do not share information, or only operate in their own silo (one or two pillars), there protection capabilities are limited in scope. For example, if an advanced threat protection solution or anti-virus technology cannot share asset information, or report on the context of the identity, then it is like riding a unicycle. If pushed too hard, an environment could lose its balance and fall over. If that analogy does not resonate with you, imagine not tracking privileged access to sensitive assets. You would never know if an identity is inappropriately accessing sensitive data. That is how threat actors are breaching environments every week.
When you look at new security solutions, ask yourself what pillar they occupy and how they can support the other pillars you trust and rely on every day. If they must operate in a silo, make sure you understand why and what their relevance will be in the future. To this point, what is an example of a security solution that operates only in a silo? Answer—One that does not support integrations, log forwarding, has concepts of assets (even it if it just IP based) or even basic role access. Sounds like an Internet of Things (IoT) device. An IoT door lock that provides physical protection for assets based on a static identity that cannot share access logs or integrate with current identity solutions is a bad choice for any organization. A standalone anti-virus solution that has no central reporting on status, signature updates, or faults is another. There is no way of knowing if it is operating correctly, if there is a problem, or even if it is doing an exceptionally good job blocking malware. Why would you essentially pick a consumer grade anti-virus solution for your enterprise? Unfortunately, this happens all the time and we end up with the bolt on approach to solve the problem.
As we stabilize our cyber security best practice, and focus on basic cyber security hygiene, consider the longer-term goals of your business. If you choose a vendor that does not operate in these three pillars, has no integration strategy, or is an odd point solution, be aware of the risks. Everything we choose as a security solution should fall into these pillars; if they do not, then ask a lot of questions. For example, why would you choose a camera system without centralized management capabilities? It falls into the asset protection pillar, can monitor physical access by an identity, but without centralized capabilities and management, it is a standalone pole not supporting your foundation. It needs to support all three pillars to be an effective security solution and ultimately provide good information for correlation, analytics, and adaptive response.
In conclusion, some may argue there could four or even five pillars for a sound cyber security defense. They could be education, partners, etc. to support your foundation. I prefer to think of all tools and solutions in these three categories. Why? A three-legged stool never wobbles!
Author: Morey Haber, Vice President, Technology at BeyondTrust