Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

11:10 AM
Simon Marshall
Simon Marshall
Simon Marshall

The Gift of Simple Security

Alert Logic's Marc Willebeek-Lemair has seen complex security and now thinks that simple solutions are the best for most enterprises.

The need for security is leading some companies to build security schemes based on dozens of different products. The need to manage all of those products is leading some security professionals to re-think long-held ideas on the best strategy for security.

For Alert Logic, founded in 2002, it's a case of somewhat reneging on a bet that Marc Willebeek-Lemair, now CSO, placed a while back on a best-of-breed security system strategy as best practice. In a world where in extreme cases some organizations report deploying as many as 50 separate security solutions, a lot of enterprises are scratching heads about how many they really need to completely secure their businesses. They're still considering the gamut, while Willebeek-Lemair is trying to offer fresh air through a move to cloud and dispensation of point solutions.

Reform is top of the list for Willebeek-Lemair, having been a pioneer and early advocate for best-of-breed security working at Tipping Point, where he was CTO and founder in the early Noughties, and also CTO of 3Com. According to him, "defense-in-depth" is no longer viable. Obviously, many systems are bought each year and integrated, but they are by description designed in a vacuum, leaving the enterprise to join the integration dots that support reporting and prioritization.

"You need look no further than the Target breach or almost any other breach-of-the-week to see this misalignment of risk and security focus exacerbated by the traditional piecemeal best-of-breed approach," he told SecurityNow. "We need experts in the defensive loop and there are not enough of them to go around."

His conceptual approach adapts to where the successful automation of existing systems can be more effectively handled by analyst teams. That belief is rooted in the fact that many enterprises are reaching a crunch. They have so many systems, feeding high-volume and disparate data to the analyst team, that this is in itself an issue; analysts are number crunchers rather than analyzers.

"Converting expert knowledge into automated detection requires control over the content within the various point products and the layer above them (usually a SIEM), where analytics that combine underlying point-product events best capture expert knowledge" said Willebeek-Lemair.

According to Cisco's 2017 Annual Cybersecurity Report, about 55% of companies use at least six security vendors and 65% deploy no less than six cyber defense products. Alert Logic says that there are scenarios were companies have, on average, 17 point-product security solutions in their organizations. There are statistics that exceptionally show large enterprises can have as many as 50 deployed.

Willebeek-Lemair's point is that engaging as many point systems as enterprises now feel necessary to deal with diverse threats has passed the point of being effective versus internal resources to run them effectively. Many systems but too few people. The resultant automation is a common theme with Willebeek-Lemair, and it may resonate well where many developers and their customers are beginning to feel comfortable. Ultimately, he recommends a cloud approach.

"The existing Do-It-Yourself (DIY) model where customers buy a plethora of best-of-breed point-products, plug them into a SIEM and hire a team of experts in the SOC simply isn't working. The gap between the theory and practice of this approach is too large," he said.

Conversely, using the cloud instead of traditional point products is an alternative approach that might enable security teams to get to the crux faster, especially as threats or vectors multiply. There's no dispute that a conclusion that large enterprises need 50+ systems to be secure is incorrect or at least unworkable. The better replacement for that conclusion is that expert knowledge must be applied to detection systems so that they can be successfully automated.

According to Willebeek-Lemair, CISOs are struggling to find a good path forward. A lot of them realize that frankly the current set-up is not working, but are hamstrung by the amount of time spent on today's integration processes from multiple systems. In his earlier example, Target had a lot of threat information coming in, in fact, but too much.

"Target had security solutions deployed, and they were receiving alerts. They just didn't know which ones to prioritize, and this is symptomatic of the challenges businesses currently face," said Willebeek-Lemair.

Currently the approach is for SIEM systems to collect data from multiple point systems for the SOC, and this seems to be the most common set-up. But it's getting more difficult and expensive, apparently, to use this foundation going forward. The old model existed while the volume and type of threats were relatively small, but expertise was numerically high. It worked well as a model to date, in most cases, but as the threat world gets busier, it is falling apart, and decrepitude ensues.

"Information, employees and risks are much more fluid, moving from one place to the other" said Willebeek-Lemair. Conversely, "As more and more companies go online and get exposed to the cyber threat environment, the model stayed the same. More and more experts were needed, and the attack surface grew in complexity. We just outgrew the old model and it doesn't scale to the higher demand of experts nor does it fit the available budgets."

The new one is a faster and simplified integration, which offers more information-sharing and visibility by removing silos. This information-sharing and visibility are also critical factors in machine learning's successful integration into the security infrastructure. The implication is that the cloud holds answers to both the quantitative and qualitative report-handling as well as the machine learning that increases threat analysis and remediation.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.