Drowning in Data, Security Execs Urge Move to Security Ecosystem

New focus being put on ways to elevate the role of network defenders from threat detectors to threat profilers

The concept of a security ecosystem is more than just marketing talk. It’s a recognition that any given cyber solution needs to be understood in terms of how it fits into the larger constellation of products and services that are required to protect today’s distributed IT environments.

But how exactly does that ecosystem come together?

That was the focus of a recent panel discussion, hosted by Splunk, that brought together senior executives from a handful of cyber organizations—CrowdStrike, Johns Hopkins Applied Physics Lab (APL), Recorded Future, Splunk and myself.

We looked at the problem from the perspective of the security operations center (SOC), the “epicenter of cyber security,” in the words of our moderator, Haiyan Song, Senior Vice President of Security Markets at Splunk.

As Haiyan noted, studies have found that organizations typically have dozens of different security products—in some cases 70 or more—each of which generates data for cyber analysts. In theory, analysts should be able to leverage all that data to understand what’s happening on their networks.

Often, though, these products work not as an ecosystem but as a disparate array of point solutions, and analysts can find themselves overwhelmed to the point that they can no longer tell what is important and what is not. Harley Parkes, a Senior Systems Engineer at Johns Hopkins APL, called it the “fog of war.”

This inundation of data has serious implications for SOCs. The quicker that analysts can sift through the data and identify real threats, the quicker they can respond and limit the damage.

Oliver Friedrichs, the Vice President of Security Automation and Orchestration at Splunk, said that a piece of malware, once introduced into a network, typically takes an hour and fifty-eight minutes before it breaks out and begins spreading. If analysts are still struggling to make sense of the data when that window closes, they will have even more trouble on their hands.

The good news is that we are beginning to see how a security ecosystem might come together. One critical component of that ecosystem is the emergence of standard application programming interfaces, or APIs, which allow different security solutions to exchange information. As agencies modernize their systems over time, standard APIs, combined with a standard taxonomy, make it easier for them to leverage their legacy systems as part of the new ecosystem.

But while APIs help address the problem of interoperability, they do nothing to help analysts make sense of the associated data. That’s where artificial intelligence (AI) and machine learning come in.

AI and machine learning, incorporated into the ecosystem, make it possible to accelerate threat analysis and response—not replacing analysts, but providing them with deeper insights that lead to quicker, more effective responses. These tools also provide a foundation for greater automation and orchestration, making it easier to scale up cyber defenses.

Even then, however, analysts might find themselves with too much data—more alerts than they could possibly respond to in a timely fashion.

They need contextual information that can help them assess the risks associated with the different threats and adversaries, tapping into external resources to gain deeper insights into the current threat landscape: the ever-shifting lineup of malicious actors, their motivations and techniques, their active campaigns and the risks they pose.

Ultimately, we need to elevate our network defenders from threat detectors to threat profilers. Rather than simply responding to alerts, they should be leveraging AI, machine learning and other analytic tools to identify patterns that could point to the emergence of a potential threat well before it takes hold or breaks out.

You might say that a security ecosystem delivers on three basic goals: visibility, context and control. It provides organizations with deep insight into their environment, with total visibility into the risks they face and constant awareness of their cyber posture across the entire enterprise—and with the ability to adapt that posture as the threats evolve, using AI, machine learning and related tools to bring more intelligent automation and orchestration.

For many organizations, this vision of a security ecosystem might sound daunting. But as our panel discussion made clear, this vision is both necessary and achievable.

About the Author

Aubrey Merchant-Dest

Symantec Federal CTO

Aubrey has over three decades of experience in Network & Cybersecurity Systems Engineering with both Carrier (fixed and mobile) and Enterprise environments.