Security

3 Approaches to Security Management Integration

Separate security tools can work collectively through an interoperability boost, centralized management or intelligence gathering.

Tanya Candia

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

State and local government IT teams see many positive security management trends. For example, the CISO position is firmly established in all states and many localities, and the importance of security is widely recognized.

Yet problems remain, such as small budgets and a dearth of cyber talent. One of the biggest problems that government agencies face is the proliferation of security tools; a typical data center has dozens of individual tools, generally operating independently. When they detect something suspicious, each tool produces alerts, and security analysts struggle to respond.

Governments require a better way to manage security, and integration is a big part of the answer. Security tools can share their data and work together, reducing complexity and providing security analysts with a holistic view of their environment. Analysts can see what’s truly important and weed out false alarms. Integration can even lead to security automation, where the tools themselves perform many routine tasks and liberate analysts to focus on managing risk and response.

In short, integration holds the promise of maximizing budgets and staff and delivering better protection.

There are two basic ways to achieve security integration. Choose platforms designed to allow tools from different vendors to work together, or leverage security suites from a vendor designed with integration as the goal. Or choose both — they are not mutually exclusive. The steps to achieve integration to improve security are increasing interoperability, centralizing management and collecting threat intelligence.

VIDEO: These are the cybersecurity threats that keep state CISOs up at night.

1. Agencies Can Make Security Solutions Interoperable

Interoperability involves breaking down the barriers between systems and data. Many security solutions — such as endpoint detection and response, and user and entity behavior analytics — exist in silos, collecting and operating on data they alone can see. But a variety of systems can aggregate and correlate their data, often via application programming interfaces.

A number of security incident and event management systems perform integration for network data. Today’s interoperability extends that reach beyond networks to incorporate endpoint and cloud data.

Interoperability results in aggregated data that enables sophisticated correlation, which can lead to automating labor-intensive tasks such as internal diagnostic audits, user activity monitoring, event detection and even remediation.

2. Centralized Management Consoles Correlate Data

Centralized management is often referred to as a “single pane of glass” — a single console that reduces the need for analysts to switch from one screen to another to manually correlate data.

A centralized console displays all relevant data, showing the big picture of threats and the entire attack chain. For example, in the case of a social engineering attack, it can show when it entered, where it went, what it did and what happened. Centralized management (especially via a cloud portal) simplifies administration, accelerates effectiveness and facilitates communication with senior government leaders and elected officials.

One challenge faced by many state and local governments is the use of operational technology and Internet of Things sensors, which can be difficult to manage via a central console.

3. Couple Threat Intelligence with Assessment Tools

A vital tool in any security team’s arsenal is threat intelligence, providing timely information on real-time threats to improve detection and time to mitigation. Recent advances in frameworks for threat data exchange, such as Structured Threat Information Exchange, the open-source tool YARA and Interface for Metadata Access Points, are important tools in malware research and detection. They are expressive, flexible, extensible and, most important, human-readable.

However, threat intelligence can, like alerts, prove to be too much information. To be useful, the intel must be coupled with assessment tools that prioritize vulnerabilities present in mission-critical applications. Done right, threat intelligence feeds can be coupled with information about applications and vulnerabilities to prioritize vulnerability remediation.

Real-World Examples of Security Integration

Security integration that incorporates interoperability, centralized management and threat intelligence is not just a pipe dream. Numerous government security teams have accomplished all three, using platforms designed for integration as well as integrated security suites.

For example, Ada County, Idaho, put a program in place to prevent known and unknown threats from compromising private information. Implementing the Palo Alto Networks Security Operating Platform, the county was able to stop 52 cyberattacks in the first month of deployment. The platform integrates Palo Alto Networks products (next-generation firewalls with threat prevention, URL filtering and endpoint protection) and third-party applications, along with custom programs. The security team’s work has become more streamlined and automated thanks to security integration.

Similarly, Oklahoma can see security events at a variety of different state agencies and understand how they might affect one another. In this case, a suite of products — the Symantec IT Management Suite — provides integrated data and a single interface. Designed for integration and interoperability, the components at work are Symantec Endpoint Protection, Symantec DeepSight Security Intelligence and Symantec Business Critical Support. Thanks to security integration, the state has projected $2.3 million in savings over the first five years of use and hopes to reclaim six person-years of IT staff productivity.

Security integration can pay off big time for state and local governments. With aggregated data, centralized management and tailored use of threat intelligence, the security team’s work can become much more streamlined and automated, saving taxpayer money and improving productivity.

metamorworks/Getty Images