3 Approaches to Security Management Integration
State and local government IT teams see many positive security management trends. For example, the CISO position is firmly established in all states and many localities, and the importance of security is widely recognized.
Yet problems remain, such as small budgets and a dearth of cyber talent. One of the biggest problems that government agencies face is the proliferation of security tools; a typical data center has dozens of individual tools, generally operating independently. When they detect something suspicious, each tool produces alerts, and security analysts struggle to respond.
Governments require a better way to manage security, and integration is a big part of the answer. Security tools can share their data and work together, reducing complexity and providing security analysts with a holistic view of their environment. Analysts can see what’s truly important and weed out false alarms. Integration can even lead to security automation, where the tools themselves perform many routine tasks and liberate analysts to focus on managing risk and response.
In short, integration holds the promise of maximizing budgets and staff and delivering better protection.
There are two basic ways to achieve security integration: choose platforms designed to let tools from different vendors work together, or adopt security suites from a single vendor that built integration in from the start. The two are not mutually exclusive; an agency can do both. The steps toward integration that improves security are increasing interoperability, centralizing management and collecting threat intelligence.
1. Agencies Can Make Security Solutions Interoperable
Interoperability involves breaking down the barriers between systems and data. Many security solutions — such as endpoint detection and response, and user and entity behavior analytics — exist in silos, collecting and operating on data they alone can see. But a variety of systems can aggregate and correlate their data, often via application programming interfaces.
A number of security information and event management (SIEM) systems already perform this kind of integration for network data. Today’s interoperability extends that reach beyond the network to incorporate endpoint and cloud data.
Interoperability results in aggregated data that enables sophisticated correlation, which can lead to automating labor-intensive tasks such as internal diagnostic audits, user activity monitoring, event detection and even remediation.
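The aggregation and correlation step described above, as an added example that is not from the article or any vendor product: alerts from two independent tools (an endpoint detection alert in JSON and a web-proxy log in key=value text) are normalized into one schema and then grouped by host within a short time window, so that a single incident surfaces instead of two unrelated alerts. Tool names, field names and all sample records are constructed for illustration.

```python
"""Added example: normalize events from two security tools into a common
schema and correlate them by host within a time window.
All field names, tool names and sample records below are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one EDR alert exported as JSON.
EDR_ALERT_JSON = json.dumps({
    "ts": "2024-03-01T10:15:02Z",
    "hostname": "ws-fin-07",
    "user": "jdoe",
    "rule": "Office application spawned PowerShell",
    "severity": "medium",
})

# Constructed sample: two proxy log lines in a key=value format.
PROXY_LOG_LINES = [
    "2024-03-01T10:15:40Z host=WS-FIN-07 user=jdoe dest=203.0.113.10 action=allowed category=uncategorized",
    "2024-03-01T11:40:00Z host=WS-HR-02 user=asmith dest=198.51.100.7 action=allowed category=news",
]


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp both tools happen to emit."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(raw_json):
    """Map the EDR's own field names onto the shared schema."""
    d = json.loads(raw_json)
    return {"source": "edr", "time": parse_ts(d["ts"]), "host": d["hostname"].upper(),
            "user": d["user"], "summary": d["rule"]}


def normalize_proxy(line):
    """Map one proxy log line onto the shared schema."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return {"source": "proxy", "time": parse_ts(parts[0]), "host": fields["host"].upper(),
            "user": fields["user"],
            "summary": f"connection to {fields['dest']} ({fields['category']})"}


def correlate(events, window=timedelta(minutes=5)):
    """Group events that share a host and fall within `window` of each other.
    Only groups that combine more than one tool are promoted to incidents;
    single-source groups stay as ordinary alerts."""
    groups = []
    for event in sorted(events, key=lambda e: e["time"]):
        for group in groups:
            if group["host"] == event["host"] and event["time"] - group["last"] <= window:
                group["events"].append(event)
                group["last"] = event["time"]
                group["sources"].add(event["source"])
                break
        else:
            groups.append({"host": event["host"], "first": event["time"],
                           "last": event["time"], "events": [event],
                           "sources": {event["source"]}})
    return [g for g in groups if len(g["sources"]) > 1]


def build_incidents():
    """Run both normalizers over the constructed samples and correlate."""
    events = [normalize_edr(EDR_ALERT_JSON)]
    events += [normalize_proxy(line) for line in PROXY_LOG_LINES]
    return correlate(events)


if __name__ == "__main__":
    for inc in build_incidents():
        print(inc["host"], sorted(inc["sources"]), [e["summary"] for e in inc["events"]])
```

The host-name normalization (`upper()`) is the unglamorous part that makes cross-tool correlation work at all; the two tools spell the same host differently, which is exactly the silo problem the section describes.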
2. Centralized Management Consoles Correlate Data
Centralized management is often referred to as a “single pane of glass” — a single console that reduces the need for analysts to switch from one screen to another to manually correlate data.
A centralized console displays all relevant data, showing the big picture of threats and the entire attack chain. For example, in the case of a social engineering attack, it can show when the attack entered, where it went, what it did and what happened as a result. Centralized management (especially via a cloud portal) simplifies administration, accelerates effectiveness and facilitates communication with senior government leaders and elected officials.
One challenge faced by many state and local governments is the use of operational technology and Internet of Things sensors, which can be difficult to manage via a central console.
3. Couple Threat Intelligence with Assessment Tools
A vital tool in any security team’s arsenal is threat intelligence, which provides timely information on current threats to improve detection and shorten time to mitigation. Recent advances in frameworks for threat data exchange, such as Structured Threat Information Expression (STIX), the open-source tool YARA and Interface for Metadata Access Points (IF-MAP), are important tools in malware research and detection. They are expressive, flexible, extensible and, most important, human-readable.
However, threat intelligence, like alerts, can become too much information. To be useful, the intel must be coupled with assessment tools that identify and prioritize the vulnerabilities present in mission-critical applications. Done right, threat intelligence feeds combined with information about which applications are affected and which vulnerabilities they carry let agencies prioritize vulnerability remediation.
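The prioritization the section calls for, as an added example that is not from the article: scanner findings are joined with an application inventory (which hosts run mission-critical applications) and a threat intelligence feed (which vulnerabilities are reported as exploited), and each finding is scored so that remediation order reflects intel and mission impact rather than raw severity alone. The hosts, application names, CVE-style identifiers (`CVE-0000-000x`), scores and weights are all constructed placeholders, not real data.

```python
"""Added example: rank vulnerabilities for remediation by joining scanner
findings with an application inventory and a threat intelligence feed.
Every identifier, host and number below is a constructed placeholder."""

# Constructed application inventory: which hosts carry mission-critical applications.
INVENTORY = {
    "app-tax-01": {"application": "tax-filing-portal", "mission_critical": True},
    "app-intranet-03": {"application": "staff-intranet", "mission_critical": False},
    "db-benefits-02": {"application": "benefits-db", "mission_critical": True},
}

# Constructed scanner output: (host, vulnerability id, CVSS base score).
FINDINGS = [
    ("app-tax-01", "CVE-0000-0001", 7.5),
    ("app-intranet-03", "CVE-0000-0002", 9.8),
    ("db-benefits-02", "CVE-0000-0003", 6.5),
    ("app-intranet-03", "CVE-0000-0004", 5.0),
]

# Constructed threat intel feed: exploitation status reported per vulnerability id.
INTEL_FEED = {
    "CVE-0000-0001": "active exploitation",
    "CVE-0000-0004": "proof of concept",
}

# Weights are illustrative policy choices, not values from any standard.
EXPLOIT_WEIGHT = {"active exploitation": 2.0, "proof of concept": 1.3}
MISSION_CRITICAL_WEIGHT = 1.5


def priority_score(host, vuln_id, cvss):
    """Base severity, scaled up when intel reports exploitation and when the
    host runs a mission-critical application."""
    exploit_weight = EXPLOIT_WEIGHT.get(INTEL_FEED.get(vuln_id), 1.0)
    critical = INVENTORY.get(host, {}).get("mission_critical", False)
    return round(cvss * exploit_weight * (MISSION_CRITICAL_WEIGHT if critical else 1.0), 2)


def prioritize(findings=FINDINGS):
    """Return findings enriched with inventory and intel, highest priority first."""
    ranked = []
    for host, vuln_id, cvss in findings:
        ranked.append({
            "host": host,
            "application": INVENTORY.get(host, {}).get("application", "unknown"),
            "vuln": vuln_id,
            "cvss": cvss,
            "intel": INTEL_FEED.get(vuln_id, "none"),
            "score": priority_score(host, vuln_id, cvss),
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize():
        print(f"{row['score']:>6}  {row['vuln']}  {row['host']:<16} {row['application']:<20} intel={row['intel']}")
```

Note that the CVSS 9.8 finding on the non-critical intranet host does not land at the top: the lower-scored vulnerability on the tax portal outranks it because intel reports active exploitation and the inventory marks the host mission-critical. That reordering is the whole point of coupling intel with assessment data instead of consuming either alone.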