The cybersecurity strategies followed by many organisations tend to be rather piecemeal affairs. Multiple products are deployed to tackle different threats with little thought given to creating a cohesive whole.
Such an approach is concerning for a number of reasons. It makes effective management difficult to achieve because IT teams need to monitor and manage many different moving parts. It can also result in unintended gaps in protection waiting to be exploited by cybercriminals.
When all the tools and solutions that have been put in place are considered, it becomes clear that each falls into one of three categories: identity, privilege, and asset.
As the name implies, ‘identity’ tools and solutions protect user identities, accounts, and credentials from inappropriate access and use. ‘Privilege’ tools take care of the rights, privileges, and access control for an identity or account. Meanwhile ‘asset’ tools look after the protection of a resource used by an identity, directly, or as a service.
The Role of a SIEM Platform
Some solutions may be supersets of all three pillars, and their goal is to unify the information from each in the form of analytics. This is often achieved through the deployment of a Security Incident and Event Management (SIEM) platform.
SIEMs are designed to extract security data from tools in each pillar and correlate it to allow for advanced threat detection and adaptive response. The correlation relies on traits, such as the identity and the asset involved, that are common to the data produced by all three pillars.
A user or identity accessing an asset with privileges is a simple way of looking at how the pillars support the entire cybersecurity foundation of an organisation. Viewing events this way shows a security team what is happening across their environment and whether a suspicious incident warrants investigation.
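The following is an added illustration, not code from the original article or from any SIEM product, of what that cross-pillar correlation looks like in practice. It joins three constructed event streams (identity logins, privilege grants, asset reads) on the traits they share, the user and the asset, and flags a read of a sensitive asset that lacks an authenticated session or an active privilege grant. The event formats, asset names, the 8-hour session window and the grant time-to-live are all assumptions made for the example.

```python
"""Toy SIEM-style correlation across the identity, privilege and asset pillars.

Each pillar emits its own event stream. Looked at alone, the asset log shows
four reads that are indistinguishable; only by joining on the shared traits
(user and asset) does it become clear which reads are suspicious.
"""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not real logs).
IDENTITY_EVENTS = [  # identity pillar: successful authentications
    {"ts": "2024-05-01T08:58:00", "user": "alice", "event": "login_ok", "src": "10.0.1.20"},
    {"ts": "2024-05-01T09:10:00", "user": "bob", "event": "login_ok", "src": "10.0.1.31"},
]
PRIVILEGE_EVENTS = [  # privilege pillar: time-limited grants to an asset
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "grant", "asset": "hr-db", "ttl_min": 60},
]
ASSET_EVENTS = [  # asset pillar: data-access records
    {"ts": "2024-05-01T09:05:00", "user": "alice", "asset": "hr-db", "action": "read"},
    {"ts": "2024-05-01T09:12:00", "user": "bob", "asset": "hr-db", "action": "read"},
    {"ts": "2024-05-01T10:30:00", "user": "alice", "asset": "hr-db", "action": "read"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "asset": "hr-db", "action": "read"},
]

SENSITIVE_ASSETS = {"hr-db"}          # assumed list of assets worth alerting on
SESSION_WINDOW = timedelta(hours=8)   # assumed maximum age of a login that still "covers" an access


def _t(stamp):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(stamp)


def has_session(user, at, identity_events):
    """True if the identity pillar saw this user log in within SESSION_WINDOW before `at`."""
    return any(
        e["user"] == user
        and e["event"] == "login_ok"
        and at - SESSION_WINDOW <= _t(e["ts"]) <= at
        for e in identity_events
    )


def active_grant(user, asset, at, privilege_events):
    """True if the privilege pillar recorded a grant covering `at` for this user/asset."""
    for g in privilege_events:
        if g["user"] == user and g["asset"] == asset and g["event"] == "grant":
            start = _t(g["ts"])
            if start <= at <= start + timedelta(minutes=g["ttl_min"]):
                return True
    return False


def correlate(identity_events, privilege_events, asset_events):
    """Join the three streams and return one finding per suspicious sensitive-asset access.

    A finding lists every pillar whose evidence is missing, so an analyst can
    see at a glance whether the gap is in authentication, authorisation or both.
    """
    findings = []
    for a in asset_events:
        if a["asset"] not in SENSITIVE_ASSETS:
            continue
        at = _t(a["ts"])
        reasons = []
        if not has_session(a["user"], at, identity_events):
            reasons.append("no authenticated session")
        if not active_grant(a["user"], a["asset"], at, privilege_events):
            reasons.append("no active privilege grant")
        if reasons:
            findings.append({"user": a["user"], "asset": a["asset"], "ts": a["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(IDENTITY_EVENTS, PRIVILEGE_EVENTS, ASSET_EVENTS):
        print(f"{f['ts']} {f['user']} -> {f['asset']}: {', '.join(f['reasons'])}")
```

Run as-is, the script reports three of the four reads: bob has a session but no grant, alice's second read falls after her one-hour grant expired, and carol has neither a session nor a grant. The asset log alone would have shown four identical reads, which is the silo problem the article describes.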
For most organisations, the integration of these three pillars is an important part of ensuring strong security is in place. If chosen security solutions do not share information, or only operate in their own silo, the resulting protection capabilities will be limited in their scope.
For example, if an advanced threat protection solution or anti-virus tool is unable to share asset information, or report on the context of an identity, it’s akin to driving with your eyes closed. The security team may never be aware that an identity is inappropriately accessing sensitive data. This is exactly how cybercriminals are breaching IT infrastructures every day.
Evaluating New Tools and Platforms
When an organisation’s IT team is evaluating new security solutions, it’s important to consider which of the three pillars they occupy and how they can support the other tools and platforms that have already been deployed.
If the new solutions have to operate in a silo, the IT team needs to understand why and what the solution’s relevance will be in the future. The decision on whether or not to deploy can then be made with confidence.
There are a range of tools that do operate in silos. An example could be an Internet of Things (IoT) device such as an electronic door lock that provides physical protection for assets based on a static identity that cannot share access logs or integrate with current identity solutions.
Another example might be a standalone application control solution that provides no central reporting on which applications are being run and where, which versions they are, and which may be considered a threat. The IT team has no way of knowing whether it is operating correctly, whether there is a problem, or whether it is actually doing a good job of blocking malicious applications, scripts and malware.
On the flip side, it may be advantageous to combine projects when managing Essential Eight controls such as administrative privileges, application hardening and the aforementioned application control. Rolling out multiple controls at the same time through the same solution makes reporting and visibility a less complicated proposition.
Keep The Future In Mind
When planning changes to an existing security infrastructure, it’s important for an organisation to have a clear perspective of what will be required in the future. If a new vendor is chosen that does not operate in each of the three pillars, has no integration strategy, or offers only point solutions, be aware that this could significantly increase the organisation’s risk.
The IT security challenges faced by organisations are going to continue to rise in coming years. Through careful evaluation of new tools and platforms, and by keeping the three pillars in mind, the protective measures that will be required can be identified and deployed in the most effective way.