Modern security interoperability for the Atomized Network
By Dan Ramaswami
VP Field Engineering
Our approach to securing the Atomized Network is simpler, more effective, and more sustainable than conventional methods. So, it shouldn’t surprise you to learn that we are taking a similar approach to tackle integration throughout the security stack itself, which is becoming increasingly complex and disparate and, as a result, ineffective. Organizations are layering multiple tools with the hope of arriving at a comprehensive set of capabilities to secure their network, but many of their security technologies don’t interoperate, even if they come from the same vendor. As their network becomes more dispersed, their security stack becomes more disparate and threat actors take advantage of the complexity to execute damaging attacks.
It’s all about outcomes
Security operations teams are, inevitably, judged on outcomes, and those outcomes depend on results produced by tools scattered across the security stack. Not so long ago, most of the tools available for that stack had closed APIs and little appetite for interoperability, so it is refreshing to see more partner programs focus on interoperability, because that is ultimately how security infrastructure gets better. But interoperability has to be the starting point, not the eventual destination, which is why we decided to take a different approach from the outset and prioritize outcomes as we designed our integration strategy.
Conceptually, our approach is straightforward: an API-driven, bi-directional conduit that enables fast and precise alerting and remediation. Inbound, we ingest the specific data sets the customer chooses for intelligence, enrichment, and operational context; in short, whatever sources of truth need to be applied to the event context. Outbound, we send the context-rich signals to the customer’s existing operational infrastructure, integrating with tools such as their SIEM and SOAR, but also with point technologies such as EDR and network infrastructure, to provide a sort of emergency power off (EPO) switch. That way, when we detect a “nuclear-level” security event with precision, it can be stopped or remediated immediately and automatically.
Bold begets bold
As threat actors become increasingly bold, security teams have to make bold moves too, and we are advancing detection and enrichment capabilities so that they can. Our integration supports a two-tiered remediation approach. Enterprises can follow the typical human-in-the-loop investigation process for full event analysis, using data from across their Atomized Network that has been normalized, aggregated, and enriched with business and threat intelligence. Because analysts receive substantially more corroborating evidence, they can be far more confident in their decisions, and time-to-decision shrinks dramatically.
But nuclear-level events do happen, and the outcome still matters when a human is not in the loop. The reaction time of a person who has to shut something down immediately, assuming they are even available at that moment, cannot compare to the response time of a machine. When an organization can know with certainty that a nuclear-level event is happening, and can rely on a machine to do the right thing right now, it needs that bold EPO option.
When would the EPO option kick in? Here’s just one scenario.
Under normal circumstances, a printer should have short conversations with the internal network or the VPN address space. If it opens an outbound connection to a country of concern and sends a large volume of traffic, on any port, something is probably wrong with that printer, and it could be the first indicator of a much larger compromise. The EPO action, whether to quarantine or to shut down, is determined by the amount of dedicated intelligence available to support the decision criteria and convict with precision. When that threshold is met, the machine takes corrective action. A human also receives an alert and can always undo the action, but the organization knows that a human does not need to be involved, because the integration was built on sufficient evidence. In this example, they can be confident that cutting the printer’s connectivity to the outside world will not disrupt the business, and time to resolution is dramatically reduced.
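As an added example (not code from the page or from its author), here is how the printer scenario above, together with the inbound/outbound conduit described earlier, might be expressed as decision logic: inbound context (asset role, GeoIP, threat intelligence) is applied to flow records aggregated per source and destination across all ports, corroborating signals are counted against a threshold, and only when the threshold is met does the outbound side quarantine the device automatically; below the threshold it raises an alert for a human. The asset inventory, country list, volume threshold, signal threshold and flow records are all constructed assumptions, and the quarantine controller stands in for a real EDR or network-infrastructure API.

```python
"""Hypothetical EPO decision logic for the printer scenario (added example,
not the page's or the vendor's own code). All context data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Inbound context. In a real deployment these come from the enrichment sources
# the customer chooses (asset inventory, GeoIP, threat intel); here they are
# made up so the example runs offline.
ASSET_ROLE = {"10.20.5.40": "printer", "10.20.7.12": "workstation"}
EXPECTED_PEERS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.200.0/24")]  # internal + VPN space
GEO = {"203.0.113.9": "XX", "203.0.113.10": "XX", "198.51.100.7": "US"}  # TEST-NET IPs, fictitious "XX"
COUNTRIES_OF_CONCERN = {"XX"}
KNOWN_BAD_IPS = {"203.0.113.9"}
LARGE_VOLUME_BYTES = 50 * 1024 * 1024   # 50 MiB per window; tune per environment (assumption)
EPO_THRESHOLD = 3                        # corroborating signals needed to act without a human (assumption)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass
class Verdict:
    src: str
    dst: str
    evidence: list = field(default_factory=list)

    @property
    def action(self) -> str:
        # Two tiers: enough evidence -> automatic EPO, otherwise human-in-the-loop alert.
        return "quarantine" if len(self.evidence) >= EPO_THRESHOLD else "alert"


def is_expected_peer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_PEERS)


def evaluate(flows: list[Flow]) -> list[Verdict]:
    """Aggregate bytes per (src, dst) across all ports and collect corroborating signals."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.bytes_out
    verdicts = []
    for (src, dst), nbytes in totals.items():
        if ASSET_ROLE.get(src) != "printer" or is_expected_peer(dst):
            continue  # only printers leaving the internal/VPN space are in scope here
        v = Verdict(src, dst, ["printer_outbound_outside_expected_space"])
        if GEO.get(dst) in COUNTRIES_OF_CONCERN:
            v.evidence.append("destination_in_country_of_concern")
        if nbytes >= LARGE_VOLUME_BYTES:
            v.evidence.append(f"large_volume:{nbytes}")
        if dst in KNOWN_BAD_IPS:
            v.evidence.append("threat_intel_hit")
        verdicts.append(v)
    return verdicts


class EpoController:
    """Simulated outbound side: an alert record for the SIEM, plus an EDR/network
    quarantine that is recorded so the human who receives the alert can undo it."""

    def __init__(self):
        self.alerts, self.quarantined = [], {}

    def apply(self, v: Verdict) -> str:
        self.alerts.append({"src": v.src, "dst": v.dst, "action": v.action, "evidence": v.evidence})
        if v.action == "quarantine" and v.src not in self.quarantined:
            self.quarantined[v.src] = list(v.evidence)   # stand-in for the EDR/switch API call
        return v.action

    def undo(self, src: str) -> bool:
        return self.quarantined.pop(src, None) is not None


def run(flows: list[Flow]) -> EpoController:
    ctl = EpoController()
    for v in evaluate(flows):
        ctl.apply(v)
    return ctl


# Constructed flow records: the printer pushes ~120 MiB to a country of concern
# across two ports, plus one small connection to a benign external host.
SAMPLE_FLOWS = [
    Flow("10.20.5.40", "203.0.113.9", 443, 60 * 1024 * 1024),
    Flow("10.20.5.40", "203.0.113.9", 8443, 60 * 1024 * 1024),
    Flow("10.20.5.40", "198.51.100.7", 443, 4096),
    Flow("10.20.7.12", "203.0.113.9", 443, 200 * 1024 * 1024),  # workstation: out of scope here
    Flow("10.20.5.40", "10.20.1.5", 9100, 30000),                # normal internal print job
]

if __name__ == "__main__":
    ctl = run(SAMPLE_FLOWS)
    for a in ctl.alerts:
        print(a)
    print("quarantined:", sorted(ctl.quarantined))
```

The point of the threshold is the second tier: a printer that merely touches a country of concern with a few kilobytes produces an alert for an analyst, while the same printer pushing a large volume to a known-bad host in that country clears the bar and is cut off without waiting for one, with the evidence list attached to both the alert and the quarantine record so the action can be reviewed and reversed.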
When security interoperability is designed around outcomes, enterprises get an integration strategy that spans the full gamut from detection to remediation, with humans in the loop or not, with precision and speed. It is a simpler, more effective, and more sustainable way to get the most from your security stack and your people, even in today’s Atomized Network.