Security is a team sport: Get used to this
Estimated reading time: 5 minutes
As threats accelerated, businesses needed a real-time view of what’s happening. This necessitated that Securonix, which had helped businesses stay compliant with simple log management, evolve into SIEM, or security incident event management.
From Securonix’s perspective, they realised early on (about a decade ago) that they needed to analyse users’ behaviour, how these users use a system, how their machine actually interacts with other systems in the network, and so on. This became their UEBA, or user and entity behaviour analytics, offering.
Ajay Kumar, Securonix’s Director for APJME, shared, “We are now in the third iteration of what we call the security analytics space, with a platform approach that constantly updates itself to detect and respond to the latest threats.”
Having to stay constantly on the ball in the cybersecurity space, Securonix noticed that when organisations think about cybersecurity, they typically think in terms of identifying, protecting, detecting, and responding.
Ajay said, “What organisations are emphasising is detection and response, and that’s where our AI, real-time analytics platform comes into play.”
Securonix proposes to address the biggest challenge in the detection phase: the many systems involved are disconnected from one another.
Orchestrating incident response with SOAR
Enter the SOAR, or security orchestration, automation, and response.
With SOAR, an analyst looks at an alert, determines if it’s a threat, and immediately executes a playbook, Ajay said.
This triggers a series of actions. For example, if stolen credentials are used to log into a machine, the response would be to immediately flag the incident, alert the analyst in charge, and also go into the directory to disable the user so the stolen credentials can no longer be used to do anything via the system.
In this example, it is very critical for detection and response to work hand-in-hand, and be able to do things together in a real-time manner.
After a threat is detected, quarantining a user whose identity credential is compromised and cordoning off a compromised machine is really what SOAR is about.
Components
Ajay explained the different aspects of SOAR – the playbook, automation, and collaboration.
The playbook is the basic element: for a given incident, such as a phishing attack, it outlines the series of steps the whole response will take.
The second is automation: the phase of the SOAR response that leverages APIs to trigger responses from third-party security systems.
He explained, “With the push of a button, I can automate a response to a vendor like CrowdStrike to quarantine an endpoint that is malware-compromised.”
The capability to do this helps tremendously with narrowing the window for an organisation to respond to an attack.
Collaboration is another important SOAR element, to which Ajay commented, “Now, more and more when you are having an incident, it’s not just you that is responsible… a whole team needs to get involved.”
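The stolen-credentials playbook and the API-driven automation step described above, as an added example that is not Securonix’s code: the connector class is a constructed in-memory stand-in for the case-management, paging, directory and EDR APIs a real SOAR platform would call, and the playbook runner shows idempotent re-runs and what happens when one connector is unreachable.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    alert_id: str
    kind: str   # detection category from the analytics layer, e.g. "stolen_credentials"
    user: str
    host: str

@dataclass
class Connectors:
    # Constructed stand-ins for the third-party systems a SOAR reaches over APIs
    # (case management, analyst paging, directory, EDR). Not real vendor APIs.
    incidents: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)
    escalations: list = field(default_factory=list)
    disabled_users: set = field(default_factory=set)
    quarantined_hosts: set = field(default_factory=set)
    failing: set = field(default_factory=set)  # connector names simulated as down

    def _check(self, name):
        if name in self.failing:
            raise ConnectionError(f"{name} API unreachable")

    def flag_incident(self, a):
        self._check("case"); self.incidents[a.alert_id] = "open"; return "flagged"

    def notify_analyst(self, a):
        self._check("pager")
        self.notifications.append(f"{a.alert_id}: {a.kind} by {a.user} on {a.host}")
        return "notified"

    def disable_user(self, a):
        self._check("directory")
        if a.user in self.disabled_users:
            return "already_disabled"        # idempotent: safe to re-run the playbook
        self.disabled_users.add(a.user); return "disabled"

    def quarantine_host(self, a):
        self._check("edr")
        if a.host in self.quarantined_hosts:
            return "already_quarantined"
        self.quarantined_hosts.add(a.host); return "quarantined"

# Playbook: ordered step names per detection kind (the stolen-credentials case from the text)
PLAYBOOKS = {"stolen_credentials": ["flag_incident", "notify_analyst", "disable_user", "quarantine_host"]}

def run_playbook(alert, conn):
    """Run every step in order. A failed connector call is recorded and the remaining
    containment steps still run, then the incident is escalated for manual follow-up."""
    results = {}
    for step in PLAYBOOKS.get(alert.kind, []):
        try:
            results[step] = getattr(conn, step)(alert)
        except ConnectionError as exc:
            results[step] = f"failed: {exc}"
    if any(r.startswith("failed") for r in results.values()):
        conn.escalations.append(f"{alert.alert_id}: manual follow-up needed {results}")
    return results
```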
A platform enables teamwork from beyond the incident response team
For example, when it comes to insider threats, the HR team comes into the picture. If there is data leakage, the legal team gets involved.
Another good example Ajay shared that required collaboration from a broader set of people, and not just incident response, is when governments put out contracts that require breach notifications within six hours.
“So, a platform like SOAR provides playbooks that help you standardise your response, and provide you automation via APIs to connect to all systems and push decisions forward.”
A platform approach also helps to streamline collaboration, by tying all the relevant parties together so they can participate and collaborate as part of the incident response.
Associated systems and processes
There are standard systems Securonix would work with, for example endpoint detection and response (EDR) vendors like CrowdStrike, and threat intelligence providers that help with investigations, like VirusTotal.
A third category of systems would be control or action systems, like a firewall. This helps with, for example, blocking an IP connection, or quarantining compromised machines.
Of course, there are many more categories like identity, privileged access management (PAM), and others.
Ajay commented, “Security is a team sport. The idea is to get as many of these partners as possible on a platform. We are currently reaching out to more and more network security vendors, email security providers, and more so we can carry out these control actions.”
From a SIEM perspective, Ajay shared that Securonix already supports close to 600 different connectors. “That means you can view logs and events from about 600 different vendors.”
This is well above the roughly 75 security tools that an average enterprise typically has to monitor, manage, and integrate across its whole environment.
A unique advantage Securonix has over other SIEM and/or SOAR solutions in the market is how they consolidated three different architectures – SIEM, UEBA (user and entity behaviour analytics), and SOAR – into one architecture and one screen from which to do threat detection, investigation, and response.