Maturing Cyber Operations Using a Unified Approach
Learn how to change the conversation around enterprise security and the building blocks that comprise a unified security strategy.
In This Article
Security leaders are constantly thrown into the midst of a war zone. Attack surfaces are ever-expanding. Tactics, techniques and procedures (TTP) are in constant flux. There's a cybersecurity skills gap with no end in sight. The deck is stacked against organizations today, thus requiring an integrated automated approach to security to protect users, assets and data.
Several years ago, I began telling my customers, "the endpoint is the new perimeter." And though my talk track has morphed a bit since then (I'd argue identity is now the new perimeter), endpoint security still plays a critical role in defending against security breaches. And we have the data to prove it.
Industry research by International Data Corporation (IDC) shows that 70 percent of successful breaches enter through an endpoint such as a laptop, tablet or phone. A mobile workforce has proven to be the weakest security link and an easy target for attackers.
Rick McElroy, security strategist for Carbon Black, has this to say:
"A mobile workforce and the cloud have dramatically changed the security landscape… The decentralization of end-users who work from anywhere and everywhere means that critical business applications and resources are more vulnerable than ever."
It's a war zone out there. It's a digitized landscape with payloads measured in kilobytes, not megatons. I imagine squads of InfoSec experts, "cyber ninjas," moving around a battlefield. Bullets are flying overhead, and who do they find in the trenches next to them?
They find a salesperson offering free lunch and a demo on why their solution is the next game-changer.
Don't get me wrong. There are a handful of excellence and point security solutions out there, and I'll talk more about one of them at the end of this article, but can we please stop the incessant noise? Can we change the conversation?
I think the endpoint security industry suffers under product fatigue. Most vendors say the same thing. I've lost track of the number of product "bake-offs" I've performed in our Advanced Technology Center. When we engage with OEMs to interview them on their solution, can you imagine what kind of grades many of them give themselves? They usually come back with straight A's.
It's time to think differently.
For that reason, I have discouraged efficacy testing as the primary way of selecting an endpoint security solution. Sure, go ahead and use it to narrow down the top three solutions you're interested in. However, when you get to that point, you need to turn towards more subjective tests and evaluations. Having a view for a unified approach is where I'm headed.
Here are just a few things to think about when designing and monitoring an endpoint security strategy:
- A company's compliance requirements, if it's a highly regulated industry.
- How mobile its workforce is, especially given the recent turn of events.
- The value and amount of data available via mobile devices.
- Past incident data, including how data flows, the number of attacks mitigated each month and the need for manual intervention.
- The ability to consolidate functionality into fewer endpoint agents.
- Visibility into devices that are currently offline.
- Hidden costs around operating a complex on-premise solution.
- Your team culture. Will they accept a streamlined solution or demand granularity?
None of these things will show up in an NSS Labs test or the MITRE ATT&CK evaluations. But these can make or break your investment. That was just a sampler. Let's now dive into some more personalized advice based on your role in the organization.
For the IT Director: Where to invest
Investing in advanced endpoint security significantly reduces both the probability of a breach as well as the cost impact to an organization if a breach should occur. In the latest Cost of a Data Breach Report from Ponemon, a specific correlation was found between advanced endpoint security solutions and the reduction of the risk and cost of a data breach. The report specifically calls out three functional areas to look at: identification, containment and automation.
"The failure to quickly identify the data breach leads to higher costs. Having tools that heighten detective or forensic capabilities can significantly reduce data breach cost." By how much? The report shows that a breach identified in less than 100 days costs $1.1 million less than a breach identified in more than 100 days.
"The failure to quickly contain the data breach will lead to higher costs. Having tools and processes that heighten remediation capabilities, such as a fully functional incident response process can significantly reduce data breach cost." By how much? The report indicates that a breach contained in less than 30 days costs $1.16 million less than a breach that takes longer than 30 days to contain.
Ponemon refers to security automation as "security technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches. Such technologies depend upon artificial intelligence, machine learning, analytics, and orchestration." When looking at this factor in the data analysis, "having security automation fully deployed significantly reduces the average cost of a data breach by $1.55 million."
For the Security Analyst: What to evaluate
Your boss will no doubt want to know you've done the research and have a clear understanding of what functionality is needed to defend against modern attackers. Using data from the SANS annual survey on endpoint protection and response as well as their guide for evaluating next-gen endpoint security and guide for replacing AV, we have compiled a list of the most critical capabilities companies should have to handle next-generation threats.
- Minimize false-positive events, which happen when the product blocks access to a legitimate program.
- Provide protection, including identification of new, potentially malicious behavior, with minimal impact on the endpoint user experience.
Protection and detection
- Prevention that stops all types of modern attacks, not just malware; ability to recognize and kill patterns of malicious behavior.
- Access to multiple forms of prevention, including the ability to set different policies for different endpoints, such as remote workers.
- Provide the ability to create, test and quickly deploy policies to improve prevention and reduce false positives.
Data intelligence and analytics
- Pull threat intelligence from multiple sources into a cloud-based intelligence and analytics engine; use this intelligence to identify malicious behavior and increase endpoint protection.
Visibility and context
- Build and customize queries and reports related to endpoint state and activity across the entire organization.
- Reveal the full chain of processes affected by malware/malicious behavior.
- Provide visualization tools, using both graphical and plain language presentations for real-time visibility and retrospective analysis of events.
- Standard and custom integrations with third-party products.
- Consolidated cloud-based management console for all modules.
- Simple deployment, supporting both manual and automated methods of endpoint deployment
For the left-brain number cruncher: What to know
I get it. You're left-brained and proud of it. So I'm going to cut to the chase and give you links to the reports before I start dropping factoids on you.
- Verizon 2018 Data Breach Investigations Report (DBIR)
- Verizon 2020 Data Breach Investigations Report (DBIR)
- Forrester The Total Economic Impact™ of VMware Carbon Black Cloud
Plan for security automation
The most significant cost savings found in the Ponemon Institute's study was that the average cost of a data breach ($3.86M) goes down significantly when security automation is fully deployed. For those organizations, the cost is reduced to $2.88 million. On the flip side, if a company has no security automation, its estimated cost of a data breach goes up to $4.43 million. That's a net cost savings of $1.55 million per data breach by investing in security automation.
Require robust real-time (and historical) visibility
Customers who deployed a unified endpoint security solution, such as VMware's Carbon Black, reduced the need to reimage machines by 90 percent. Why? Because analysts had better access to forensic data coming off the infected endpoints. They could perform a more detailed analysis and subsequent remediation than they could by using legacy AV products, or those siloed as strictly EPP (pre-breach) or EDR (post-breach) solutions. Being able to see data from offline endpoints increased confidence in the results of their investigations.
Demand a strategy to realize ROI
The impending cost of a data breach that hasn't happened yet can sometimes be hard to grasp. Forrester's TEI report addresses this by looking at both the cost of investing in advanced endpoint security, as well as the benefits. In doing so, the report calculated that the companies studied saw a 261 percent ROI and total 3-year benefits of $3.7M.
Do the value estimates on time savings
Effective prevention and detection, comprehensive endpoint visibility and intuitive attack visualizations reduce the time required to investigate and remediate — saving four hours per event per day. A typical number of daily events for an organization to experience is six. However, larger organizations may experience upwards of 40 events per day, which would equate to time savings of 160 hours per day.
Help your InfoSec teams simplify operations
Consolidating to a single agent and shifting to a cloud deployment saved two full-time equivalents (FTEs) per year — eliminating the inefficiencies of maintaining on-premise security solutions like legacy AV, antimalware and EDR solutions.
For everyone: Consider a unified platform
Security today, for the most part, just is not working. Applications are highly distributed, deployed across multiple private and public clouds. Further, they're each likely using different types of infrastructure and accessed from many different devices. Security sprawl is rampant too. There are countless products, agents and interfaces deployed across organizations, which creates further complexity from a security management standpoint.
Today's security should be intrinsic to your infrastructure. Security solutions should be built into the environment that needs protection, not applied as a layer on top. Also, they should use contextual information to help prevent attacks. And they should help simplify management, unifying administrative tools and bringing together disparate security teams.
As you progress with your digital transformation, you might need to modify your approach to security. Traditional solutions are bolted on and overly complicated, requiring the management of too many individual products. An organization might own 70 to 100 security products, each with its own agent and management tool.
Traditional products are also too threat-centric, focused on blocking threats at the perimeter. They're reactive, aiming at what happened yesterday instead of protecting against what is happening today and anticipating what might happen tomorrow. Moreover, traditional products are not sufficiently aware of apps and infrastructure — the very elements they are trying to protect.
Explaining intrinsic security, Sanjay Poonen, Chief Operating Officer, Customer Operations, VMware said: "VMware believes we have to stop adding more and more complexity in an effort to solve cybersecurity challenges, and instead use our infrastructure as part of the solution. In short, we must make security intrinsic."
"VMware is delivering intrinsic security through a comprehensive portfolio spanning the critical control points of security: network, endpoint, workload, identity, cloud, and analytics."
VMware helps customers significantly reduce risk to critical applications, sensitive data and users. Their goal is to turn the industry away from the conventional norms in security of detect, report and respond, and towards this new model that empowers customers to implement security that delivers automated, pervasive and proactive protection to critical assets apps and users regardless of where they reside in the enterprise.
How do these technologies protect each element of your technology ecosystem?
- Network and infrastructure. VMware solutions enable you to protect apps and data across multicloud environments by employing network security policies informed by contextual app and workload information. These solutions control network traffic through segmentation, help ensure more secure network access and inspect network traffic for anomalous behavior.
- Cloud and infrastructure-as-a-service (IaaS) environments. With VMware solutions, you can harden public cloud configurations, strengthening security and compliance with real-time detection and response capabilities for multiple public cloud providers.
- Workloads and apps. VMware technology allows you to wrap security as tightly as possible to each of your apps and workloads, helping to ensure that each is doing only what it should be doing. You can define good behavior: how an app is supposed to interact with the processor, memory, storage, data and network. Then you can automate actions based on behavioral anomalies.
- Endpoints, devices and users. You can harden the posture of devices and factor in the authenticity level of the users connecting to them. As a result, you protect your remote workforce against cyberattacks while leveraging the resources you already have.
Let us help operationalize your strategy and investments in VMware. We'll also get you up to speed on where we see the field of endpoint security and management changing in the coming years.
We encourage you to try out VMware's security solutions in our Advanced Technology Center (ATC), where you can get hands-on experience in a lab environment that's modeled on your own. The best place to start is with Carbon Black's Cloud Endpoint Sandbox Lab (formerly CB Defense) or Carbon Black's App Control Sandbox Lab.
For help with better understanding the tools in your tool belt, check out our Security Tools Rationalization Workshop or connect with me about an executive briefing.
And remember, it's not just the tools that are important — the right people and processes are needed to mature security capabilities and effectively manage endpoints across your business. Even the best tool will fail when paired with bad processes or a lack of resources.
Our security consultants, architects and engineers can build you an enterprise security program that defends against the most pressing risks facing your business. Our experts are experienced in security strategy, architecture and daily defense. They will work with you to make sure your investments further business goals, integrate into architecture and mature your security posture.