Autonomous cars, smart homes, the advent of the second machine age – my brain had long grown accustomed to hearing these buzzwords and wondering how these technologies would affect and shape the cybersecurity industry. But never had the reality of the coming times sunk in for me as much as it did at the Splunk User conference in Orlando last week.
As I watched how machines (security tools) were increasingly sending information to each other and using the additional insight shared to strengthen security postures and even develop responses, it struck me that the second age of the machines wasn’t a far-off, some-time-in-the-future dream or a research lab experiment. It is happening now!
Consider how many vendors, from industry giants to smaller niche players, have already adopted a framework to prepare for these changes: it is already our reality.
Of course, at the Splunk user conference, every solution featured an integration with Splunk. But what’s more, the cybersecurity industry has become increasingly tightly integrated, automation-oriented, and open. As I had various interesting conversations on the conference room floor with people using cybersecurity solutions in their day-to-day jobs, or with my peers who are working on creating some of these tools, I made note of a few key insights which will be critical in determining the cyber solution leaders in this approaching new era:
Enhanced Visibility and Context is Key
Visibility and context have long been touted as the holy grail of cybersecurity. The more you know, the better prepared and equipped you are to swiftly tackle threats. But this visibility is no longer limited to applications, protocols or hosts in the network.
It is about enhanced visibility that provides transparency into users, threats, applications and endpoints, down to the processes running on those endpoints, to fully understand and battle threats that may be lurking in your environment. It is about gathering context not from just one source but from multiple sources, to give the most detailed and granular insight into an item of interest, be it a device, a user, a threat or something else.
It is interesting to note how granular contextual information sharing has become over the years. Context around a bad site is no longer just location or registrar information. It has evolved to tracking domain, registry or IP history, down to actual screenshots of a website. Granular and detailed contextual visibility is essential. For network visibility solutions in particular, this means providing insight into the new applications and protocols (custom or otherwise) that the proliferation of IoT devices will bring into the mix. While several solutions provide visibility and pull in context from other tools to bridge the visibility gaps, few are built to seamlessly scale to meet these needs. Scalability will be the crux of the impending challenges for these solutions.
Mutually Symbiotic Relationships are Unavoidable
A security solution that works in isolation is doomed to fail. Security leaders must recognize the need for the various solutions to share information and work in sync to eliminate the visibility and context blind spots that each solution set has. It’s not just about making space for solutions to cohabit.
Sure, endpoint vendors may have the best insight into processes spawned by malicious files on a device, but they have no visibility into lateral movement from this infected device across the network. Network visibility vendors can provide this, and might be able to cast light on advanced threats that have evaded perimeter firewalls, but of course might not be able to block these threats as a firewall would. Tools are increasingly adopting the strategy of pulling in insight from various solutions, and those with flexible, open APIs which enable real-time sharing of information between distinct toolsets are going to emerge as the strongest leaders in the cybersecurity solution space.
Automation and Orchestration will be the Norm
“Adaptive response” and “automation” are poised to become a mainstay of the security industry, and showed up in quite a few of the toolsets showcased at the Splunk conference. With the proliferation of devices, threats, applications, and users, the data output by security toolsets in terms of events, anomalies, analytics and the like long ago exceeded what humans can reasonably comprehend or process in the required time.
Eliminating the human element in processing and responding to these threats will be essential to stopping cyberattacks before they happen. In the movie The Imitation Game, while talking about Enigma, Alan Turing famously says “Our problem is that we are only using men to try to beat it. What if only a machine can defeat another machine?”
A similar analogy applies to threats. A piece of malware, which is simply a piece of software, can install, execute, and create callbacks in machine time. It’s impossible for a human to process and respond in an appropriate timeframe - but not for a machine! Toolsets that not only share information but also use machine learning and other techniques to process it and pass it on in machine time to other toolsets for automated responses will be the winners in this hypercompetitive space.
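The multi-source context gathering described under visibility, the endpoint-plus-network pairing from the section on symbiotic relationships, and the machine-time response from this section can be shown end to end in a single small correlation step. The following is an added illustration written for this page; it is not code from the post, from Splunk, or from Corvil. The endpoint alert, the flow records, and the asset inventory are all constructed sample data, the list of "admin" ports and the scoring thresholds are assumptions chosen for the demonstration, and the hash value is a placeholder.

```python
"""Enrich an endpoint alert with network and inventory context, then decide
a response in machine time. Added example; all data below is constructed."""
from datetime import datetime, timedelta

# --- constructed sample input (not real telemetry) --------------------------
# An alert as a hypothetical EDR export might deliver it: a document reader
# spawning a shell on one workstation.
ENDPOINT_ALERTS = [
    {"ts": "2016-10-03T14:02:11Z", "host": "ws-017", "user": "jdoe",
     "process": "powershell.exe", "parent": "winword.exe",
     "sha256": "<placeholder-hash>"},
]

# Flow records as a network visibility tool might export them:
# (timestamp, src_host, dst_host, dst_port, bytes).
NETWORK_FLOWS = [
    ("2016-10-03T13:40:00Z", "ws-017", "fileserver-01", 445, 1200),   # before the alert
    ("2016-10-03T14:03:05Z", "ws-017", "ws-021", 445, 48000),
    ("2016-10-03T14:03:40Z", "ws-017", "ws-022", 445, 51000),
    ("2016-10-03T14:04:10Z", "ws-017", "ws-023", 3389, 9000),
    ("2016-10-03T14:05:00Z", "ws-017", "203.0.113.10", 443, 2048),    # outside inventory
    ("2016-10-03T14:06:00Z", "ws-009", "ws-021", 445, 300),           # different host
]

# A third context source: the asset inventory of the monitored network.
ASSET_INVENTORY = {
    "ws-009": "workstation", "ws-017": "workstation", "ws-021": "workstation",
    "ws-022": "workstation", "ws-023": "workstation", "fileserver-01": "server",
}

# Assumption for this example: ports whose use between workstations is a
# lateral-movement indicator worth counting.
ADMIN_PORTS = {22, 445, 3389, 5985}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_incident(alert, flows, inventory, window=timedelta(minutes=10)):
    """Join one endpoint alert with the flows its host produced afterwards.

    Destinations present in the inventory are internal; contact on an admin
    port is recorded as a lateral-movement target. Destinations absent from
    the inventory are treated as external callbacks (an assumption: the
    inventory is taken to be complete for the monitored network).
    """
    t0 = parse_ts(alert["ts"])
    lateral, callbacks = set(), set()
    for ts, src, dst, port, _ in flows:
        t = parse_ts(ts)
        if src != alert["host"] or not (t0 <= t <= t0 + window):
            continue
        if dst in inventory:
            if port in ADMIN_PORTS:
                lateral.add(dst)
        else:
            callbacks.add(f"{dst}:{port}")
    return {
        "host": alert["host"],
        "role": inventory.get(alert["host"], "unknown"),
        "user": alert["user"],
        "process_chain": f'{alert["parent"]} -> {alert["process"]}',
        "lateral_targets": sorted(lateral),
        "external_callbacks": sorted(callbacks),
    }


def decide_response(incident):
    """Map the enriched incident to an action. Thresholds are assumptions:
    several internal targets or any callback is enough to isolate the host."""
    score = 0
    targets = len(incident["lateral_targets"])
    score += 2 if targets >= 2 else (1 if targets == 1 else 0)
    score += 2 if incident["external_callbacks"] else 0
    if score >= 3:
        return "isolate_host"
    if score >= 1:
        return "escalate_to_analyst"
    return "monitor"


if __name__ == "__main__":
    for alert in ENDPOINT_ALERTS:
        incident = build_incident(alert, NETWORK_FLOWS, ASSET_INVENTORY)
        print(incident)
        print("response:", decide_response(incident))
```

The point of the join is that neither source alone supports the decision: the endpoint tool sees the suspicious process chain but none of the SMB and RDP connections that follow it, while the network tool sees the connections but has no idea why ws-017 suddenly started making them. Only the combined record, filtered to the window after the alert and qualified by the inventory, carries enough context for an automated action.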
Needless to say, exciting times lie ahead for the industry. At the Splunk conference, chatting with industry peers, I felt energized to know that Corvil has made giant strides into this exciting future!