How to Design Your Security Integrations
A Mimecast product manager shares tips for integrating best-of-breed tools via APIs to more quickly identify, analyze and respond to threats.
- Planning is key to successful integration, starting with defining your goals.
- If you don’t have precise goals at the outset, collect a broad range of data that you can search to identify patterns and problems.
- Gain a clear understanding of each of your security tools’ capabilities and limitations.
- Focused dashboards and careful data integration can help reduce analytical effort and time-to-value.
In a rapidly evolving threat environment, effective cyber defense requires a diverse set of focused, best-of-breed security tools. Integrating those tools is key to faster threat identification and response, helping security teams do more with less and enabling the organization to get the most from its security investments.
Mimecast is strongly committed to this approach, which is why we provide pre-built API-based integrations with other leading products as well as a comprehensive set of open APIs that customers can use to integrate products themselves. My role involves building those integrations — and in this blog post I’ll share best practices and insights that I’ve learned from that work, with the goal of helping other organizations integrate their security tools as quickly and effectively as possible.
5 Best Practices for Integrating Security Tools
Planning is key to success. That’s the overarching practice to keep in mind as you read the five tips below — the one to rule them all, if you will. Even though you may feel pressured to deliver results, it pays to start out by defining your objectives, gaining a clear understanding of each tool’s integration capabilities and limitations, and thinking about how you’ll combine and analyze the data from each tool. These five best practices cover each step in the journey.
1. Define Your Goals
Think about why you’re embarking on this journey and what you want to do. Are you looking to surface threats earlier? Are you seeking to gain an overview of your entire environment? Defining your goals will help determine exactly what data you need to collect and how to analyze it. Sometimes the immediate need is driven by a specific recent event, such as the compromise of a senior executive via malicious email. Pinpointing the problem may require collecting and analyzing logs from previous days or even weeks to identify the source and extent of the threat.
2. If You Don’t Have Precise Goals, Collect a Wide Range of Data
Realistically, it’s not always possible to define precise goals at the outset, even if you have a broad idea of what you want to do. Sometimes specific problems, patterns and potential solutions only become apparent once you start analyzing the data. If that’s the case, go wide: collect logs or other datasets from multiple sources so that you have a broad set of data for analysis. Here are some of the most useful data sources:
- Security Information and Event Management (SIEM) systems
- Security Orchestration, Automation, and Response (SOAR) systems
- Email audit logs
- Endpoint security logs
- Tools focused on specific problems like impersonation attempts, malicious attachments, and malicious URLs, such as Mimecast’s Targeted Threat Protection products.
- Data Loss Prevention logs
Once you’ve pulled in this information, you can start analyzing it for patterns and anomalies. In turn, the analysis can then suggest useful visualizations and actions. For example, multiple failed login attempts may mean attackers are attempting to hack into someone’s account. Once you’ve revealed that pattern through analysis, you can create detection rules and visualizations to capture and highlight similar attempts.
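The failed-login pattern described above, turned into a detection rule you could run over collected authentication logs. This is an added example, not Mimecast's code: the syslog-style line format, the sample log lines, and the four-failures-in-five-minutes threshold are all constructed assumptions for the illustration.

```python
"""Detection rule for repeated failed logins, run over constructed sample log lines.

Added example, not Mimecast code: the log format and threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (syslog-like; the format is an assumption for this example).
# alice: a burst of 4 failures then a success; bob: one stray failure, then a burst.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:04Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:15Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:20Z auth sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:05:00Z auth sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:30:00Z auth sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:31:00Z auth sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:32:00Z auth sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:33:00Z auth sshd: Failed password for bob from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than guessed at
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_failed_logins(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return one alert per user whose failures reach `threshold` within `window`.

    A per-user sliding window means a burst is flagged once, when it first
    crosses the threshold; a successful login clears the window, so a later
    burst against the same account is reported again.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    alerts = []
    alerted = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["user"]]
        if ev["result"] == "Accepted":
            q.clear()
            alerted.discard(ev["user"])
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ev["user"] not in alerted:
            alerts.append({"user": ev["user"], "count": len(q), "src": ev["src"],
                           "first": q[0], "last": ev["ts"]})
            alerted.add(ev["user"])
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logins(SAMPLE_LOG):
        print(f"{a['user']}: {a['count']} failures from {a['src']} between {a['first']} and {a['last']}")
```

The sliding window is what keeps the rule from firing on bob's single stray failure at 09:05 while still catching the later burst; the same structure feeds a dashboard visualization directly, since each alert carries the user, source address and time span.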
3. Make Sure You Have Adequate Documentation — and Read It!
It’s vital to get a clear understanding of each tool’s capabilities — and its limitations. So make sure you have adequate documentation for each product you’re trying to integrate, and read it thoroughly. That may sound obvious, but I’ve come across quite a few cases where integration efforts were hindered by problems that could have been identified by a closer reading of reference manuals. Some common problems and tips:
- Transferring data between products is not always simple. Different tools present data in different ways, and it’s often necessary to map data to a new schema.
- Be aware of product limitations. Some tools limit the number of rows in table views; some lack alerting capabilities.
- Make sure you’re aware of product features that affect the use of APIs. For example, Mimecast, like some other companies, applies rate limiting to prevent excessive API calls and ensure good performance.
- Don’t make assumptions about the meaning of numbered error codes and messages, even if you consider them standardized. An error code number may mean one thing to one (or many) systems but still be used differently by another.
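Two of the tips above, rate limiting and not assuming what an error code means, come together in the fetch loop of almost any integration. The following is an added example, not Mimecast's SDK or API: `FakeApi`, its response shape, the `Retry-After` header handling and the per-tool error table are constructed stand-ins for whatever the real product's reference manual documents.

```python
"""Paging through a rate-limited API without trusting generic error-code assumptions.

Added example, not Mimecast's SDK: FakeApi, its response shape and the
per-tool error table are assumptions standing in for a real client.
"""
import time


class FakeApi:
    """Simulated tool API: constructed pages, and HTTP 429 on the first `limited` calls."""

    def __init__(self, pages, limited=2):
        self.pages = pages          # list of pages, each a list of records
        self.limited = limited      # how many calls to throttle before serving data
        self.calls = 0

    def get(self, page_token):
        self.calls += 1
        if self.limited > 0:
            self.limited -= 1
            return {"status": 429, "headers": {"Retry-After": "0"}, "body": None}
        idx = page_token or 0
        nxt = idx + 1 if idx + 1 < len(self.pages) else None
        return {"status": 200, "headers": {},
                "body": {"items": self.pages[idx], "next": nxt}}


# Tip 3: look up what *this* tool says a code means instead of assuming a shared standard.
# Constructed table; a real one is filled in from the vendor's reference manual.
TOOL_ERROR_SEMANTICS = {
    429: "retry",   # throttled: back off and try again
    401: "fatal",   # credentials problem: retrying will not help
    404: "fatal",
}


def fetch_all(api, sleep=time.sleep, max_retries=5, backoff=0.5):
    """Collect every record across pages, honoring Retry-After when throttled.

    Unknown status codes are treated as fatal on purpose: guessing that an
    undocumented code is retryable is exactly the assumption tip 3 warns about.
    """
    items, token, retries = [], None, 0
    while True:
        resp = api.get(token)
        status = resp["status"]
        if status == 200:
            retries = 0
            items.extend(resp["body"]["items"])
            token = resp["body"]["next"]
            if token is None:
                return items
            continue
        action = TOOL_ERROR_SEMANTICS.get(status, "fatal")
        if action != "retry" or retries >= max_retries:
            raise RuntimeError(f"API returned {status}; documented handling: {action}")
        retries += 1
        # Prefer the server's own Retry-After; fall back to exponential backoff.
        wait = float(resp["headers"].get("Retry-After", backoff * 2 ** retries))
        sleep(wait)


if __name__ == "__main__":
    api = FakeApi([[1, 2], [3], [4, 5, 6]], limited=2)
    print(fetch_all(api, sleep=lambda s: None), "after", api.calls, "calls")
```

Injecting `sleep` keeps the loop testable without real waits; in production the default `time.sleep` applies, and the bounded `max_retries` stops a persistently throttled integration from spinning forever.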
4. Focused Dashboards Help Pinpoint Problems
When visualizing data, it’s often better to create several dashboards — each containing a curated set of visualizations focused on a specific area — instead of a single, all-encompassing dashboard. Mixing unrelated data within a single dashboard can be confusing and obscure the information that the dashboard is intended to convey. For example, when building a dashboard to track problems with users clicking on malicious URLs, it usually doesn’t make sense to include authentication logs, because authentication history doesn’t help you understand which URLs are the most problematic or which users have the riskiest behavior. Instead, use the URL dashboard visualizations to highlight malicious URLs that you need to deal with, and track the frequency at which users attempt to access those URLs. Someone who repeatedly clicks on a malicious link represents a bigger risk than someone who only clicks once.
5. Be Careful When Integrating Data — and Identify the Source
It’s often better not to aggregate data from many tools into a single database for analysis, because it can make searching the data much more complex. If you do combine data, add a custom field that identifies its source. Otherwise, the increased complexity can mean that it takes longer to get value from the data — which also means that the analysis consumes more of the organization’s scarce security resources.
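Tips 3, 4 and 5 above share one mechanical core: records from different tools arrive in different shapes, must be mapped onto a common schema, should carry a field naming their source, and can then feed a focused view such as a ranking of users who repeatedly click malicious URLs. The code below is an added example, not Mimecast's code: both input formats, the field names, the domain used to map an endpoint username to an email address, and the `http://` scheme assumed for endpoint records are constructed for the illustration.

```python
"""Combining records from two tools into one schema, tagged with their source.

Added example, not Mimecast code: both input formats, the field names and the
identity mapping are constructed for this illustration.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed: an email-security tool's URL-click log (one dict per click).
EMAIL_URL_LOG = [
    {"clickTime": "2024-03-01T10:00:00Z", "userEmailAddress": "Alice@example.com",
     "url": "http://malicious.example/login", "scanResult": "malicious"},
    {"clickTime": "2024-03-01T10:05:00Z", "userEmailAddress": "alice@example.com",
     "url": "http://malicious.example/login", "scanResult": "malicious"},
    {"clickTime": "2024-03-01T10:07:00Z", "userEmailAddress": "bob@example.com",
     "url": "http://benign.example/", "scanResult": "clean"},
]

# Constructed: an endpoint tool's web-filter log, a different shape for the same kind of event.
ENDPOINT_WEB_LOG = [
    {"ts": 1709287800, "host": "WS-17", "user": "EXAMPLE\\alice",
     "dest": "malicious.example", "path": "/login", "verdict": "block"},
    {"ts": 1709287920, "host": "WS-04", "user": "EXAMPLE\\carol",
     "dest": "malicious.example", "path": "/login", "verdict": "block"},
]

EMAIL_DOMAIN = "example.com"  # assumption: a real integration needs a proper identity mapping


def normalize_email(rec):
    """Map the email tool's record onto the common schema (source field included)."""
    return {"source": "email_gateway", "time": rec["clickTime"],
            "user": rec["userEmailAddress"].lower(), "url": rec["url"],
            "malicious": rec["scanResult"] == "malicious"}


def normalize_endpoint(rec):
    """Map the endpoint tool's record onto the same schema: epoch -> ISO, DOMAIN\\user -> email."""
    when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    account = rec["user"].split("\\")[-1].lower()
    return {"source": "endpoint_webfilter", "time": when,
            "user": f"{account}@{EMAIL_DOMAIN}",
            "url": f"http://{rec['dest']}{rec['path']}",  # scheme is an assumption
            "malicious": rec["verdict"] == "block"}


def combine(*batches):
    """Merge normalized batches in time order; every record keeps its `source`."""
    merged = [r for batch in batches for r in batch]
    return sorted(merged, key=lambda r: r["time"])


def by_source(events, source):
    """Tip 5: the source field lets an analyst pull one tool's records back out."""
    return [e for e in events if e["source"] == source]


def repeat_clickers(events, min_clicks=2):
    """Tip 4's URL-dashboard view: users ranked by malicious-URL clicks, most first."""
    counts = Counter(e["user"] for e in events if e["malicious"])
    return [(u, n) for u, n in counts.most_common() if n >= min_clicks]


if __name__ == "__main__":
    events = combine([normalize_email(r) for r in EMAIL_URL_LOG],
                     [normalize_endpoint(r) for r in ENDPOINT_WEB_LOG])
    for user, n in repeat_clickers(events):
        print(f"{user}: {n} malicious clicks across {len(set(e['source'] for e in events))} sources")
```

Because both normalizers emit the same keys, the ranking sees alice's two email-gateway clicks and her endpoint block as one behaviour, which is the point of the focused URL dashboard; and because each record still names its source, a search can be narrowed back to a single tool when the combined view raises a question.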
The Bottom Line
Integrating best-of-breed security products via open APIs is critical to faster threat detection, analysis and response. These best practices aim to help you integrate security tools quickly and effectively to meet the ever-evolving threat landscape.