Improving Threat Detection Through Integration
The value of cybersecurity tools can be greater than the sum of its parts — but only when they are used collectively in an integrated manner.
- Comprehensive threat intelligence requires a diverse set of cybersecurity tools to keep up with the ever-changing threat landscape.
- But using multiple solutions generates troves of fragmented data that’s difficult for cybersecurity teams to interpret and act on.
- To realize the full value of these tools, they need to be integrated, allowing security professionals to connect the dots and see the big picture.
So many cybersecurity tools, so little time. The amount and variety of the data generated by these tools can be overwhelming. So how do corporate security teams sort through it all to detect and prioritize the threats that matter most?
The obvious answer is to integrate all that data, so all the trees can be viewed as a single forest.
The goal should be to achieve a single, big-picture view that can be analyzed in real time, allowing security personnel to arrive at actionable insights without getting lost in the weeds.
Distributed Threat Intelligence Disrupts the Big Picture
No single cybersecurity tool can do everything, and comprehensive threat intelligence requires a diverse set of security tools to keep up with the ever-changing threat landscape. Yet a 2020 study by the Ponemon Institute found that making use of more tools placed an organization at a disadvantage, and that companies that used fewer threat detection tools were better able to detect and respond to an attack. Less, however, did not always equate to more. The report also found that pooling data from discrete tools can help reduce reporting complexity, and 63% of the high-performing organizations surveyed said that sharing data among tools helped improve their ability to respond to threats.
In other words, widespread, piecemeal data presents problems when it isn’t integrated properly, and even the best threat intelligence tools can be a liability if they’re treated as alert-generating islands unto themselves.
Too Many Alerts Can Prove to be Costly
An increasing volume of alerts is a burdensome reality for many security teams. It’s not uncommon for some organizations to receive more than 100 alerts in a given day — or even ten times that many if they work at a large enterprise. And like the boy who cried wolf, with so many attack notifications they become easy to ignore.
This state of affairs can be very costly. Another study by Ponemon, this one from 2015, found that companies lose an average of $1.27 million a year responding to inaccurate or erroneous alerts. This is in part due to all the time wasted by the cybersecurity professionals who are tasked with parsing through all the noise. In the absence of an integrated solution, it’s like asking them to piece together an oversized jigsaw puzzle without providing a big picture for them to reference. Ultimately, they might be able to do it — but the outcome is less certain, and it will surely take them much longer to accomplish the job.
Even with all the state of the threat solutions at their disposal, when the data is channeled through individual veins, as opposed to a central artery, security teams have trouble keeping their finger on the pulse. Absent a centralized hub, integrated dashboard or similar reporting mechanism, team members have no choice but to bounce from one threat intelligence service to the next. This keeps them stuck in the weeds, unable to discern an attack pattern or how one intrusion might be related to the next. Responding to threats as they occur, they can only react — unable to adopt a more proactive approach that anticipates where the next attack is likely to come from.
Better Threat Detection Relies on Data Integration
With the average time-to-detection of a cyber intrusion being an astounding 56 days, there is small doubt that better threat detection intelligence is needed. Enter SIEMs, SOARs and APIs, which collectively make it feasible to integrate multiple threat intelligence solutions.
Security Information and Event Management, or SIEM, provides a framework for assimilating the inputs from discrete security tools into a single feed. By aggregating and correlating this data, it can spot events that can’t be identified by individual monitoring of individual tools.
Security Orchestration, Automation and Response, or SOAR, boosts a SIEM framework’s capabilities by automating the threat analysis and incident response. But SOAR’s ability to programmatically respond relies on extensive data integration. Hence the need for APIs —especially open APIs — that can accelerate the melding of different cybersecurity tools and their reporting systems.
Using software technologies like SIEMs, SOARs and open APIs, security professionals can tap into the collective power of the best threat intelligence tools available, enabling them to lift their gaze from the trees to the forest.
De bottom line
Given the ever-changing cyber threat landscape, the profusion of threat-detection tools is a necessary evil. Used standalone, these tools can become a liability, since they force cybersecurity teams to flit from one reporting system to the next, often missing the big picture in the process. But by integrating them with approaches like SIEM, SOAR and open APIs, security professionals can connect the dots, spotting threat patterns that would otherwise elude detection.
To learn more about optimizing your security stack, join us for Mimecast SecOps Virtual, a complimentary half-day event of keynotes and breakout sessions taking place January 26 and 27.
 “56% of Large Companies Handle 1,000+ Security Alerts Each Day,” DarkReading