Throughout human history, we have been developing weapons and defenses in a constant cycle – from the first spears and shields to bombers and anti-aircraft guns. This mentality has carried over to the information age, and we're now locked in an escalating war of information with cyber criminals. For every new tactic they use to attack businesses, we develop a defense. The result is that we now have a complex series of defensive technologies that are being maintained by different people in different operating groups. Firewalls, anti-virus, secure gateways, data leakage protection – we've developed separate solutions to defend every point of the data stack. But this creates visibility problems, and no one person is able to keep up with everything. Often, different people within an organization manage patches, network security, application security and other aspects of security. The information we get from all of our safeguards is fragmented, and we find ourselves making decisions based on incomplete information. We have a wealth of data, but little true knowledge of how to put it to use to protect the enterprise.
SIEM and its limitations
In order to take a step back and see the whole picture of our risks, many organizations look to security information and event management (SIEM) solutions. SIEM tools can help bring together the data generated by siloed security measures to provide better visibility. But there are limitations to what SIEM can do.
While SIEM provides essential intelligence, it's event-driven, relying on incidents to generate information rather than working proactively. Moreover, when an incident does happen, it's unable to take any action, which means we still find ourselves relying on manual procedures. This increases the resource demands on IT, and potentially leaves the organization exposed if problems are not dealt with quickly enough.
Today's CISO has two main needs. The first is the ability to understand risks in the context of the business itself. This means we need complete visibility into every level of the data stack, from end to end, with the ability to bring all the resulting data together in a comprehensive way. The second need is to be able to take that complete picture and convert the information into meaningful action that will reduce these specific risks.
“We must continue to dramatically evolve and reshape our information analysis capability...”
Current SIEM solutions help with the first need, but they don't help generate action or overcome the fragmentation created by so many discrete security solutions. It's time for vendors to take note of the needs of businesses today, and offer not only comprehensive risk understanding but also the ability to drive operational processes that minimize the need for manual intervention. This is particularly timely given the information eruption due to the array of security data coming at us at warp speed from all angles. We've reached a true inflection point in the security space that requires new thinking and new approaches to mature the industry to a point of operational excellence, rather than block-and-tackle defenses.