An ever-changing perimeter?

Over the past few years we have seen the commercial threat landscape evolve from simply combating network penetration over a defined perimeter (the foundation of many organizations’ traditional security programs) to an ever-widening, cloud-based, SaaS-driven, geographically dispersed, distributed cluster of disparate services.

No wonder we keep hearing that ‘the perimeter is dead’ across the IT security marketplace.

Of course this isn’t completely true. After all, poking holes in traditional gateway protection and hunting for new network infrastructure vulnerabilities certainly isn’t dead. In fact, with 53% of threat vectors categorised as direct hacking last year[1], serious infrastructure vulnerabilities continue to hit the news[2].

The challenge of gaining visibility

The traditional perimeter is clearly not to be neglected, and by that logic there is nothing wrong with the traditional view that it should remain one of the foundations of most information security programs.

The real challenge is more that the perimeter has evolved to mean more than just network infrastructure and gateway protection.

It has effectively been carved up into a constellation of mini-perimeters, each with its own distinct set of security challenges. Not least of these is simply gaining visibility into what company assets exist and where they are stored, and, most importantly, maintaining that visibility.

Our Digital Risk Protection solution, SearchLight, continually monitors this new perimeter across the open, deep and dark web for risks to your business. These include:

  • Detecting exposed data – exposed credentials, sensitive business documents, and customer details
  • Securing your brand online – spoof domains, mobile applications, and social media profiles
  • Reducing your attack surface – vulnerabilities, open ports, and weak certificates

Maintaining visibility: Information Flow

Part of the solution to gaining and maintaining visibility has been to turn to Security Information and Event Management (SIEM) solutions, where possible backed by equally impressive Security Orchestration, Automation and Response (SOAR) technologies; the feature sets and capabilities of the two often overlap. And we are not the only ones who think so:

According to Gartner, “by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations[3]”.

With the ever-expanding threat landscape and rising mitigation costs, it is even more critical to detect and remediate threats quickly and effectively. However, security organizations struggle with the volume and lack of context provided by many event sources – powering the SIEM and SOAR solutions – and require additional threat intelligence to make the best decisions.

Maintaining visibility: Rapid Turnkey Integration

Indeed, these technologies enable businesses to take advantage of inputs from a variety of sources, leverage effective turnkey integrations, and deliver workflows designed for effective security outcomes, reducing operational friction within security operations and delivering operationally effective threat reduction and response.

Once properly embedded and established within the organization via both SOAR and SIEM integration, we can leverage our pre-built integrations using our REST API to deliver a range of functionality including:

  • All alerts that target the customer’s organization, for triage and response
  • Full context provided with each alert
  • Alert-specific playbooks and recommendations

This is why we at Digital Shadows (now ReliaQuest) offer our customers an unlimited number of API integrations.

For example, our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service integrates with Splunk Enterprise and Splunk Enterprise Security, enabling security teams to correlate alerts, ingest the latest threat intelligence, and gain real-time context from the open, deep, and dark web. This streamlines incident processing, increases your effectiveness, and saves you time.

We support many other integrations including Micro Focus ArcSight, IBM QRadar, Anomali, and Phantom just to name a few. You can check out our full list of integration partners here.

Integration Driven Automation

For those wanting to automate their responses, we offer out-of-the-box integrations with SOAR solutions such as Phantom Security and Demisto. Many vendors offer workflow or If-This-Then-That (IFTTT) capabilities that allow the user to digitize their standard operating procedures. Some products and vendors in the orchestration group have not historically included an orchestration capability; however, many of them now offer (or will soon offer) orchestration and automation capabilities, either natively or as an extension to their main platforms.

Another example of the power of automation is our direct integration with Mimecast email security, which proactively protects your employees from known domains posing a phishing risk and so reduces the likelihood of a successful phishing attack.

Mimecast analyzes incoming emails to assess risk and protect your users from phishing attacks. Combine this with SearchLight’s domain impersonation capability, and incoming emails from impersonating domains can be blocked within Mimecast, all automatically.
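To make the alert-to-action workflow concrete, here is an added example of the kind of playbook step a SOAR platform would run between an alert feed and an email gateway. It is not Digital Shadows, ReliaQuest or Mimecast code: the alert schema (`type`, `risk`, `domain`, `context.target`), the action schema and the sample alerts are all constructed assumptions. It shows why the “full context with each alert” matters: the step only auto-blocks domains that are high risk, genuinely resemble a protected domain, and are neither owned by the business nor on an allowlist, and it routes everything else to human triage rather than silently blocking it.

```python
"""Hypothetical SOAR playbook step: domain-impersonation alerts -> email-gateway blocks.
Added example, not vendor code; every field name and the action format are assumptions."""

# Constructed sample alerts, shaped like an assumed alert-API response
SAMPLE_ALERTS = [
    {"id": "A-1001", "type": "impersonating_domain", "risk": "high",
     "domain": "examp1e-corp.com", "context": {"target": "example-corp.com"}},
    {"id": "A-1002", "type": "impersonating_domain", "risk": "low",
     "domain": "example-corp-blog.net", "context": {"target": "example-corp.com"}},
    {"id": "A-1003", "type": "exposed_credentials", "risk": "high",
     "context": {"source": "paste site", "count": 12}},
    {"id": "A-1004", "type": "impersonating_domain", "risk": "high",
     "domain": "examp1e-corp.com",  # same domain as A-1001: must collapse to one block
     "context": {"target": "example-corp.com"}},
    {"id": "A-1005", "type": "impersonating_domain", "risk": "high",
     "domain": "example-corp.com",  # the business's own domain: must never be blocked
     "context": {"target": "example-corp.com"}},
    {"id": "A-1006", "type": "impersonating_domain", "risk": "high",
     "domain": "totally-unrelated.org",  # rated high but bears no resemblance
     "context": {"target": "example-corp.com"}},
]

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def edit_distance(a, b):
    """Levenshtein distance, a cheap lookalike test (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, target, max_distance=2):
    """True if the candidate's name (TLD stripped) is a near-miss of, or embeds, the target's."""
    c = candidate.rsplit(".", 1)[0]
    t = target.rsplit(".", 1)[0]
    return edit_distance(c, t) <= max_distance or t in c


def select_block_candidates(alerts, owned_domains, allowlist=(), min_risk="high"):
    """Return the sorted, de-duplicated domains that pass every auto-block gate."""
    owned = {d.lower() for d in owned_domains}
    allowed = {d.lower() for d in allowlist}
    chosen = set()
    for alert in alerts:
        if alert.get("type") != "impersonating_domain":
            continue  # other alert types belong to other playbooks
        if RISK_ORDER.get(alert.get("risk"), -1) < RISK_ORDER[min_risk]:
            continue  # below the automation threshold
        domain = alert["domain"].lower()
        if domain in owned or domain in allowed:
            continue  # never block the business itself or an approved partner
        if not looks_like(domain, alert.get("context", {}).get("target", "")):
            continue  # context does not support the alert: leave for analysts
        chosen.add(domain)
    return sorted(chosen)


def build_block_actions(domains, alerts):
    """Shape each block as a generic gateway action, keeping alert ids for the audit trail."""
    actions = []
    for d in domains:
        ids = [a["id"] for a in alerts if a.get("domain", "").lower() == d]
        actions.append({"action": "block_sender_domain", "domain": d,
                        "comment": "auto-blocked from alerts " + ",".join(ids)})
    return actions


def needs_review(alerts, owned_domains, allowlist=(), min_risk="high"):
    """Impersonation alerts that were not auto-blocked, so none are lost to automation."""
    blocked = set(select_block_candidates(alerts, owned_domains, allowlist, min_risk))
    return [a["id"] for a in alerts
            if a.get("type") == "impersonating_domain"
            and a["domain"].lower() not in blocked]


if __name__ == "__main__":
    to_block = select_block_candidates(SAMPLE_ALERTS, ["example-corp.com"])
    for action in build_block_actions(to_block, SAMPLE_ALERTS):
        print(action)
    print("for analyst review:", needs_review(SAMPLE_ALERTS, ["example-corp.com"]))
```

Lowering `min_risk` to `"low"` widens the net to the blog-style domain as well, which is exactly the kind of threshold a team should tune deliberately rather than inherit; the `needs_review` list is what the SIEM or SOAR case queue would receive for the alerts the automation declined to act on.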

Integrations and Operations in Context

Today we face an ever-growing landscape of threats and a continued shortage of solutions and people to prevent them. This is why the quality of the alerts raised across the new, disparate perimeter is so important: without context, threat intelligence is rarely anything but additional noise!

If you’re interested in learning more about operationalizing your threat intelligence, check out our blog, ‘How to Operationalize Threat Intelligence: Actionability and Context’.

[1] Verizon Data Breach Investigations Report (DBIR), Verizon, 2019

[2] ‘Hackers probe Citrix servers for weakness to remote code execution vulnerability’, CNET, 2020

[3] Market Guide for Security Orchestration Automation and Response Solutions, Gartner, 2019