Too many tools and too much to secure! Disjointed tool sets with no integrated threat intelligence! Complex products and an ever-expanding list of log sources to integrate into the security intelligence platform. Do interoperability and compatibility really exist in the security world? Many of you will find these complaints familiar.
According to Forrester, security complexity is now the biggest challenge organizations face, and in an AttackIQ and Ponemon Institute survey, respondents reported that their organizations use an average of 47 different cybersecurity tools across their networks. Security analysts are tasked with one-off, time-consuming, tailored integrations, all the while cyber threats keep evolving across an expanding landscape. Many CISOs find it hard to justify the ROI of their security investment because so much of it is spent on these integrations.
How do we make all these complex cybersecurity products work together to provide an effective organization-wide defence? Open Cybersecurity is a new way of promoting security integration and interoperability through the adoption of open source and open tooling, so that security teams can respond better to shifts in the cybersecurity landscape. It is a careful choreography of tools, technologies, policies and processes that facilitates open collaboration and integration.
The program entails unified methods of communicating information between participating organizations so that they can exchange security-related insights. The key building blocks of an Open Cybersecurity program are:
Data Collection and Architecture: The Security Content Automation Protocol (SCAP) Version 2 from NIST, to continuously monitor assets for compliance with various security and privacy standards, together with NIST's Open Security Controls Assessment Language (OSCAL), a set of formats expressed in XML, JSON and YAML that provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.
OpenDXL Ontology: a real-time, interoperable messaging format that enables multiple products to exchange information over a common message bus.
STIX Shifter: STIX (Structured Threat Information eXpression) is a standardized language for conveying data about cyber threats in a form that both humans and security tools can consume; STIX 1.x was expressed in XML, while STIX 2 is JSON. STIX 2 defines a comprehensive data model of cybersecurity artifacts, including the cyber-observable objects (processes, files, network traffic and so on) used to describe what was seen on a system. STIX-shifter is the open-source Python library that translates STIX patterns into the native query language of a given data source (SIEM, EDR, cloud logs) and converts the returned results back into STIX observations, so a hunt written once can be run against many products.
Kestrel: The Kestrel threat hunting language provides an abstraction that lets threat hunters focus on what to hunt instead of how to hunt. The abstraction makes it possible to codify reusable hunting knowledge in a composable and shareable manner, and the Kestrel runtime works out how to hunt, using connectors such as STIX-shifter to reach the data sources, which makes cyber threat hunting less tedious and more efficient.
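As an added example (written for this page; it is not code from the page, nor the stix-shifter or Kestrel projects' own implementation), the round trip that both tools build on: a STIX 2.1 pattern is parsed, compiled into a data-source-native query, executed, and the hits are returned as STIX 2.1 cyber-observable objects inside a bundle, which is what a Kestrel GET step receives. The data source (an in-memory list of process events), its field mapping and the SQL-like query dialect are all constructed for illustration; only flat AND-joined comparisons are supported, and anything else is rejected rather than silently misread.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample process-creation events standing in for an EDR data source.
SAMPLE_EVENTS = [
    {"name": "powershell.exe", "command_line": "powershell.exe -enc SQBFAFgA", "pid": 4120, "host": "ws01"},
    {"name": "explorer.exe", "command_line": "C:\\Windows\\explorer.exe", "pid": 1888, "host": "ws01"},
    {"name": "powershell.exe", "command_line": "powershell.exe Get-Process", "pid": 5012, "host": "ws02"},
]

# STIX 2.1 object path -> column in the hypothetical data source. This is the
# per-product mapping a translation module has to carry.
FIELD_MAP = {
    "process:image_ref.name": "name",
    "process:command_line": "command_line",
    "process:pid": "pid",
}

# One comparison expression: <object path> <operator> '<string literal>'
COMPARISON = re.compile(r"^\s*([\w-]+:[\w.]+)\s+(=|!=|MATCHES)\s+'((?:[^'\\]|\\.)*)'\s*$")


def parse_pattern(pattern):
    """Parse one bracketed observation expression of AND-joined comparisons into
    (path, operator, value) triples. Parentheses, OR and START/STOP qualifiers
    are not supported and make the regex fail, so they raise instead of passing."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("pattern must be a bracketed observation expression")
    triples = []
    for term in body[1:-1].split(" AND "):
        m = COMPARISON.match(term)
        if not m:
            raise ValueError(f"unsupported comparison: {term!r}")
        path, op, value = m.group(1), m.group(2), m.group(3).replace("\\'", "'")
        if path not in FIELD_MAP:
            raise ValueError(f"no mapping for object path {path}")
        triples.append((path, op, value))
    return triples


def to_native_query(triples, table="process_events"):
    """Compile the triples into a hypothetical SQL-like dialect, the way a
    translation module emits a product-native query. Quotes are escaped so a
    pattern value cannot break out of the literal."""
    ops = {"=": "=", "!=": "<>", "MATCHES": "REGEXP"}
    clauses = [f"{FIELD_MAP[p]} {ops[o]} '{v.replace(chr(39), chr(39) * 2)}'" for p, o, v in triples]
    return f"SELECT * FROM {table} WHERE " + " AND ".join(clauses)


def _matches(event, triples):
    for path, op, value in triples:
        actual = str(event.get(FIELD_MAP[path], ""))
        if op == "=" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
        if op == "MATCHES" and re.search(value, actual) is None:
            return False
    return True


def run_native(triples, events):
    """Stand-in for the data source executing the native query."""
    return [e for e in events if _matches(e, triples)]


def to_stix_bundle(events):
    """Convert raw hits back into STIX 2.1: a file SCO for the image, a process
    SCO referencing it, and one observed-data object referencing all of them.
    (In 2.1 the process object has no 'name'; the image name lives on a file.)"""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    objects = []
    for e in events:
        image = {"type": "file", "spec_version": "2.1", "id": f"file--{uuid.uuid4()}", "name": e["name"]}
        proc = {"type": "process", "spec_version": "2.1", "id": f"process--{uuid.uuid4()}",
                "pid": e["pid"], "command_line": e["command_line"], "image_ref": image["id"]}
        objects += [image, proc]
    observed = {"type": "observed-data", "spec_version": "2.1", "id": f"observed-data--{uuid.uuid4()}",
                "created": now, "modified": now, "first_observed": now, "last_observed": now,
                "number_observed": 1, "object_refs": [o["id"] for o in objects]}
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [observed] + objects}


def hunt(pattern, events=SAMPLE_EVENTS):
    """The whole GET step as a Kestrel-style hunt would run it:
    STIX pattern -> native query -> execute -> STIX bundle."""
    triples = parse_pattern(pattern)
    return to_native_query(triples), to_stix_bundle(run_native(triples, events))


if __name__ == "__main__":
    query, bundle = hunt("[process:image_ref.name = 'powershell.exe' AND process:command_line MATCHES '-enc ']")
    print(query)
    for obj in bundle["objects"]:
        if obj["type"] == "process":
            print(obj["pid"], obj["command_line"])
```

The value of the pattern layer is that the same bracketed expression works unchanged against any data source for which a mapping exists; the cost is that every product needs its own mapping and its own escaping rules, which is exactly the integration work these projects centralize.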
There are many initiatives and ready-to-use components that make security in the era of multi-cloud and hybrid cloud less complex and more open. However, security is still locked into a 'tools-driven' mindset. Here are some suggestions for moving to a more open and interoperable security culture.
- Security is not about how many tools you have, but about how many of them are put to their best use. Evaluate your tool chain today and keep the ones that can collaboratively produce useful insights.
- Open threat intelligence is the new threat intelligence feed. It leverages the power of the entire cybersecurity community to help stop the majority of unknown malware and to correlate events across the broadest set of threat intelligence. Threat hunting languages such as Kestrel let analysts focus on what to hunt for and reduce the dependency on scarce threat hunter skills.
- Leverage open security standards, control libraries and security plans to freely exchange the means of translating compliance requirements into easily consumable technical controls. Customization effort is then limited to industry-specific and domain-specific compliance.
- Review the enterprise security architecture to provide for standardized architecture and application security best practices. This will enable organizations to take the best from open information exchanges such as STIX-shifter and the OpenDXL Ontology.
The more fragmented our approach to security problems, the farther we will be from the real threats. It's time to embrace OPEN and UNITED approaches to CLOSE and TIGHTEN the security risks.
Posted By: Lekshmi Nair