5 Ways Your Security Tools Are Failing You

By Paul Kaspian ·

In this guest post from IBM, Paul Kaspian, Senior Product Marketing Manager, joins us for a look at a few ways the complex, disparate and dated security tools we're using may be failing us.

We have witnessed a dramatic shift in the nature of enterprise security in the last 10 years. The individuals who are attacking our networks are no longer curious college students, but highly sophisticated professionals working within well-organized teams. The sheer number of vulnerabilities has continued to remain a major challenge, while the attacks exploiting these vulnerabilities are constantly changing in order to circumvent security measures.

Over the years, we have encountered “the next big threat” seemingly every year and raced to put additional security protections and technologies in place to combat it. The end result is a complex set of disparate and dated tools which might not be up to the task at hand. Let’s take a look at a few ways the infrastructures we have created may be failing us.

The technologies in your environment are too static.
One of the shifts that has taken place is the rapid mutation of attacks and attack techniques. As a result, many traditional “static” security protections such as signature-based antivirus and IPS have failed to keep pace. The amount of time needed to sufficiently research a new attack, write and test a signature, and then deploy that signature is an overhead that we can’t afford. We need technologies that are not only rapidly updated, but are capable of stopping attacks never seen before. We are starting to see the emergence of behavioral-based technologies that are more effective with minimal false positives. These types of technologies should be slowly replacing your traditional static methods in the areas of intrusion prevention and anti-malware.

Your infrastructure is poorly integrated.
In our efforts to keep up with the next big thing in security, we have created an infrastructure that consists of dozens of point solutions from many different vendors. Vendor diversity can be a good thing for your security posture, but many of us have created a problem I refer to as “security sprawl” where our security infrastructure has outpaced our ability to successfully integrate it and utilize it effectively. It is critical that we effectively integrate various technologies in our security arsenal in order to have a fighting chance of detecting multi-faceted threats such as APTs. It is also a critical component in allowing us to sufficiently manage our own security given a finite amount of resources. Organizations today should be looking for integration points between their different security protections to make them more effective and manageable.

You lack actionable intelligence and information.
The problem of poor integration also creates another inherent problem. The data being generated from the totality of our different security tools is overwhelming. Security has truly become a problem of Big Data. The sheer number of events and data being generated from our firewalls, IPS sensors, etc. would take a dedicated team of people to have any hope of keeping up (with debatable results). If you can’t understand what your security tools are telling you or what to focus on, you can’t take action. We need a way to boil all of our security data down to the events that really matter. This way we can actually take action to improve our security and make adjustments and improvements as needed. The focus here should be creating higher level “dashboarding” that can provide you with meaningful information.

You are unable to measure your security effectiveness.
You’ve spent hundreds of thousands or even millions of dollars over the last several years beefing up your security posture. Everyone on your team has been trained, certified and everything is actively deployed. How effective are these tools? Has your security gotten better or worse? What gaps do you have in your current security posture? How do you measure security effectiveness?

Unfortunately, many tools you are using may be providing you with a false sense of security. Just because a particular tool is not alerting at the moment doesn’t mean that you are not under attack. It is critical that you continue to audit your security posture both internally and externally using third-party penetration testing. This should be an ongoing process to ensure your tools and technologies are really doing what you intended them to do.

Your tools do not support an emergency response plan.
In terms of security best practices, having a sound emergency response plan is a must have. A good emergency response plan should clearly outline the steps that will be taken in the event of a security breach. In addition to this plan, your security tools should support you with the right amount of data and forensics capabilities. This goes back to the idea of having “actionable” data. In this case, that means detailed intelligence on what exactly happened, what data was accessed, whether or not that data was exfiltrated, and so on. Even if your emergency response plan includes the help of a third-party, internal tools and technologies should support your own investigation and also provide your third-party vendor with a head start on the forensics and investigation they will perform for you.

We know security will continue to change and our approaches as security professionals will require continual change to meet future challenges. This requires both short-term planning and response and long-term planning and strategic investment. Many times this will require us to reinvent our approach to ensure we are prepared for threats we are encountering today, as well as threats in the future.