I published an article today on the Oracle Cloud Security blog that takes a look at how approaches to information security must adapt to address the needs of the future state (of IT). For some organizations, it's really the current state. But, I like the term future state because it's inclusive of more than just cloud or hybrid cloud. It's the universe of Information Technology the way it will be in 5-10 years. It includes the changes in user behavior, infrastructure, IT buying, regulations, business evolution, consumerization, and many other factors that are all evolving simultaneously.
As we move toward that new world, our approach to security must adapt. Humans chasing down anomalies by searching through logs is an approach that will not scale and will not suffice.
Here's an excerpt:
If you never change tactics, you lose
the moment the enemy changes theirs
While chasing down a domestic terrorist, FBI Agent Will Brody found himself in an unfamiliar and dangerous environment. (Brody is the protagonist in Marcus Sakey's 2017 novel Afterlife.) To survive in its perilous conditions, its residents commit to two simple rules: (1) pull your own weight and (2) only kill in self-defense. These rules have kept them safe from the obvious imminent threats around them for decades. But Brody sees a change happening in the environment that others don't yet see and warns his new community: "If you never change tactics, you lose the moment the enemy changes theirs." His mantra becomes "New World, New Rules." In other words, you must adapt to changing threats or face the consequences.
As Information Security professionals, we find ourselves in a similar situation. Our environment is transforming rapidly. The assets we're protecting today look very different than they did just a few years ago. In addition to owned data centers, our workloads are being spread across multiple cloud platforms and services. Users are more mobile than ever. And we don’t have control over the networks, devices, or applications where our data is being accessed. It’s a vastly distributed environment where there’s no single, connected, and controlled network. Line-of-Business managers purchase compute power and SaaS applications with minimal initial investment and no oversight. And end-users access company data via consumer-oriented services from their personal devices. It's grown increasingly difficult to tell where company data resides, who is using it, and ultimately where new risks are emerging. This transformation is on-going and the threats we’re facing are morphing and evolving to take advantage of the inherent lack of visibility.
Organizations are in varying stages of migration toward this future state of IT where we have massive distribution and where visibility is elusive. But we all seem to be moving in the same direction. So, we simply can't live by the same old rules. We can’t rely on old security techniques. New World, New Rules.
The old SIEM approach won't suffice
in the future state.
Traditionally, security professionals have relied heavily on SIEM (Security Information and Event Management) solutions to track activity in their environments. The SIEMs resided somewhere on the network and collected logs and event information from other network-connected systems and devices. SIEMs measured themselves by their ability to ingest data from anything and everything on the network. But SIEM users have struggled to translate that event data into actionable intelligence. In many cases, because of the enormous quantity of event data and the inability to parse it quickly and efficiently, SIEM solutions became forensic tools; used after-the-fact to research what may have happened after a breach was detected. The old SIEM approach won't suffice in the future state.
Although many organizations report struggling with the complexity and cost of SIEM solutions, the SIEM market continues to expand. This is because the need for visibility has only grown more urgent with increasing regulations and more aggressive and sophisticated attack techniques. But you want more. Traditional SIEM approaches aren't enough. There simply aren't enough hands-on-deck to rely on manual processes for investigating event data or identifying on-going attacks.
The technologies that have exacerbated the
problem can also be used to address it
Here's the good news: The technologies that have exacerbated the problem can also be used to address it. On-premises SIEM solutions based on appliance technology may not have the reach required to address today's IT landscape. But, an integrated SIEM+UEBA designed from the ground up to run as a cloud service and to address the massively distributed hybrid cloud environment can leverage technologies like machine learning and threat intelligence to provide the visibility and intelligence that is so urgently needed.
Machine Learning (ML) mitigates the complexity of understanding what's actually happening and of sifting through massive amounts of activity that may otherwise appear to humans as normal. Modern attacks leverage distributed compute power and ML-based intelligence. So, countering those attacks requires a security solution with equal amounts of intelligence and compute power. As Larry Ellison recently said, "It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers."
But to effectively secure the future state, you need more than a SIEM designed for cloud. Here are a few other innovations that we should demand from our security platform:
- Application Topology Awareness: Detect multi-tier application attacks and lateral movement indicators. Alert application owners not server administrators.
- Threat Stage Awareness: Map potential and in-progress threats to well understood attack stages to provide better contextual data on how to respond. See developing threats before they happen.
- Data-Deep Visibility: Detect data access anomalies for any user, database or application.
- Broad Data Capture: Don't rely solely on security logs. Leverage operational logs, threat feeds, embedded reputation data, and more.
- User Attribution: Report the identity even if the user context is missing via composite identity awareness and rich user baselines.
- Configuration Change Awareness: Inject configuration drift context into threat detection.
- Orchestration: Respond to threats immediately and with precision via REST, scripts, or 3rd party automation frameworks.
Obviously, we're writing about this for a reason. These features are built into Oracle's Security Monitoring and Analytics service (SMA). When we say that our SIEM was designed from the ground up for cloud, we're not just talking about the product architecture. We're talking about its features and functionality. It was designed to address the complexity and peril of distributed cloud environments. It was designed to secure the future state; to be the new rules for the new world.
SMA is built on Oracle’s unified platform for future-state security that also includes Identity, CASB, and Configuration Compliance. It was built 100% in the cloud to address the security needs of hybrid, multi-cloud environments. Traditional SIEMs lack Identity, CASB, and Configuration Compliance functions. And they typically only layer UEBA on top of their legacy SIEM architecture. They lack advanced features like data-deep visibility, user attribution, orchestration, and awareness of threat stages and application topology. Leveraging these innovations, Oracle's approach enables shorter investigations and faster response times while accommodating for all the complexity of the future state.
Oracle simplifies management and
security for the future state.
And, to top it off, Oracle's security services are built on Oracle Management Cloud which, in addition to security, provides a single pane of glass for IT monitoring, management, and analytics. Oracle simplifies management and security for the future state, reducing cost and effort, and providing richer intelligence across increasingly complex environments.
Learn more about how Oracle is addressing these security concerns and incorporating machine learning into adaptive intelligence by reading our whitepaper, "Machine Learning-Based Adaptive Intelligence: The Future of Cybersecurity."