Many solutions are capable of identifying potential threats and establishing relative severity, however they are often limited to a single source of knowledge, which means IT has to manually investigate each individual event, policy violation or otherwise suspicious activity. Not only is this process time consuming, it is also costly and prone to human error in the face of the high volume today’s complex threats.
As a result, enterprises are supplementing traditional anti-virus (AV), intrusion detection/prevention (IDS/IPS), and security information and event management (SIEM) systems with advanced malware detection (AMD) platforms, threat intelligence feeds, and even “big-data-for-security” solutions. While these products are effective at detecting suspicious activities and threats, they’re often limited in their ability to prevent what they find from having an impact. Typical shortcomings include having insufficient context, limited enforcement capabilities, and/or lack of coverage.
Insufficient context. Existing solutions are often limited to a single source of information, dependent on an individual event, policy violation or otherwise suspicious activity. In such cases, there often isn’t enough contextual information to verify a threat or to elevate the potential threat to a higher priority.
Limited enforcement capabilities. Many threat detection solutions are designed to only discover threats, making them passive by design. Those that may have detection and prevention capabilities are often deployed in ‘tap’ or ‘span’ mode to minimize network architecture changes or the impact on network performance, effectively removing them from inline protection against detected threats. Therefore, any containment or remediation steps require a time consuming, manual process.
Lack of coverage. Even if a solution has sufficient context and the ability to enact an appropriate response, a third limitation involves the scope of that response. Can the solution enforce containment on more than one device type or across multiple locations? How much manual intervention is needed by the security team to re-configure hundreds of firewalls and proxies in a multi-vendor, geographically diverse network environment?
In addition to solution limitations, IT security teams have to be thoroughly trained to work with a complex security environment, which means workflow needs to be distributed properly for the best outcome.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.