Pervasive security improves on defense in depth by layering security according to risk and assigning it specifically to each critical point of your system. In this tip, you will learn how pervasive security adds depth, and breadth, to security systems.
The idea of layered security -- defense in depth -- is old and incomplete. Pervasive security takes that idea and expands it. The notion pushes IT to not just have several layers of defense but to layer them according to risk. It then builds on that strategy by placing security around each critical system and data repository and across each critical network nexus.
Pervasive security monitoring yields data
With so many layers of security in place, you get pervasive security monitoring data. And boy, do you ever get a lot! So much so that you strain the seams of (if you've been keeping up already) your SIEM and IDS/IPS tools. And if you haven't been keeping up, you're already ignoring mountains of security logging data. Now you have a whole new range of mountains you'll be ignoring.
More importantly, you strain the capabilities of these tools. You need these systems to sift through the chaff of security logs to uncover the wheat of actual threats, a function they perform exceedingly well. Then, you need your SIEM and IDS/IPS platforms to help you make bread out of the wheat: turn detection of events into actionable intelligence. Here, these traditional tools are increasingly less helpful. As threats multiply and become multichannel, and as security systems proliferate, SIEM and IDS/IPS products begin to lose the race: To get what you need, you either focus them too narrowly to reduce the overall load or scale them to the point where they are no longer affordable.
The solution? You need defense intelligence in depth to go with your defense in depth, which creates pervasive security. To deal with the enormous increase in data flowing into your security monitoring platforms, you need to practice layered defense analysis by adding systems (or capabilities) to the mix. Two crucial ones are advanced security analytics (ASA) and user behavior analytics (UBA).
ASA and UBA
ASA systems sit directly on top of existing log management and SIEM systems to provide an additional layer of analysis to the stream of alerts and alarms those systems raise. They are focused solely on navigating through these streams of data to provide IT with actionable knowledge about the possible attacks that are of the most concern. ASA is essentially the marriage of big data analytics techniques to the security data set. While many large organizations began doing this using homegrown tools, commercial offerings are now coming to market.
UBA systems are a specialized subset of ASA tools. They focus exclusively on users' behavior patterns and flag changes deemed suspicious. They can, for example, understand why an accountant might be furiously accessing client data at midnight during the last week of the fiscal year, but will flag similar behavior as questionable if it happens on a Saturday in the middle of a quarter. "User" in this context can include not just humans but also systems that engage in machine-to-machine interactions. This latter aspect can be hugely important in a data center undergoing a transformation to a services- or microservices-oriented architecture. In an SOA or microservices environment, systems talk to each other far more frequently than they used to, which can make it very challenging for a person to spot anomalies in the pattern of communication. UBA tools can see these things clearly.
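The accountant scenario above, reduced to a toy baseline-driven scorer as an added illustration; this is not code from the article or from any UBA product. It assumes a fiscal year ending 31 December, a constructed access history for one user, and its own function names; the same scoring applies unchanged to a service account, since the "user" is just an identity string.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption (not from the article): fiscal year ends 31 December, so the
# year-end crunch context is the last seven days of December.
def context_of(ts: datetime) -> str:
    if ts.month == 12 and ts.day >= 25:
        return "year_end"
    return "weekend" if ts.weekday() >= 5 else "weekday"

def hour_bucket(ts: datetime) -> str:
    if 8 <= ts.hour < 18:
        return "business"
    return "night" if ts.hour < 6 or ts.hour >= 22 else "off_hours"

def build_baseline(history):
    """history: iterable of (user, datetime, resource).
    Returns per-user counts of how often each (context, hour bucket) was seen."""
    baseline = defaultdict(Counter)
    for user, ts, _resource in history:
        baseline[user][(context_of(ts), hour_bucket(ts))] += 1
    return baseline

def score_event(baseline, user, ts, min_seen=3):
    """Flag an access when this identity has rarely (< min_seen times)
    been active in the same context and hour bucket before."""
    key = (context_of(ts), hour_bucket(ts))
    seen = baseline[user][key]
    total = sum(baseline[user].values())
    if total == 0:
        return {"user": user, "key": key, "verdict": "unknown_user"}
    verdict = "expected" if seen >= min_seen else "anomalous"
    return {"user": user, "key": key, "seen": seen,
            "share": round(seen / total, 3), "verdict": verdict}

# Constructed history for one accountant: weekday daytime work through the year,
# plus five late-night sessions during the final week of the previous December.
HISTORY = []
_d = datetime(2023, 1, 2, 9, 0)
while _d < datetime(2023, 12, 24):
    if _d.weekday() < 5:
        HISTORY.append(("asmith", _d, "clients.db"))
    _d += timedelta(days=1)
for _day in range(26, 31):
    HISTORY.append(("asmith", datetime(2023, 12, _day, 0, 30), "clients.db"))

BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    # Year-end midnight access is expected; a Saturday in May at the same hour is not.
    for ts in (datetime(2024, 12, 27, 0, 30), datetime(2024, 5, 11, 0, 30)):
        print(score_event(BASELINE, "asmith", ts))
```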
By stepping up the monitoring toolset to use layers of analysis to add new levels of intelligence to the automated parsing of security data, IT can again keep up with the flood of data created by adopting risk-driven pervasive protection.