The Six Tenets of Integrated Threat Defence

Source : Cisco

Detection and Response Framework

This “detection and response” framework will make possible a faster response to both known and emerging threats. At the core of this new architecture will be a visibility platform that delivers full contextual awareness and is continuously updated to assess threats, correlate local and global intelligence, and optimize defences. The intent of this platform is to build a foundation that all vendors can operate on and contribute to. With visibility, there is more control, which leads to better protection across more threat vectors and the ability to thwart more attacks.

Richer Network and Security Architecture

A richer network and security architecture is needed to address the growing volume and sophistication of threat actorsThe traditional model for security has been “See a problem, buy a box.”But these solutions, often a collection of technologies from many different security vendors, don’t talk to each other in any meaningful way. They produce information and intelligence about security events, which are integrated into an event platform and then analysed by security personnel

An integrated threat defence architecture is a detection and response framework that offers more capabilities and supports faster threat responses by collecting more information from deployed infrastructure in an automated, efficient manner. The framework observes the security environment more intelligently. Instead of just alerting security teams to suspicious events and policy violations, it can paint a clear picture of the network and what’s happening on it to help inform better decision-making around security.

Integrated Threat Defence Architecture

Threat Landscape

Best-in-class technology alone cannot deal with the current—or future—threat landscape; it just adds to the complexity of the networked environment

Organizations invest in “best in class” security technologies, but how do they know if those solutions are really working? The headlines about major security breaches over the past year are evidence that many security technologies aren’t working well. And when they fail, they fail badly.

A proliferation of security vendors offering best-in class solutions doesn’t help to improve the security environment unless those vendors offer radically different not just slightly different solutions from those of their competitors. But today, there are no stark differences in many offerings from leading vendors in most core areas of security.

Encrypted Malicious ActivityMore encrypted traffic will require an integrated threat defence that can converge on encrypted malicious activity that renders particular point products ineffective

There are good reasons for using encryption, of course, but encryption also makes it challenging for security teams to track threats.

The answer to the encryption “problem” is to have more visibility into what’s happening on devices or networks. Integrated security platforms can help to provide this.

Open APIs

Multivendor environments need a common platform that provides greater visibility, context, and control. Building a front-end integration platform can support better automation and bring better awareness into the security products themselves.

One Platform

An integrated threat defence architecture requires less gear and software to install and manage.

Security vendors should strive to offer platforms that are as feature-rich as possible and that offer extensive functionality on one platform. This will help to reduce the complexity and fragmentation in the security environment that create too many opportunities for easy access and concealment for adversaries.

Automation and Coordination

The automation and coordination aspects of an integrated threat defence help to reduce time to detection, containment, and remediation

Reducing false positives helps security teams focus on what matters most. Contextualization supports a frontline analysis of events underway, helps teams assess whether those events require immediate attention, and can ultimately produce automated responses and deeper analytics