No matter how secure you think your messages, transactions and stored data are, they can still be hijacked. You just don’t know how or when yet.
Enterprise security has become far more difficult to achieve. Cybercrime is growing at the same pace and sophistication as the evolving technologies of digital business, including the undisclosed software (“zero-day”) vulnerabilities in systems, applications, data and networks that attackers love to exploit. New types of infiltration are driving the need to observe all kinds of behavior in order to detect subtle patterns, not just obvious threats. And in this rapidly changing world of digital business being transacted between multiple parties over multiple networks, it is becoming increasingly difficult to understand risk profiles without established analytical models and machine learning that leverage artificial intelligence to discern and mitigate threats more quickly.
All of these forces, together with more frequent cyberattacks, make threats harder to detect and harder to adjust and react to. Often manual, piecemeal tactics are applied in an effort to react to “surprise” vulnerabilities, making security more complex. The bottom line is that the level of security intelligence required today to capture the increasing volume and variety of security information goes well beyond the capabilities of yesterday’s IT infrastructures.
Today’s demand to handle billions of alerts from millions of security information collection points in a dynamically and rapidly changing environment requires a new class of digital security analytics that offer greater sophistication in security intelligence, and exceed the capabilities of legacy IT and security infrastructures. These challenges include:
- Poor visibility into edge activity limits the types of security data that can be collected.
- Analyses and reaction times to geographically dispersed threats can be delayed by backhauling traffic to centralized security analytics, increasing the likelihood of significant damage.
- Building the infrastructure required to conduct large-scale, deep data analytics can surpass today’s security organizations’ skillsets, given the rapid technology changes in this problem area.
- Building analytics in a single cloud is insufficient. Analytics must be built out across mobile and business ecosystems. Otherwise, it’s like locking only a single room in a house and expecting everything to be protected.
- Different geographic regions have different threat vectors, regulations and profiles that require different tools, analyses and responses. Not all SIEM solutions fit all requirements.
- Defense in depth requires end-to-end security analytics at all levels of the environment you’re trying to protect. However, these solutions are often siloed and not integrated, which means that companies cannot always catch the subtle and complex behaviors that represent looming threats. This can result in interrelated alerts being reported separately, with no connection made as to their combined significance.
Moving security analytics and logging to the digital edge
Many organizations have moved IT infrastructure and security controls and analytics to the edge via an Interconnection Oriented Architecture™ (IOA™) strategy. An IOA framework leverages proximity between and among security controls and the users, data, applications and SaaS, cloud and network services they monitor. Specifically, the strategy allows you to place your private colocated, cloud-based, or SaaS security analytics closer to the data that is being collected within security inspection zones.
When you place analytics at the edge, between clouds in the inspection zone, it becomes easier to receive alerts about any flow that traverses the boundary control and inspection zone from all directions. Further, the approach allows you to keep much of your deep packet inspection and analysis capabilities local, via the cloud, eliminating the need to backhaul security analytics data over long distances. This slashes security analysis latency, improving response time for threat identification and remediation.
The strategy also incrementally improves your inspection capabilities through all levels of the OSI stack while applying evolving models and analytical intelligence. At the same time, you can tailor each security edge point to spot relevant local threat vectors and regulations, and render the enormous volume of information to be analyzed. This is a much more manageable approach to handling a massive influx of security data and avoiding alert fatigue and high-risk breaches.
Deploying an edge-based security analytics and logging strategy
When you implement the steps described in the IOA Security Analytics and Logging design pattern, you use direct, high-bandwidth, low-latency interconnections to access and scale security ecosystem (e.g., cloud, SaaS) analytics solutions. You can also manage and move large volumes of data faster, while observing all localized interactions between all parties in a distributed and scalable manner.
More importantly, you gain the ability to:
- Provide real-time risk position and trend analysis as decision support for your security roadmap backed by data, and stop investing in ineffective practices.
- Act on, or respond to, the delivered insights more quickly to avoid a significant data breach or intrusion.
- Observe all kinds of behavior to detect subtle pattern shifts, not just obvious threats.
- Spot zero-day vulnerabilities and close the gaps before hackers can exploit them.
The IOA Security Analytics and Logging design pattern (see diagram below) lays out the following step-by-step process for edge-based analytics.
Security Analytics and Logging
- Plan where your data will be aggregated and how it will be accessed.
- Inventory your real-time event processing and data sources/logs (e.g., boundary, inspection, end-point) currently available or planned.
- For each of the network segmentation classes of traffic, plan out the initial behavioral analytics models and the process for tuning them.
- Apply hybrid (on-premises and cloud) infrastructure security services in the isolated, closed-circuit environment using boundary controls, and do not allow logging repositories to be changed. They should be immutable, and false logs should not be entered either.
- Observe the known “good” state to learn normal behavior for anomaly detection.
- Run your own penetration, vulnerability and behavioral tests to tune the models.
- Integrate security policy enforcement for real-time response to attacks.
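As an added illustration of the immutable-logging step above (example code written here, not part of the IOA pattern or any Equinix tooling), a hash-chained append-only log whose verify() reports the first entry that was altered after the fact or forged and slipped into the middle; the events are constructed sample data.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # anchor hash for the first entry

def _entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AppendOnlyLog:
    """Hash-chained log: each entry commits to the previous entry's hash."""
    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = dict(record)  # store a copy so callers cannot mutate it later
        h = _entry_hash(prev, rec)
        self.entries.append({"record": rec, "prev": prev, "hash": h})
        return h

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "src": "10.0.0.5", "action": "login", "ok": True},
    {"ts": "2024-01-01T00:00:07Z", "src": "10.0.0.5", "action": "read", "ok": True},
    {"ts": "2024-01-01T00:00:09Z", "src": "10.0.0.9", "action": "login", "ok": False},
]

def tampered_index(edit_ok: bool, insert_forged: bool) -> Optional[int]:
    """Simulate after-the-fact tampering and return the entry verify() flags."""
    log = AppendOnlyLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    if edit_ok:  # rewrite the failed login as a success
        log.entries[2]["record"]["ok"] = True
    if insert_forged:  # slip a self-consistent forged entry in before index 2
        forged, prev = {"ts": "2024-01-01T00:00:08Z", "action": "noop"}, log.entries[1]["hash"]
        log.entries.insert(2, {"record": forged, "prev": prev, "hash": _entry_hash(prev, forged)})
    return log.verify()
```

In a real deployment the latest chain hash would be anchored outside the repository (for example, published to a separate store or signed), since a tamperer who can rewrite every entry can also rebuild the whole chain.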
Learn more about these and additional procedures by visiting the IOA Knowledge Base, where you can find vendor-neutral blueprints that take you step-by-step through the right patterns for your architecture.
This approach allows security and risk management to be enablers of digital business, not barriers or detractors, and offers the following benefits:
- Your business’s security position will be more visible and better understood, as it is observable and policy-controlled with machine learning.
- Capacity issues are buffered by expansion into cloud services and can in the future be mitigated in real time, as models and policies learn that behavior.
- You can achieve an optimal mix of real-time event processing and situational analysis.
- Skillsets and innovation can be easily sourced from an ecosystem of various security services.
- New business models and cloud services can be activated and updated seamlessly with full protection. SaaS solutions enable faster data logging, processing, analysis and insights into trends and immediate threats on a global and regional basis.
As previously stated, the environment is constantly changing and this architecture embraces change since all the traffic comes back through the control points.
Read the IOA Playbook, and start securing your digital business from the data center out to the digital edge.
If you’re ready to begin architecting for the digital edge now, contact an Equinix Global Solutions Architect.