
Security Tools, Assemble!

Hanna Mathai

By Majid Ahmed Khan, Director – Architecture & Platforms, MSS


In the world of cybersecurity, we often talk about the increasing complexity of attacks on enterprises and critical infrastructure. There are various ways we, as cybersecurity professionals, recommend tackling these complex and motivated threat actors. One of them is getting our technologies to talk to each other and so raise the level of our security implementations.

In this post, let's discuss the importance of integrating different security technologies to get more value from our investment and enhance the overall security posture.

I would like to do this by drawing an analogy to superheroes – like I always do! The security technologies deployed in our environments are like superheroes, each with a superpower to prevent, detect or respond to a particular type of attack – the WAF protecting the web applications, the web security proxy watching outbound traffic and stopping malware from coming in, endpoint security protecting our endpoints, and so on.

Working in their silos, they do their much-needed job, i.e., protecting our infrastructure. However, when the enemy is advanced and powerful, we have seen the need for superheroes to come together and save humanity (remember the Avengers).

Maybe I have taken the analogy a bit far, but in order to prevent complex attacks when time is of the essence, we need the "superheroes" in our infrastructure (AKA security technologies) to talk to each other and share the outcomes of their detections with other technologies, so that each can better use its superpower, i.e., its capability to detect and stop or contain the attack.

These integrations can be achieved either by integrating the technologies directly using their APIs, or by placing a separate integration layer in between, such as SOAR (Security Orchestration, Automation and Response).

I would like to share one effective example of an integration we have built using EDR (Endpoint Detection and Response), a sandbox, SIEM, a TIP (Threat Intelligence Platform) and other security technologies:

  1. We set up a rule on the EDR so that whenever it notices an unknown binary being executed on any machine, it pushes the file to the sandbox technology for detonation.
  2. The sandbox detonates the file and pushes the verdict back to the EDR solution.
  3. The EDR records the verdict in its database for future reference; over time we build up a reputation for each and every binary in the environment.
  4. If the sandbox verdict was bad or risky, the EDR stops execution of those binaries and also pushes a notification to the SIEM solution.
  5. The SIEM triggers an alert notifying the analyst about this detection.
  6. The bad-reputation verdict is also automatically pushed to the TIP and added as a high-confidence IoC.
  7. Once on the TIP, the IoC can be distributed to any technology integrated with the TIP in that environment, such as a firewall or proxy.
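To make the loop concrete, here is an added example (not Help AG's code, nor any vendor's API) that models the orchestration glue for steps 1 to 7 in Python: an in-memory reputation store keyed by SHA-256 so a binary is detonated only once, a blocking decision per execution attempt, a SIEM alert per blocked attempt, and a deduplicated high-confidence IoC list that a TIP would hand to firewalls and proxies. The sandbox is a constructed stand-in (`fake_sandbox`) that keys on a marker string; a real sandbox verdict would come from detonation.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List


def fake_sandbox(content: bytes) -> str:
    """Constructed sandbox stand-in: a real one returns a verdict from detonation."""
    return "malicious" if b"CONSTRUCTED_MALWARE_MARKER" in content else "benign"


@dataclass
class Orchestrator:
    """Glue logic for the EDR -> sandbox -> SIEM -> TIP loop (hypothetical, for illustration)."""
    sandbox: Callable[[bytes], str]
    reputation: Dict[str, str] = field(default_factory=dict)   # sha256 -> verdict (step 3)
    siem_alerts: List[dict] = field(default_factory=list)       # one entry per blocked attempt (step 5)
    tip_iocs: Dict[str, dict] = field(default_factory=dict)     # sha256 -> IoC record (step 6)
    sandbox_calls: int = 0                                      # shows the reputation cache working

    def handle_execution(self, host: str, path: str, content: bytes) -> str:
        """Called for every binary the EDR sees executing; returns the EDR action."""
        digest = hashlib.sha256(content).hexdigest()
        verdict = self.reputation.get(digest)
        if verdict is None:
            # Unknown binary: push to sandbox and cache the verdict (steps 1-3)
            self.sandbox_calls += 1
            verdict = self.sandbox(content)
            self.reputation[digest] = verdict
        if verdict != "malicious":
            return "allow"
        # Bad verdict: block, notify the SIEM, publish a high-confidence IoC once (steps 4-6)
        self.siem_alerts.append({"host": host, "path": path, "sha256": digest, "action": "block"})
        self.tip_iocs.setdefault(digest, {"type": "sha256", "confidence": "high", "source": "sandbox"})
        return "block"

    def export_blocklist(self) -> List[str]:
        """Hashes the TIP distributes to firewall/proxy integrations (step 7)."""
        return sorted(self.tip_iocs)
```

The second execution of a known-bad hash is blocked and alerted without another detonation, which is the "reputation of each and every binary" the third step describes.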

While it is a bit complex to set all this up, once you have done it you will realize that all of the steps above run exactly as planned, with zero human intervention.

All progressive security vendors understand the need for integrations, which is why you will notice that exposing APIs for other technologies to integrate with is an essential feature for most vendors today – yet we still often fail to make use of these capabilities. This is where we at Help AG can help our customers.

At Help AG, whenever we are speaking to a potential new vendor to partner with, one of our important evaluation criteria is to understand what kind of APIs and integrations the technology supports, and how well it will integrate with the other technologies in an enterprise's overall cybersecurity ecosystem.

To summarize, we need to work towards getting the full potential out of our security investment by integrating the technologies of different security vendors. This could be sharing intelligence, blocking an identified bad file, or deleting an already delivered email – the possibilities are limitless!
Or you could simply sign up for Help AG's services to do this for you!
