Why Converged Security matters: when you add 2-and-2, do you get 4 or 3?

In my previous blog I talked about why Converged Security matters and described four use cases we advise customers to focus on. Today I want to talk about one of these use cases: Augmented Cyber Operations.

If you have ever participated in a sport involving some level of physical contact – let’s say basketball, lacrosse, rugby or football – you surely have sustained an injury or know someone who has. Imagine that after twisting your ankle, instead of heading over to the nearest emergency department you had to go to one hospital to get admitted, then another to get an X-ray, then another to get your ankle in a brace and finally another to get a pair of crutches. Would you feel comfortable about the effectiveness of your treatment?

You might be wondering at this point what this has to do with Converged Security. Consider the following scenario:

The application service account of your production CRM system has been hijacked and is now being used to access and exfiltrate your entire customer database. As a result, CPU and memory utilization on the database server spike, and a user calls the help desk complaining about the slow application. This is our "injury." What typically follows, all at the same time, is this:

  • The IT Ops team opens a bridge call and domain experts try to troubleshoot a performance problem
  • IT Security tries to figure out why and how someone is accessing the database from a never-before-seen location
  • Network Ops, in a third operational silo, has detected traffic spikes as gigabytes of data leave the company and is wondering what might be causing this

The result is an uncoordinated effort to fix what is really one issue, creating overlap and waste. Worse, nobody sees the forest for the trees: each team is looking at one piece of the puzzle (a slow application, an odd login, an egress spike), so the actual incident, a data breach in progress, can be missed altogether.

Augmented Cyber Operations can help you avoid these situations.

[Image: Picture2.png]

If you think about it, the NOC and the SOC do very similar things. They monitor the environment, they detect issues and they fix them. In theory, they are perfect candidates for collaboration. Yet the reality is that in many enterprises these are two distinct functional silos. This means that your typical IT environment has two of everything: two discovery tools, two monitoring platforms, two event consoles, two incident processes, and so on. This results in over-investment in tooling, skills, support costs, process engineering and more. Bringing the two functions together eliminates these duplications. More importantly, it delivers two further benefits:

  1. Economies of scale: it is a more scalable model to train your IT Ops staff to also handle security events (with escalation to security specialists for the hard cases) than to run a fully separate team
  2. Better service delivery: with insight into both security and "traditional" IT events you can fix issues faster and provide better availability and reliability

Something simple you could do today, which does not require a massive investment, is to integrate your event consoles: enable data exchange between your security monitoring and IT monitoring platforms. Such integration exists out-of-the-box between HP Business Service Management and HP ArcSight Logger/SIEM. It allows you to query and correlate data between the two sources. Using the example above, you could now see whether CPU and memory spikes on a host coincide with suspicious access to the database on that same host, or vice versa. You could put 2-and-2 together and actually get four: ensure that suspicious events don't go undetected and that remediation is fast and to the point.
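To make the correlation concrete, here is an added example (not code from the original post, and not HP's BSM/ArcSight integration) that joins two constructed event feeds, one from an IT monitoring console and one from a security console, on a shared host key within a time window. Hostnames, account name, addresses, the 10-minute window and the 1 GB egress threshold are all assumed illustration values.

```python
"""Correlate IT-operations anomalies with security events on a shared host/time key.

Added example with constructed sample feeds; the feeds, hosts, account,
addresses and thresholds are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str            # "itops" (monitoring platform) or "siem" (security platform)
    host: str              # the correlation key: the asset both consoles report on
    kind: str              # e.g. "cpu_high", "auth_success", "egress_volume"
    detail: dict = field(default_factory=dict)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed baseline: source addresses the CRM service account has been seen from before.
KNOWN_SOURCES = {"svc_crm_app": {"10.20.0.15", "10.20.0.16"}}

# Assumed threshold for "unusually large" outbound transfer from a database host.
EGRESS_BYTES_THRESHOLD = 1_000_000_000

# Ops-side event kinds we treat as anomalies worth explaining.
ANOMALY_KINDS = {"cpu_high", "mem_high"}

# Constructed sample feeds (not real telemetry).
ITOPS_EVENTS = [
    Event(parse_ts("2013-06-11 10:02:00"), "itops", "crm-db-01", "cpu_high", {"pct": 97}),
    Event(parse_ts("2013-06-11 10:03:00"), "itops", "crm-db-01", "mem_high", {"pct": 91}),
    Event(parse_ts("2013-06-11 10:06:00"), "itops", "crm-web-01", "helpdesk_ticket", {"text": "CRM slow"}),
    Event(parse_ts("2013-06-11 14:30:00"), "itops", "build-02", "cpu_high", {"pct": 99}),  # unrelated batch job
]
SIEM_EVENTS = [
    Event(parse_ts("2013-06-11 08:00:00"), "siem", "crm-db-01", "auth_success",
          {"account": "svc_crm_app", "src_ip": "10.20.0.15"}),          # normal login, hours earlier
    Event(parse_ts("2013-06-11 09:58:00"), "siem", "crm-db-01", "auth_success",
          {"account": "svc_crm_app", "src_ip": "203.0.113.7"}),         # never-before-seen source
    Event(parse_ts("2013-06-11 10:01:00"), "siem", "crm-db-01", "egress_volume",
          {"bytes": 4_300_000_000, "dst_ip": "198.51.100.9"}),          # multi-GB outbound transfer
]


def is_suspicious(e: Event) -> bool:
    """Security-side enrichment: a known service account logging in from a source it has
    never used before, or an outbound transfer above the assumed threshold."""
    if e.kind == "auth_success":
        acct = e.detail.get("account")
        return acct in KNOWN_SOURCES and e.detail.get("src_ip") not in KNOWN_SOURCES[acct]
    if e.kind == "egress_volume":
        return e.detail.get("bytes", 0) >= EGRESS_BYTES_THRESHOLD
    return False


def correlate(itops: list[Event], siem: list[Event], window_minutes: int = 10) -> list[dict]:
    """Join the two feeds: for each ops anomaly, find suspicious security events on the
    same host within +/- window_minutes. Results are grouped per host, so the two
    consoles' views of one incident land on one bridge call instead of three."""
    window = timedelta(minutes=window_minutes)
    by_host: dict[str, dict] = {}
    for ops in itops:
        if ops.kind not in ANOMALY_KINDS:
            continue
        related = [s for s in siem
                   if s.host == ops.host and abs(s.ts - ops.ts) <= window and is_suspicious(s)]
        if not related:
            continue
        inc = by_host.setdefault(ops.host, {"host": ops.host, "ops_events": [],
                                            "security_events": set(), "accounts": set()})
        inc["ops_events"].append((ops.kind, ops.ts))
        inc["security_events"].update((s.kind, s.ts) for s in related)
        inc["accounts"].update(s.detail["account"] for s in related if "account" in s.detail)
    # Freeze sets into sorted lists so the output is deterministic and easy to ticket.
    return [{**inc, "security_events": sorted(inc["security_events"]),
             "accounts": sorted(inc["accounts"])} for inc in by_host.values()]


if __name__ == "__main__":
    for incident in correlate(ITOPS_EVENTS, SIEM_EVENTS):
        print(incident)
```

Two things decide whether a join like this works in practice: both consoles must name the asset the same way (a CMDB or discovery feed that both platforms use is the usual fix), and their clocks must be in sync, since the correlation is only as good as the timestamps; the unrelated `build-02` spike above drops out precisely because no security event shares its host and time.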

For more information on how to implement converged security, visit http://www.hp.com/go/convergedsecurity.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation