The Three Key Competencies that Optimize Data Security Orchestration
One of the principal benefits of a modern data-centric security fabric is being able to automatically apply security controls to the data itself and drive policy-compliant data handling by privileged users. But detecting a security incident is only the first part of the process. If your organization's response to anomalous behavior is inefficient, the automated detection competency you have painstakingly built loses its value quickly. In this post, we examine why manual change management is not sustainable in a world of automated incident detection, and why the move to automated security orchestration and event response has been slow. We also explain the three essential competencies an automated data security orchestration solution must provide to ensure optimized threat remediation.
The evolution from change management to security orchestration for incident remediation
Change management has been an elusive goal for data security programs from the outset, as organizations struggle to reconcile their change management processes with the events actually taking place in their data repositories. The challenge most organizations face when optimizing their orchestration process is eliminating bottlenecks in event-level workflow communications. Linking data with decision processes, communicating, and orchestrating security controls end-to-end to take remediation actions has historically been a manual process. Another challenge has been the constant struggle with database activity monitoring and logging tools that, more often than not, overwhelm SOCs with raw, low-value data rather than analytically processed information that would guide the response to anomalous events. Given the sheer size of today's data landscape, and that event remediation is an important governance process in which improper changes can have serious security and operational impacts, manual processes are no longer sustainable.
To ensure that automated, optimized security incident detection leads to the automated security incident response and remediation process you need, your solution must provide these three competencies:
Gain critical access to data flows from key activity domains
To perform the analysis and interpretation required to automate preventive action and rapid remediation of security threats, your solution must give security architects, security team leads, and CISOs access to data flows from key activity domains (e.g., sessions/logins, exceptions/errors, or policy violations) from any number of sources, and make them visible in a single dashboard. The solution must also let security teams run unsupervised analytics engines that respond automatically to predefined events, such as locking out a user when the system identifies a suspicious login.
Create higher value data that results in more intelligent responses
Your automated security event remediation solution should enable your security teams to analyze enriched, contextual data to detect behavioral anomalies such as account abuse, code injection, and insider threats, and to automate remediation responses that prevent future security events.
The solution must let users join related information, such as metadata, vulnerability assessment results, discovery and classification results, and entitlements, from any number of sources to substantially enrich the context of every event and so increase the value of the data. A raw database activity record says only who ran which statement against which object; joined with classification and entitlement data, the same record also says whether the object holds sensitive data and whether the user was authorized to touch it. That added context is what makes automated interpretation of events, faster communication, and faster remediation actions possible.
Eliminate slow manual processes
The solution should offer actionable threat intelligence through customized and pre-built event-level workflows and User and Entity Behavior Analytics (UEBA) engines that transform raw activity data into valuable information via unsupervised learning. This intelligence should drive the process and eliminate the need for manual routing, entitlement reviews, report sign-off, trusted-connection validation, and change management steps, improving response times and communication among stakeholders. Another important function is tighter integration with security operations: eliminating alert storms and high volumes of false positives while improving security visibility. Ideally, your solution will feature out-of-the-box playbooks to automatically manage sensitive data alerts, import assets, run or disable scans, and detect when new data sources are added to the repository. These playbooks should integrate with SOAR systems so that an incident is contained before it escalates and the damage a prospective breach could cause is limited.
How Imperva Data Security Fabric can help
As we have seen, optimizing a security solution takes automation from end to end. Built-in Imperva Data Security Fabric incident response workflows turn days of incident management work into minutes. These include report sign-offs, entitlement review, and change request reconciliation, which route incident management actions to stakeholders so that nothing is missed. Integrations with other mission-critical security and management tools enable automated orchestration between systems. For example, a critical incident flagged by Imperva analytics could trigger a playbook that automatically deactivates the user account in the database and assigns a critical incident ticket to a security analyst in their SOC workflow manager for investigation.
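As an added example (not Imperva's code or API), here is a miniature orchestration pipeline in Python that ties the three competencies and the playbook described above together: raw database activity events are joined with classification, entitlement and network context, scored, collapsed into one alert per user and object so repeated events do not become an alert storm, and a critical alert triggers a playbook that disables the database account and opens a ticket for an analyst. The events, the context tables, the scoring weights and the in-memory stand-ins for the database and ticketing systems are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample events, in the shape a database activity monitor might emit.
RAW_EVENTS = [
    {"ts": "2023-04-01T02:13:05Z", "user": "svc_reporting", "db": "crm", "table": "customers", "op": "SELECT", "rows": 250000, "src_ip": "10.0.5.20"},
    {"ts": "2023-04-01T02:13:09Z", "user": "svc_reporting", "db": "crm", "table": "customers", "op": "SELECT", "rows": 300, "src_ip": "10.0.5.20"},
    {"ts": "2023-04-01T09:30:00Z", "user": "jdoe", "db": "hr", "table": "salaries", "op": "SELECT", "rows": 4000, "src_ip": "203.0.113.7"},
    {"ts": "2023-04-01T09:30:02Z", "user": "jdoe", "db": "hr", "table": "salaries", "op": "UPDATE", "rows": 1, "src_ip": "203.0.113.7"},
    {"ts": "2023-04-01T10:00:00Z", "user": "analyst2", "db": "crm", "table": "products", "op": "SELECT", "rows": 50, "src_ip": "10.0.7.3"},
    {"ts": "2023-04-01T10:00:01Z", "user": "analyst2", "db": "crm", "table": "products", "op": "SELECT", "rows": 50, "src_ip": "10.0.7.3"},
    {"ts": "2023-04-01T10:00:02Z", "user": "analyst2", "db": "crm", "table": "products", "op": "SELECT", "rows": 50, "src_ip": "10.0.7.3"},
]

# Constructed context sources (hypothetical, not a real product schema):
# discovery/classification per table, granted operations per user, trusted networks.
CLASSIFICATION = {("crm", "customers"): "PII", ("hr", "salaries"): "PII", ("crm", "products"): "public"}
ENTITLEMENTS = {"svc_reporting": {"SELECT"}, "jdoe": {"SELECT"}, "analyst2": {"SELECT"}}
TRUSTED_PREFIXES = ("10.0.",)


def enrich(event):
    """Join one raw event with classification, entitlement and network context."""
    ctx = dict(event)
    ctx["classification"] = CLASSIFICATION.get((event["db"], event["table"]), "unknown")
    ctx["entitled"] = event["op"] in ENTITLEMENTS.get(event["user"], set())
    ctx["trusted_source"] = event["src_ip"].startswith(TRUSTED_PREFIXES)
    return ctx


def score(ctx):
    """Illustrative risk score. Only the row count is available on the raw event;
    the other three signals exist because of the join in enrich()."""
    s = 0
    if ctx["classification"] == "PII":
        s += 40  # touches sensitive data
    if not ctx["entitled"]:
        s += 40  # operation outside the user's granted entitlements
    if not ctx["trusted_source"]:
        s += 20  # connection from outside the trusted networks
    if ctx["rows"] >= 100_000:
        s += 30  # bulk read
    return s


def severity(s):
    return "critical" if s >= 80 else "high" if s >= 50 else "low"


def aggregate(enriched):
    """Collapse repeated events on the same (user, db, table, op) into a single
    alert carrying the maximum score and an event count, rather than one alert
    per event: this is what keeps a burst of identical reads from becoming an alert storm."""
    groups = {}
    for ctx in enriched:
        key = (ctx["user"], ctx["db"], ctx["table"], ctx["op"])
        g = groups.setdefault(key, {"user": ctx["user"], "db": ctx["db"], "table": ctx["table"],
                                    "op": ctx["op"], "count": 0, "score": 0})
        g["count"] += 1
        g["score"] = max(g["score"], score(ctx))
    for g in groups.values():
        g["severity"] = severity(g["score"])
    return list(groups.values())


@dataclass
class OrchestrationState:
    """In-memory stand-in for the database and ticketing systems a SOAR would call."""
    disabled_users: set = field(default_factory=set)
    tickets: list = field(default_factory=list)


def critical_incident_playbook(alert, state):
    """Contain first, then hand off: deactivate the database account, then open
    a critical ticket for a SOC analyst."""
    state.disabled_users.add(alert["user"])
    state.tickets.append({
        "severity": alert["severity"], "user": alert["user"],
        "summary": f'{alert["op"]} on {alert["db"]}.{alert["table"]} '
                   f'(score {alert["score"]}, {alert["count"]} events)',
    })


def run_pipeline(events, state=None):
    """Enrich -> score -> aggregate -> drop low-risk -> run playbooks on critical alerts."""
    if state is None:
        state = OrchestrationState()
    alerts = [a for a in aggregate(enrich(e) for e in events) if a["severity"] != "low"]
    for alert in alerts:
        if alert["severity"] == "critical":
            critical_incident_playbook(alert, state)
    return alerts, state


if __name__ == "__main__":
    alerts, state = run_pipeline(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(alerts)} alerts for the SOC")
    for a in alerts:
        print(a["severity"], a["user"], a["db"], a["table"], a["op"], "x", a["count"])
    print("disabled:", sorted(state.disabled_users), "tickets:", state.tickets)
```

Note what the join buys: jdoe's UPDATE is a single-row change that no row-count threshold would flag, but once the event is enriched it is an unentitled write to a PII table from an untrusted network, and only that alert reaches the playbook. The three identical analyst2 reads of a public table collapse into one low-risk group and never reach the SOC queue at all.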
Gain control over security event management
Using data risk analytics, you get visibility into a broad range of events, from accidental exposures to persistent attacks by an evasive exploit, so you can quickly evaluate what is happening before it is too late.
· Faster problem resolution times
· Categorize and prioritize by real risks, rather than anomalies
· Spot bad actors before they cause damage
· Correct non-compliance issues before audit failures
· Get clear summaries that explain complex issues in plain language
· Eliminate false positives, and enable SOC teams to focus on the critical issues
A.L.