Why consolidation and automation should top your cybersecurity list

10 March 2022

By Tim Wallen, regional director, UK&I, LogPoint

Traditionally, those charged with responsibility for cybersecurity invest in best-in-class products from leading vendors to shore up the vulnerabilities they perceive as posing the greatest risk to their organisation. So one year it could be a new EDR capability, and the next a sophisticated intrusion detection system for advanced attacks. And so it goes on. It has to stop, and here's why.

With all the security products organisations have installed (up to 70 different solutions in some cases), and the money they have invested, they remain vulnerable to cyberattack, and their security operations struggle to mount an efficient and effective response. Colonial Pipeline, Brenntag, JBS Foods and AXA all fell victim to ransomware attacks in the past year, even though they probably had a multitude of cybersecurity defences in place.

Buying more solutions doesn't solve the problem. With the enabling technologies now mature, more organisations should move away from best-in-class point solutions towards a more holistic, consolidated approach to cyber hygiene and cybersecurity.

Having the best cybersecurity solutions isn't necessarily right for everyone. Take organisations in the mid-tier category, for example: thousands of them lack cybersecurity resources and maturity. They constantly struggle to justify their cybersecurity budget and to see significant improvements in efficiency, or a reduction in organisational risk, from their investments. And even those that can afford best-in-class tools often lack the expertise to make the most of a highly sophisticated feature set.

Companies must seek a more consolidated and unified approach, either from a single vendor or by leveraging open standards to achieve a unified result. A case in point is SIEM and SOAR, where SOC teams often struggle with operating in different UIs and switching context between applications, which makes analysts less efficient. But if SIEM and SOAR capabilities are brought into one system that collects, analyses and prioritises security incidents, analysts can identify and resolve incidents faster and keep the business safe.

It is for all of these reasons that we will see mid-tier operations start to adopt unified and consolidated cybersecurity infrastructures.

Cybersecurity automation is the way forward

Artificial intelligence (AI) and robotic process automation (RPA) will also play a fundamental role in making this consolidation happen. Both technologies have matured to the benefit of many industries, and cybersecurity is no exception. So much so that it is fair to say AI and automation will be the only way organisations can keep pace with the constantly evolving threat landscape and the sheer volume of attacks.

Death of the classic security playbook

The classic security playbooks in use today are static and require a high level of sophistication and expertise to write. Not only are they hugely time consuming to produce, they are also virtually impossible to keep current. The advent of AI-driven, or even AI-augmented, detection and response will see the static playbook surpassed by a dynamic, real-time playbook that relates to the incident actually in front of the analyst.

Based on analysis of incident case data, telemetry readings, historical cases and how they were resolved, threat intelligence from the Internet and other sources, the AI-driven system creates the best playbook on the spot. You can execute the response automatically or require the analyst to approve the playbook actions. It's that simple. In practice the actions that can disrupt the business, such as isolating a host or disabling an account, are the ones to keep behind analyst approval unless confidence in the alert is very high.

Data driven cybersecurity

Central to maintaining a robust security posture is accurate data. It is essential to mounting an effective defence against both internal and external threats. That data needs a platform that pulls all the cybersecurity data together, verifies it, gives it context, simplifies it and prioritises it based on urgency, past experience, potential damage, damage already incurred and many other factors. Security teams need data to orchestrate the different tools in their cybersecurity infrastructure, so that each tool plays its part fully and to maximum advantage. They need data to automate. If you can't trust your data, you can't automate the processes that use it.
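As an added illustration of the pipeline described in this section and in the SIEM and SOAR discussion above (example code written for this edit, not LogPoint's product or code): a small Python triage loop that refuses alerts it cannot trust, enriches the rest with asset and threat-intelligence context, scores them for priority, and builds a per-alert playbook in which disruptive actions run unattended only above a confidence threshold and otherwise wait for an analyst. The alerts, the asset inventory, the threat-intel set, the historical true-positive rates and the scoring weights are all constructed assumptions, not real data.

```python
"""Trusted-data triage with a gated, per-alert playbook.

Added example for this article, not LogPoint code. The asset inventory,
threat-intel set, historical true-positive rates, scoring weights and the
sample alerts below are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# --- Constructed context (stand-ins for a CMDB and a threat-intel feed) ---
ASSET_CRITICALITY: Dict[str, int] = {"fin-db-01": 5, "hr-laptop-17": 2, "kiosk-03": 1}
MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7"}
# Share of past alerts per rule that turned out to be true positives (assumed)
HISTORICAL_TP_RATE = {"ransomware_behaviour": 0.9, "brute_force": 0.3, "port_scan": 0.05}
REQUIRED_FIELDS = ("id", "host", "src_ip", "rule", "timestamp")


@dataclass
class Action:
    name: str
    disruptive: bool  # disruptive actions need either high confidence or an analyst


@dataclass
class Playbook:
    alert_id: str
    priority: float
    auto: List[Action] = field(default_factory=list)
    needs_approval: List[Action] = field(default_factory=list)


def validate(alert: dict) -> Optional[str]:
    """Return why the alert cannot be trusted, or None if it may drive automation."""
    missing = [k for k in REQUIRED_FIELDS if not alert.get(k)]
    if missing:
        return f"missing fields: {missing}"
    if alert["host"] not in ASSET_CRITICALITY:
        return f"host {alert['host']!r} not in asset inventory"
    return None


def score(alert: dict) -> float:
    """Priority on a 0-100 scale from asset criticality, past outcomes,
    threat intelligence and damage already incurred (weights are assumed)."""
    crit = ASSET_CRITICALITY[alert["host"]] / 5          # 0.2 .. 1.0
    past = HISTORICAL_TP_RATE.get(alert["rule"], 0.5)    # unknown rule: coin flip
    intel = 1.0 if alert["src_ip"] in MALICIOUS_IPS else 0.0
    damage = 1.0 if alert.get("files_encrypted", 0) > 0 else 0.0
    return round(100 * (0.35 * crit + 0.30 * past + 0.15 * intel + 0.20 * damage), 1)


def build_playbook(alert: dict, auto_threshold: float = 80.0) -> Playbook:
    """Assemble actions for this alert; disruptive ones run unattended only
    when priority reaches auto_threshold, otherwise they wait for approval."""
    pb = Playbook(alert["id"], score(alert))
    candidates = [Action("collect_process_tree", False),
                  Action("tag_asset_under_investigation", False)]
    if alert["src_ip"] in MALICIOUS_IPS:
        candidates.append(Action(f"block_ip:{alert['src_ip']}", True))
    if alert["rule"] == "ransomware_behaviour":
        candidates.append(Action(f"isolate_host:{alert['host']}", True))
    elif alert["rule"] == "brute_force":
        candidates.append(Action(f"reset_password:{alert.get('user', 'unknown')}", True))
    for action in candidates:
        if action.disruptive and pb.priority < auto_threshold:
            pb.needs_approval.append(action)
        else:
            pb.auto.append(action)
    return pb


def triage(alerts, auto_threshold: float = 80.0) -> Tuple[List[Playbook], List[Tuple[str, str]]]:
    """Reject untrusted alerts, build playbooks for the rest, highest priority first."""
    playbooks, rejected = [], []
    for alert in alerts:
        reason = validate(alert)
        if reason:
            rejected.append((alert.get("id", "?"), reason))
            continue
        playbooks.append(build_playbook(alert, auto_threshold))
    playbooks.sort(key=lambda p: p.priority, reverse=True)
    return playbooks, rejected


# Constructed sample alerts, in the shape a SIEM might emit them
SAMPLE_ALERTS = [
    {"id": "A1", "host": "fin-db-01", "src_ip": "203.0.113.45", "rule": "ransomware_behaviour",
     "timestamp": "2022-03-01T09:14:02Z", "files_encrypted": 312},
    {"id": "A2", "host": "hr-laptop-17", "src_ip": "192.0.2.10", "rule": "brute_force",
     "timestamp": "2022-03-01T09:15:40Z", "user": "j.doe"},
    {"id": "A3", "host": "kiosk-03", "src_ip": "192.0.2.77", "rule": "port_scan",
     "timestamp": "2022-03-01T09:16:01Z"},
    # Untrusted: empty src_ip and a host nobody has inventoried; must not drive automation
    {"id": "A4", "host": "unknown-box", "src_ip": "", "rule": "brute_force",
     "timestamp": "2022-03-01T09:17:00Z"},
]

if __name__ == "__main__":
    pbs, rejected = triage(SAMPLE_ALERTS)
    for pb in pbs:
        print(pb.alert_id, pb.priority, "auto:", [a.name for a in pb.auto],
              "approval:", [a.name for a in pb.needs_approval])
    for alert_id, reason in rejected:
        print("rejected", alert_id, reason)
```

With these inputs the ransomware alert on the critical database scores 97 and every action, including host isolation, runs automatically; the brute-force alert on a laptop scores 23, so only the enrichment steps run and the password reset waits for an analyst; the alert with an empty source address never reaches the playbook stage at all, which is the "can't trust it, can't automate on it" rule in code.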

Furthermore, new instrumentation capabilities mean CISOs can measure the performance and effectiveness of every component of their security infrastructure. Easy-to-digest cybersecurity metrics and data let CISOs hold far more productive performance and funding conversations.

Cyberattacks across the globe are increasing in sophistication and speed, threatening businesses of all sizes and industries. At the same time, security teams face a global shortage of cyber talent that stretches their resources thin. As a result, SOCs struggle to detect, investigate and respond to threats quickly.

Taking a holistic approach to cybersecurity, characterised by AI-driven consolidation of capabilities, unified instrumentation and automation, will minimise the time it takes security teams to detect, orchestrate and respond to cyber incidents. It will also simplify their security operations and make them more effective than they ever thought possible.