
KuppingerCole Report: Leadership Compass of Access Management and Federation

Part of fixing any IT issue is finding the right solution for the problem and ensuring the issue will not happen again. One of the major struggles for the IT industry is finding the right vendors to enlist as protectors.

KuppingerCole’s Leadership Compass report on access management and federation aims to close the gap between the right solution and the right vendor.

Emerging business requirements, such as onboarding business partners, providing customer access to services and adopting new cloud services, require IT to react and find solutions to these communications and collaboration conditions. Access management and federation vendors are closing in to address these needs and enable business agility.

With many vendors in this market segment, the KuppingerCole Leadership Compass provides a view and analysis of the leading vendors and their strengths and weaknesses. The report acts as a guide for the consumer to compare product features and individual product requirements.

Read the KuppingerCole Leadership Compass report

Breaking Down the Leadership Ratings

When evaluating the different vendors and products, KuppingerCole looked into the aspects of overall functionality, size of the company, number of customers, number of developers, partner ecosystems, licensing models and platform support. Specific features, such as federation inbound, federation outbound, backend integration, adaptive authentication, registration, user stories, security models, deployment models, customization and multitenancy, were considered as well.

KuppingerCole created various leadership ratings, including “Product Leadership,” “Innovation Leadership,” and “Market Leadership,” to combine for the “Overall Leadership” rating. With this view, KuppingerCole gives an overall impression of each vendor’s offering in the particular market segment.

Product Leadership is based on analysis of product and services features and capabilities. This view focuses on the functional strength and completeness of each product.

Innovation Leadership focuses on a customer-oriented approach that ensures the product or service has compatibility with earlier versions, as well as supports new features that deliver emerging customer requirements.

Market Leadership is based on market criteria, such as number of customers, the partner ecosystem, the global reach and the nature of responses to factors affecting the market outlook. This view focuses on global reach, sales and service support, and successful execution of marketing strategy.

KuppingerCole Leadership Compass: Access Management and Federation

How IBM Ranks

IBM Security Access Manager (ISAM) is ranked as a leader in the Product, Marketing and Technology Leadership categories. This rating comes from IBM ISAM having one of the largest customer bases of all vendors in the market segment, a strong partner ecosystem, mature access management and strong adaptive authentication. ISAM is among the leading products in the access management and federation market and meets organizations’ growing lists of IT security requirements with broad feature support.

Read the Full Report

Check out the complete report to discover:

  • An overview of the access management and federation market;
  • The right vendor and right solution for your business; and
  • Why IBM ISAM is a leader in Product, Marketing and Technology.


The post KuppingerCole Report: Leadership Compass of Access Management and Federation appeared first on Security Intelligence.

Author: Kelly Lappin


Rewrite the Rules to Reduce Complexity in Your Security Architecture

Complexity as it relates to security architecture is attracting a lot of attention. At RSA Conference (RSAC) earlier this year, I saw complexity discussed at multiple vendor booths and in several presentations. But what does it really mean? And is it really that bad?

To get to the root of why complexity is such a challenge, I think you have to take a step back and look at what it is that makes security architecture so complex. One look at the RSAC 2019 exhibit hall provided a clue.

Walking the exhibit floor, I was struck over and over by the sheer number of vendors exhibiting this year. Every inch of space was used to show new products, services, approaches, integrations — you name it. It was noisy and overwhelming for me, and I can only imagine what it must have been like for security directors who were walking around trying to make sense of what was new.

I think the crowded RSAC expo floor is an accurate representation of one of the biggest conundrums in cybersecurity: It is an industry in constant flux. Every day, there are new attacks, updated methods and changing compromise patterns in addition to changing regulatory standards and new business initiatives that need to be evaluated for risk. And since every business has its unique needs and requirements, it’s really no surprise that there are multiple ways to approach a problem, and thus a plethora of products and services available.

Without a doubt, variety is essential for empowering customers to opt for solutions that work best for their unique situations. However, this singular approach to problem solving has created an incredibly complex environment for security organizations to manage, and that has consequences.

“At any given time, the analysts in our security operations center are looking at 10–20 windows open per product,” said Devin Somppi, lead of security operations at BriteSky. “While each of my analysts is an expert in their role, sharing information across these fields is a challenge.”

Somppi referred to his team as the “human glue” binding all of their different security applications. What he means is that many of the individual security solutions produce data that must be analyzed and acted upon. On an individual level, this works great. However, when investigating a multilayered security incident, the data must be shared among the analysts, and that takes time.

“Take, for example, a very common incident: a targeted phishing attack,” said Somppi. “First surfaced through a SIEM, an analyst reviews the situation and kicks off an investigation. This involves multiple parts: checking with your threat intelligence team to run the file against the latest information, getting information from your email security appliance for headers to see if it’s been spoofed, notifying the user of the compromise. This process does work — we make it work — but it can be slow and arduous when that information is spread across multiple teams.”

That kind of delay can be disastrous for end users.

It’s Time to Think Differently About Security

In their RSA Conference session, Somppi and IBM Security Chief Technology Officer Sridhar Muppidi discussed how the biggest hurdle for the security industry — vendors — will be rethinking its approach to security.

“We really have to start looking at security as a team sport,” said Muppidi. An avid cyclist, Muppidi used the example of a peloton from his college cycling days.

“I’m not much of a sprinter, but I’m great at hills,” he said. “There are others in our group where sprinting was their strength. And once we started communicating and leveraging our individual strengths, we not only improved in our race, but as a whole we became much more efficient. The same can be true for security.”

Thinking of security as a team sport shouldn’t be too hard; after all, our adversaries do this very well. Most attackers buy, sell and trade secrets. They share data, swap methodologies and collaborate on processes, all in the name of compromising their targets. So why shouldn’t we defenders adopt the same approach?

The easy answer is that we should. As security vendors, when we communicate better — when we share information and leverage each other’s strengths — we enable organizations to actively defend their networks. More importantly, we empower them to grow their businesses.

The harder question is, how do we do it? In their joint session at RSAC 2019, Muppidi and Somppi laid out three ways the cybersecurity industry can rethink its approach and be more collaborative in its defense.

1. Break Down Silos Among Vendors

In the current environment, each security vendor has its own way of capturing information and it is very hard to integrate that data. While this works to address security issues at an individual level, this siloed approach to using and viewing security data is limiting the potential of not only our clients, but also what we as security vendors can do.

“In order for organizations to really see what cybersecurity can do for their business, we have to break down the silos we’ve built as vendors,” Muppidi said. “This means unifying not only technical capabilities like our APIs or our use of microservices, but also the overall experience. That requires addressing things like different views on data privacy or getting over our ‘competitive’ mindset.”

This is not easy to do, but it ultimately provides a better cybersecurity experience for organizations that are already struggling.

2. Rethink the Role of Security Analysts by Embracing Artificial Intelligence

Artificial intelligence (AI) will play a pivotal role in how we approach security in the coming years. AI will become the connective tissue between products, decreasing the need for the “human glue” Somppi described as the current approach to information sharing between technologies.

“We will always need analysts,” said Somppi. “But they’ll be augmented by AI, and we’ll need to rethink the way they work. Analysts need to be the experts, but AI needs to be the glue.”

Ultimately, using AI to reduce the time it takes to connect data insights will make security stronger and our analysts less stressed.

3. Redefine Success as It Relates to Securing the Business

Every organization has a different measure of success when it comes to security. For some, success means speeding up the time it takes to detect a threat. Others are more concerned about how long it takes to remedy the situation, or maybe it’s all about applying lessons learned to make sure it doesn’t happen again. Without a doubt, these are all important, but we need to think differently.

“What if success means getting your SOC analysts home in time for dinner with their families?” Muppidi asked. When considering the predicted security skills gap, reducing the stress among your security analysts is a critical measure of success.

“Finding resources tends to be a challenge for our industry,” said Somppi. “I can find technology for anything and everything, but to have someone who can utilize that technology is incredibly difficult. I don’t want to burn them out.”

In addition to keeping them engaged and interested in their area of defense, it’s also critical to reduce the rate of analyst burnout. By reducing workload and stress, you can empower your SOC analysts to focus on fewer, but higher-value projects that are more strategic to the organization and are focused on growth.

Less Is More When It Comes to Your Security Architecture

The main takeaway from Somppi and Muppidi’s RSAC session is that it’s time for cybersecurity professionals to collaborate more and compete less. By breaking down silos among security teams and vendors, augmenting human intelligence with AI and machine learning, and empowering analysts to do more impactful work under less pressure, chief information security officers (CISOs) and business leaders can improve security output while also reducing the number of security products needed to protect the enterprise. Put simply, it’s time to make less matter more.

The post Rewrite the Rules to Reduce Complexity in Your Security Architecture appeared first on Security Intelligence.

Author: Jennifer Glenn


SOAR: The Second Arm of Security Operations

While security information and event management (SIEM) is rightly considered an indispensable tool for detecting and managing threats, it can only do so much good if all you do is detect threats without acting on them. Successful threat management demands rapid incident response, yet security operations teams tend to overemphasize detection at the expense of response.

How can organizations both empower their responders to remediate threats quickly and strengthen their security posture to prevent data breaches in the first place? The answer is security orchestration, automation and response (SOAR).

SOAR Solutions Add Context to SIEM Data

SIEM solutions are now deployed in virtually every large enterprise, and for very good reason. In the U.K., in fact, the RM3808 regulation precludes any organization from bidding for public sector network services work unless it has a SIEM solution in place. This makes sense: Companies should be monitoring their events and data flows if they expect to detect threats to their information or that of their customers.

SOAR tooling enables security operations teams to automate the tedious and repetitive elements of their workflow that don’t require human oversight and instead focus on more mentally challenging tasks that call for discernment and judgment. The best SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity and/or criticality of the business functions under threat.

Many of the remedial tasks that fall under the analyst’s supervision, such as isolating endpoints, can be orchestrated with a SOAR platform via application programming interfaces (APIs). Faster remediation leads to earlier resolution of incidents in the attack chain, which greatly reduces the risk of a data breach.

A Force Multiplier for Understaffed Security Operations Teams

Even if you had an unlimited security budget at your disposal, you would still struggle to hire the caliber and quantity of talent you need to stay on top of the constant barrage of threats to your organization. According to Cybersecurity Ventures, the cyber skills shortfall is expected to hit 3.5 million unfilled positions by 2021. This is one of the reasons why white hats are lagging behind the increasingly sophisticated threat landscape in the cyber arms race.

SOAR solutions can help organizations address the talent gap by lightening analysts’ manual workload and sharpening their ability to prioritize the most pressing threats and remediate them quickly.

Enrichment and Contextualization: Where SIEM Ends and SOAR Begins

There is a degree of overlap in how vendors describe the enrichment and contextualization functionalities of their SIEM and SOAR solutions. It’s common for both products to claim that they enrich, contextualize and help triage threats. But where does SIEM end and SOAR begin?

SIEM is all about detection. The amount of automation and orchestration required for swift incident response cannot be carried out at the detection layer. If a SIEM tool processes between 10,000 and 500,000 events per second — as it does in most cases — the computing resources required are simply not available to enrich this volume of data. So why can’t the enrichment take place once the SIEM tool has generated an offense or incident?

For the average enterprise, roughly 80 percent or fewer of incidents originate from SIEM. It’s important to channel incidents generated by data loss prevention (DLP) tools, managed service alerts, phishing reports and investigations into one place so your security operations center (SOC) analysts or computer security incident response team (CSIRT) can contextualize and act upon them. SIEM tools are not optimized to support this alongside the mammoth task of analyzing enormous reams of events and data flows according to predefined correlations and indicators of compromise (IoCs). Endpoint detection and response (EDR) and threat intelligence platforms are not integrated with the SIEM, so it only assists with part of the investigation process.

Lastly, case management is arguably the most crucial feature set within incident response. Cybersecurity playbooks have become enormously complex, and the level of effort and cost needed to build them into the detection layer is often prohibitive.

Why Detection Alone Is Not Enough

It goes without saying that well-calibrated detection tools give the incident response function the data it needs to remediate threats. But having well-defined incident response plans can also help sharpen and refine the rules and use cases you use to calibrate your SIEM solution. The benefits are bidirectional: What correlations and indicators are you looking for? Why are you looking for them? Once you find them, what is the incident response plan?

One of our clients recently enacted a protocol whereby detection use cases are only written if they have an associated incident response plan. If you want to write SIEM rules for the sole purpose of visibility and metrics, that’s all well and good. However, being deliberate and honest about this will keep your operations more streamlined.

If your function is willing to spend thousands or even millions on SIEM solutions but is not prepared to deal efficiently with the alerts they output, what is the value of that investment? Why wait until your SIEM tool is churning out alerts before realizing that your team is overwhelmed?

Clients of ours that have run parallel SIEM/SOAR proofs of concept (POCs) have saved significant amounts of time and effort compared to those that have undergone an arduous SIEM POC only to have to follow up with another SOAR POC. In one case, a client even decided to switch off its SIEM solution until it had implemented a SOAR tool to help it deal with the torrent of alerts. Given that SIEM and SOAR are two sides of the coin that comprises security operations, why serve these POCs consecutively when they can be executed concurrently?

The post SOAR: The Second Arm of Security Operations appeared first on Security Intelligence.

Author: Cian Walker


Are Applications of AI in Cybersecurity Delivering What They Promised?

Many enterprises are using artificial intelligence (AI) technologies as part of their overall security strategy, but results are mixed on the post-deployment usefulness of AI in cybersecurity settings.

This trend is supported by a new white paper from Osterman Research titled “The State of AI in Cybersecurity: The Benefits, Limitations and Evolving Questions.” According to the study, which included responses from 400 organizations with more than 1,000 employees, 73 percent of organizations have implemented security products that incorporate at least some level of AI.

However, 46 percent agree that rules creation and implementation are burdensome, and 25 percent said they do not plan to implement additional AI-enabled security solutions in the future. These findings may indicate that AI is still in the early stages of practical use and its true potential is still to come.

How Effective Is AI in Cybersecurity?

“Any ITDM should approach AI for security very cautiously,” said Steve Tcherchian, chief information security officer (CISO) and director of product at XYPRO Technology. “There are a multitude of security vendors who tout AI capabilities. These make for great presentations, marketing materials and conversations filled with buzz words, but when the rubber meets the road, the advancement in technology just isn’t there in 2019 yet.”

The marketing Tcherchian refers to has certainly drummed up considerable attention, but AI may not yet be delivering enough when it comes to measurable results for security. Respondents to the Osterman Research study noted that the AI technologies they have in place do not help mitigate many of the threats faced by enterprise security teams, including zero-day and advanced threats.

Still Work to Do, but Promise for the Future

While applications of artificial intelligence must still mature for businesses to realize their full benefits, many in the industry still feel the technology offers promise for a variety of applications, such as improving the speed of processing alerts.

“AI has a great potential because security is a moving target, and fixed rule set models will always be evaded as hackers are modifying their attacks,” said Marty Puranik, CEO of Atlantic.Net. “If you have a device that can learn and adapt to new forms of attacks, it will be able to at least keep up with newer types of threats.”

Research from the Ponemon Institute predicted several benefits of AI use, including cost-savings, lower likelihood of data breaches and productivity enhancements. The research found that businesses spent on average around $3 million fighting exploits without AI in place. Those who have AI technology deployed spent an average of $814,873 on the same threats, a savings of more than $2 million.

Help for Overextended Security Teams

AI is also being considered as a potential point of relief for the cybersecurity skills shortage. Many organizations are pinched to find the help they need in security, with Cybersecurity Ventures predicting the skills shortage will increase to 3.5 million unfilled cybersecurity positions by 2021.

AI can help security teams increase efficiency by quickly making sense of all the noise from alerts. This could prove to be invaluable because at least 64 percent of alerts per day are not investigated, according to Enterprise Management Associates (EMA). AI, in tandem with meaningful analytics, can help determine which alerts analysts should investigate and discern valuable information about what is worth prioritizing, freeing security staff to focus on other, more critical tasks.

“It promises great improvements in cybersecurity-related operations, as AI releases security engineers from the necessity to perform repetitive manual processes and provides them with an opportunity and time to improve their skills and learn how to use new tools and technologies,” said Uladzislau Murashka, a certified ethical hacker (CEH) at ScienceSoft.

Note that while AI offers the potential for quicker, more efficient handling of alerts, human intervention will continue to be critical. Applications of artificial intelligence will not replace humans on the security team anytime soon.

Paving an Intelligent Path Forward

It’s important to consider another group that is investing in AI technology and using it for financial gains: cybercriminals. Along with enterprise security managers, those who make a living by exploiting sensitive data also understand the potential AI has for the future. It will be interesting to see how these capabilities play out in the future cat-and-mouse game of cybersecurity.

While AI in cybersecurity is still in the early stages of its evolution, its potential has yet to be fully realized. As security teams continue to invest in and develop AI technologies, these capabilities will someday be an integral part of cyberdefense.

The post Are Applications of AI in Cybersecurity Delivering What They Promised? appeared first on Security Intelligence.

Author: Joan Goodchild


Busting Cybersecurity Silos

Cybersecurity is among the most siloed disciplines in all of IT. The industry is exceedingly fragmented between many highly specialized companies. In fact, according to IBM estimates, the average enterprise uses 80 different products from 40 vendors. To put this in perspective, imagine a law enforcement officer trying to piece together the events surrounding a crime based solely on witness statements written in multiple languages — one in Chinese, another in Arabic, a third in Italian, etc. Security operations centers (SOCs) face a similar challenge all the time.

Security professionals are increasingly taking on the role of investigator, sorting through multiple data sources to track down slippery foes. Third-party integration tools don’t exist, so the customer is responsible for bringing together data from multiple sources and applying insights across an increasingly complex environment.

For example, a security team may need to coordinate access records with Lightweight Directory Access Protocol (LDAP) profiles, database access logs and network activity monitoring data to determine whether a suspicious behavior is legitimate or the work of an impostor. Security information may even need to be brought in from external sources such as social networks to validate an identity. The process is equivalent to performing a massive database join, but with incompatible data spread across a global network.

What Can We Learn About Collaboration From Threat Actors?

Organizations would be wise to observe the strategy of today’s threat actors, who freely share tactics, tools and vulnerabilities on the dark web, accelerating both the speed and impact of their attacks. As defenders of cybersecurity, we need to take a similar approach to sharing security information and building collaborative solutions that will address the evolving cybersecurity threat landscape.

This is easier said than done, as the cybersecurity industry has not been successful in enabling information to be shared, federated and contextualized in a way that drives effective security outcomes. But the barriers aren’t solely technical; corporate policies, customer privacy concerns and regulations all combine to inhibit information sharing. We must enable collaboration in ways that don’t undermine the interests of the collaborators.

Security information sharing is not only useful for threat management, but also for accurately determining IT risk, enabling secure business transformation, accelerating innovation, helping with continuous compliance and minimizing friction for end users. For example, organizations can leverage the identity context of an individual from multiple sources to evaluate the person’s reputation and minimize fraud for both new account creation and continuous transaction validation. This type of risk-based approach allows organizations to quickly support new initiatives, such as open banking application programming interfaces (APIs), and regulations, such as the European Union’s revised Payment Service Directive (PSD2).

The Keys to Building a Community Across Cybersecurity Silos

Sharing security data and insights and developing an ecosystem across cybersecurity silos is a transformational concept for the industry — one that requires people, process and technology adaptations. As organizations embrace secure digital transformations, security professionals need to adopt a risk-based approach to security management built on insights from several sources that include both technical and business contexts.

As security becomes more distributed within an organization, processes need to evolve to support integrated and collaborative operations. Sharing of data and insights will enable multiple business units to coordinate and deliver unified security. Technology needs to be API-driven and delivered as a service so it can integrate with others to facilitate sharing. Security solutions also need to evolve to deliver outcome-based security through capabilities that take advantage of data and insights from multiple vendors, platforms and locations.

The security industry is taking steps to address the complexity problem with standards designed to efficiently share data and insights. Standards such as STIX/TAXII, OpenC2 and CACAO are rapidly maturing and gaining adoption for their ability to enable vendors and their customers to choose what data to share. More than 50 cybersecurity vendors have adopted or plan to adopt STIX as a standard for data interchange, according to OASIS.

However, more work needs to be done. Standards and practices need to evolve to enable information sharing within and between industries, as well as ways to exchange methodologies, indicators of compromise (IoCs), response strategies and the like.

Finally, we need a cloud-based community platform that supports open standards-based collaboration for the delivery of integrated cybersecurity solutions. A platform-based approach will bring together people, process, tools, data and insights without expensive customization and integration projects. By increasing the adoption of such a platform, we can create a cybersecurity ecosystem that can address complexity, combat the evolving threat landscape and reduce the need for specialized security skills.

Bringing the Industry Together With IBM Security Connect

IBM has been on a journey to reduce complexity through a security immune system approach, enabling open collaboration through initiatives such as X-Force Exchange and Quad9, and driving open industry standards such as STIX/TAXII. We are furthering our commitment to strengthening cybersecurity with the recent announcement of IBM Security Connect, an open cloud platform for developing solutions based on distributed capabilities and federated data and insights.

Security Connect provides an open data integration service for sharing and normalizing threat intelligence, federated data searching across on-premises and cloud data repositories, and real-time sharing of security alerts, events and insights that can be leveraged by any integrated application or solution. This will pave the way for new methods of delivering innovative outcome-based security solutions powered by artificial intelligence (AI).

Clients and partners can take advantage of this open, cloud-native platform by combining their own data and insights with capabilities from IBM and other vendor technologies. We have already partnered with 15 major security software providers and look forward to adding more.

We are very excited about bringing this concept of data and insights collaboration to life, and grateful for the opportunity to bring cybersecurity silos together to reduce complexity and keep up with the evolving cybersecurity landscape. Early feedback has been gratifying, and we’d love to hear your comments and suggestions. I hope you will join us in this endeavor by learning more about IBM Security Connect and participating in the early field trial.

The post Busting Cybersecurity Silos appeared first on Security Intelligence.

Author: Sridhar Muppidi