How to
Jack Danahy
Nov 2015

How to Pick the Right Security Tools for You (And Get the Most Out of Them)

The key to maximizing security is to balance and enhance your investment across a variety of tools.

Under pressure from management and auditors to improve, security teams often make the mistake of buying new products and making increased investments without first understanding how to:

  1. Maximize the value they are getting from their existing underused solutions.
  2. Identify the areas where a little new investment or effort will make the biggest difference.

With no lack of security tools and solutions to choose from, you need to ask yourself, how can I revisit our existing tools and better utilize them alongside new resources I'm considering?

Evaluating the Top Security Solutions

To help illustrate an example of how you can better evaluate your current solutions as well as new ones, let’s look at the top security technologies as ranked by IT security practitioners in a recent survey conducted by the Ponemon Institute:

2015 Global Study on IT Security Spending & Investments, Ponemon Institute

 

Now let’s take a closer look at these protection technologies and walk through the purpose, relative cost, potential benefits, and limiting factors for each. 

Anti-Virus (A/V)

  • Purpose: Keep dangerous software off my systems.
  • Cost: $
  • Benefit: Easy to use, good on known viruses, and can be operated with little security experience.
  • Limiting Factors: Provides limited protection due to reliance on signatures of known attacks. If it doesn't recognize a new type of attack, it won't be able to block it. Frequently criticized for slowing down user systems.

Security Information & Event Management (SIEM)

  • Purpose: Identify unauthorized or destructive behavior.
  • Cost: $$$
  • Benefit: Provides a broad view of security across an enterprise, and stronger breach detection capability across multiple systems.
  • Limiting Factors: SIEM tooling is costly to purchase and more costly to staff. The volume of data and complexity of the information provided requires active monitoring by experienced analysts who can assess what needs addressing and what doesn't. There are multiple examples of attacks going undetected in this flood of information.

Identity & Access Management (IAM)

  • Purpose: Enable only authorized access to systems and services, and attribute that access to individuals.
  • Cost: $$$
  • Benefit: Offers strong access protection and audit, and is the cornerstone of knowing who touched what and when. Good single sign-on can simplify user experience.
  • Limiting Factors: Dynamic organizations and increasing numbers of applications and services make it difficult to maintain IAM integration across new apps and among the changing roles of users. IAM also requires logging, since user authenticating information can be under threat from credential theft attacks and keystroke loggers.

Encryption

  • Purpose: Keep data obscured from everyone who lacks the authority to see it.
  • Cost: $
  • Benefit: Keeps information obscured from unauthorized viewers at rest and in transit.
  • Limiting Factors: Encryption is only as strong as the user authenticating information and the integrity of the systems on which it runs. When either the user information or user system is compromised, encryption is effectively disabled on that system.

Firewalls

  • Purpose: Create a gateway to separate internal networks from external traffic, and to block threatening network actions.
  • Cost: $$
  • Benefit: Good baseline security to create a logical perimeter for monitoring and access control. A good information source on attempted inbound attacks and outbound data theft.
  • Limiting Factors: Firewall logs become noisier as traffic flows increase, and increasing encrypted traffic flows can impede the firewall’s ability to see attacks inbound. Firewalls are also much less useful against custom-crafted and browser-based attacks, which deliver attack content in a fragmented means or through the use of a dropper or downloader. Firewalls also cannot protect user systems when they are used outside the firewalled network, as they are for mobile and remote employees.

Pro Tip: Remember, these are all simply tools. When used successfully, they provide protection and can be integrated to improve each other’s effectiveness. Used incorrectly or disjointedly, they create the illusion of security and leave the unknowing organization in an even worse state.

 

How to Get the Most Out of Your Security Investment

Here are some recommendations on maximizing the combined value from tools you may already have in-house by understanding how they can support each other. I’ve prioritized them by the usefulness of the increased value that the integration can bring. 

Click the image to enlarge.

A/V as an enabling technology

Endpoint protection is a critical factor in the efficacy of almost every other security technology. Every infected endpoint will create streams of data that will flood an already overworked SIEM. Corrupted systems are commonly used to steal the credentials that are central to credible identity management and to unlocking strong encryption.

As a result, there is a clear benefit to improving A/V, change management, and endpoint protection as you look for ways to improve your defenses at low cost.

SIEM as an enabling technology

Security information and event management (SIEM) can be thought of as a “bird’s-eye” view of an organization’s security. The major benefit of SIEM to other security technologies is to improve their coverage and understand their gaps.

When attacks are discovered, most SIEMs allow their data to be used to automatically limit inbound access through the creation of firewall rules. SIEMs can also be used to identify unexpected traffic or request from infected systems, which can be used to identify systems in need of system or A/V update.

IAM as an enabling technology

Identity and access management (IAM) is the foundation of understanding the appropriateness and authorization of behavior on the network. For example, a SIEM is most useful when if can be used to associated expected behaviors with individual users, and to identify offending user accounts when it encounters malicious behavior.

IAM also provides a more granular means of integrating firewall-based perimeter access control,  and of auditing the inbound and outbound traffic from users. Without IAM, or with weak IAM, non-repudiable attributions are either difficult or impossible.

Encryption as an enabling technology

Encryption is the center of authentication, secure transmission, and secure storage of data. As such, encryption is closely associated with the ways in which users validate their identity to the IAM. Encryption also provides protected channels through which confidential or high-integrity data will be fed to the SIEM. Firewalls also gain additional value when used as a point of terminus for encrypted connections and VPN’s from trusted external sources.

Without encryption, much of this internetworking and monitoring would become untrustable.

Firewalls as an enabling technology

While the perimeter of a network is becoming increasingly amorphous, firewalls offer increased efficiency for local security, like anti-virus, by doing some of the heavy lifting. By stripping attachment file types, and doing A/V scanning at the gateway, they can reduce the load on user devices.

Similarly, by limiting traffic flows, they can also decrease the glut of traffic monitored by the SIEM. Firewalls keep external connections from forging internal access credentials and can be configured to increase privacy by only allowing encrypted traffic to leave the network to certain destinations.

 

Mixing it All Together

If you find yourself evaluating a new security tool this coming year, remember to step back and look at the bigger picture. Before you spend a dime on anything you should have a good sense of your specific needs and priorities, and you should understand how your current solutions can be further supplemented and enabled (for help with that, see our new eBook, Cybersecurity Made Simple: A Getting Started Guide). 

After all, you don’t buy one ingredient and hope it turns into a cake. Before you step foot in the grocery store you should ideally know what kind of cake you want to make. You should have a list of ingredients, and you should have recipe that explains how they all need to be mixed together, too.

That requires preparation, but a little work up front will save you from sinking precious time, resources, and political capital into the wrong kind of investment. With any luck, you're in a position where you're able to make security considerations proactively instead of reactively. 

There's nothing worse than having to make a security purchasing decision in crisis mode.

The last thing you want is to go last-minute grocery shopping when you’re already hungry. 

 

One More Thing...

Don't miss out on more practical tips and approaches to security's biggest challenges. Sign up to get new Barkly blog posts delivered to your inbox.

Photo by: Barn Images

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.

lock-white.png

Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.