Managing and maintaining a secure enterprise environment is becoming more and more challenging. The sheer number of security events that organizations must contend with are becoming increasingly complex. Threats such as cybercrime and malware events are appearing on an ever-increasing volume on the dark web. Maintaining visibility across an expanding security ecosystem while shrinking the time window to identify and respond to security events is the nirvana for most security teams.
The OODA Loop
The current set of disparate tools inside of a security analyst’s bag are disjointed and lack the ability to share information. Tools are single focused and cannot exchange information and collaborate. Incident responders typically find themselves switching between multiple screens in order to solve problems or developing homegrown methods in order to make their lives easier. When responding to a security incident such as ransomware or malware, time is a critical element. Security organizations typically employ the concept of the OODA Loop when responding to a security incident. Developed by U.S. Air Force Colonel John Boyd, the OODA Loop maintains the process cycle of Observe – Orient – Decide – Act as the necessary steps to respond to a threat.
IBM Cloud Pak for Security (CP4S)
IBM has taken an innovative approach to solving the OODA loop challenge that modern enterprise security teams face. The IBM Cloud Pak for Security (CP4S) solution provides security operations teams the needed resources to make responding to events faster with all the necessary information at their fingertips. CP4S provides deeper insights by integrating with IBM Security’s broad security solution portfolio along with a number of third-party and open source security solutions. Covering areas such as threat intelligence, event monitoring, and automation, CP4S provides visibility across today’s on premise, hybrid cloud, and multi-cloud environments. This third-party tool integration is critical since, on average, most security teams use nearly a dozen different security tools in the course of their day.
Being able to observe threat indicators is a key element in the response to a security event. Having visibility into what is on the network is key to defending it. This visibility includes not only the assets that are managed by the various IT teams but also the IOT and shadow IT environments that are spreading across today’s enterprise architectures. Quickly being able to identify the assets that are impacted by a security event and isolate them from impacting other parts of the network is critical to any response plan. IBM Cloud Pak for Security (CP4S) creates a single pane of glass to cast light across all areas of an organization’s network. Being able to integrate from the endpoint to the cloud to the SIEM without vendor lock in provides CP4S users with the flexibility needed in today’s challenging world.
Increasing Visibility
Security teams are drowning in data. Every network device, server, and application generates a steady stream of information. Being able to take that data and collect meaningful and actionable threat intelligence is very difficult. For years, security teams had to create creative methods to ingest all this data into their tools. This meant that security organizations not only had to analyze the data but also retain it for future use. CP4S has been developed under the premise that data is best left on the device and not duplicated. This concept greatly increases CP4S’s ability to provide visibility. From cloud environments to OT networks to the most demanding enterprise environments, security teams are no longer limited in their visibility by where they can store or access information.
Red Hat OpenShift
Cloud Pak for Security is build using Red Hat’s OpenShift platform. Integrating CP4S with OpenShift simplifies administration by integrating the security platform with the existing management processes and procedures that an organization has. No need to develop special one-off processes in order to manage the new security platform. Further, CP4S works either on prem in your datacenter or deploys to a variety of cloud platforms. This flexibility in deployment makes integrating the CP4S platform simple. The OpenShift platform, built on Kubernetes, can be deployed wherever the organization has available capacity. This deployment flexibility allows CP4S to quickly integrate.
Automation
Automation is a key topic on the mind of almost all security leaders. Most enterprise organizations are seeing well over two hundred thousand security events per day. Everyone has heard of the labor availability challenges that the IT industry faces. This challenge is most acute in the security incident response space. Security teams have looked at integrating easily repeatable processes such as phishing investigations and identity management reviews and using automation in order to focus threat hunters on areas that are of greater risk to an organization.
CP4S integrates with IBM’s Resilient Incident Response architecture in order to make automating elements of incident response a reality. One of the leading reasons for a SOC analyst to seek new employment is burnout. The average analyst stays in a role for approximately eighteen months. Combining the increased visibility of CP4S with the automation and orchestration capabilities of Resilient allows for automation to be used to isolate threats that are detected in the middle of the night without having to wake staff up to investigate. CP4S seamlessly integrates with IBM Security’s Guardium solution to provide real-time visibility and incorporates automated workflows in order to reduce discovery and remediation time. Being able to use automation to orchestrate response to security events allows for an organization to respond faster to threats while also giving already busy SOC analysts some much deserved rest and quality of life.
Observe – Orient – Decide – Act
Returning to our original discussion of the OODA Loop, CP4S has the integration and flexibility to take on all four elements.
1. Observe security events by integrating with a wide range of IBM and third-party security tools. Allowing for data to remain in place instead of being migrated to a central location is a critical component to extensibility.
2. CP4S ability to integrate data into a single console view allows SOC analysts to orient and prioritize on addressing the most pressing threats. No longer will SOC analysts have to use multiple windows to access multiple systems in order to determine the threat.
3. Knowing how and when to act is critical to a security team. Deciding how to isolate systems, users, or entire locations is difficult. Business processes and operations will be disrupted while an analysis is performed. CP4S’s ability to draw data in from a wide variety of sources allows for decision makers to have a greater understanding of the risk that a company faces.
4. Automation allows for teams to act utilizing established playbooks. Being able to act and mitigate the threat is critical to addressing and resolving the security event. CP4S is the type of security solution that SOC analysts have been waiting for. A solution that allows them greater visibility into data while enabling them to easily utilize automation.
Get on a secure footing
Mainline Information Systems has the security skills to help companies develop the security solutions to protect your organization. As an IBM Platinum partner, the highest level in IBM’s partner program, Mainline has a deep rooted, long-term relationship with IBM. IBM Security and Mainline work together to help our customers solve today’s most pressing security challenges. From security assessments and analyzing the current architecture to designing and implementing a new solution, Mainline has the proficiencies necessary to put your company on a secure footing.
For more information about Cloud Pak for Security or any IBM security solution, contact your Mainline Account Executive directly, or reach us here.
You may be interested in:
BLOG: Cybersecurity Across OT/ICS Environments