Over the six or seven years I’ve attended the RSA conference, I’ve started covering broader, big-picture themes and trends in security related to product design, development and philosophy.
Some of those themes can be seen in the first day of talks at RSAC, including:
Complexity and Cloud Cause Reduced Visibility
Security complexity is not a new topic at RSAC, as I can recall their opening keynote a year or two back that harped on the need to consolidate. That was a remark on the inflection point in infosec that resulted in too many vendors, too much noise, too many disparate solutions and increased “expense-in-depth.”
However, it remains a problem across many organizations and industries: a holdover from legacy environments that is especially acute at companies that have grown from small to medium very quickly. Often there is no solid security strategy in place, as they struggle to implement security basics while putting out daily fires.
As Director of Cisco Cloud Security Meg Diaz pointed out in her talk, Getting Started With SASE: Connect, Control and Converge With Confidence, 82% of workers will work in a hybrid model after 2020, while 93% of enterprises are embracing a multi-cloud strategy. The average company connects to over 20 different cloud services, which can reduce visibility: there is little control over permissions and little insight into misconfigurations across that many providers.
In a Microsoft talk on Zero Trust in a Post-Pandemic World, CVP and CISO Bret Arsenault and CVP Microsoft 365 Security Rob Lefferts discussed how the increasing IT “complexity and sophistication in the threat landscape” has resulted in the increasing complexity of security tools. This has pushed the industry toward unification of those tools for a more coherent view across identity, endpoints and end users.
They acknowledged that Microsoft has traditionally been focused on supporting only their own tech stack – which can result in blind spots, as most companies have diverse vendors and platforms in their IT environment they need to secure.
XDR to Consolidate Visibility and Response
This push for unification is where XDR (Extended Detection and Response) comes into play – the emerging security trend that tends to skew toward the enterprise. XDR seeks to integrate multiple security control points to make detection and response faster and easier, as Diaz stated.
What is XDR? According to Gartner, it’s a unified security incident detection and response platform that automatically collects and correlates data from multiple sources. Their primary requirements include:
- Centralizing normalized data (often focusing on the XDR vendors’ ecosystem only)
- Correlating security data and alerts into incidents
- Centralizing an incident response (IR) capability that can enact change in different security products, as part of an IR or security policy setting
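To make those three requirements concrete, here is an added illustration (not Gartner's definition nor any vendor's product code) that normalizes constructed alerts from three hypothetical sources onto one schema, correlates alerts on the same entity within a time window into incidents, and derives a centralized response step; the source names, field names and action strings are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: each source uses its own field names and severity scale.
RAW_ALERTS = [
    {"source": "edr", "hostname": "WS-042", "ts": "2021-05-17T14:02:10", "sev": "high", "title": "Suspicious PowerShell"},
    {"source": "firewall", "src_host": "WS-042", "time": "2021-05-17T14:03:45", "severity": 3, "msg": "Outbound to rare port"},
    {"source": "cloud", "resource": "s3-bucket-logs", "eventTime": "2021-05-17T09:15:00", "level": "medium", "name": "Public bucket ACL"},
    {"source": "edr", "hostname": "WS-042", "ts": "2021-05-17T16:30:00", "sev": "low", "title": "New scheduled task"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
FIREWALL_SEVERITY = {1: "low", 2: "medium", 3: "high"}  # assumed numeric scale


def normalize(alert):
    """Requirement 1: map each source's fields onto one common schema."""
    src = alert["source"]
    if src == "edr":
        return {"entity": alert["hostname"], "time": datetime.fromisoformat(alert["ts"]),
                "severity": alert["sev"], "summary": alert["title"], "source": src}
    if src == "firewall":
        return {"entity": alert["src_host"], "time": datetime.fromisoformat(alert["time"]),
                "severity": FIREWALL_SEVERITY[alert["severity"]], "summary": alert["msg"], "source": src}
    if src == "cloud":
        return {"entity": alert["resource"], "time": datetime.fromisoformat(alert["eventTime"]),
                "severity": alert["level"], "summary": alert["name"], "source": src}
    raise ValueError(f"unknown source {src!r}")


def make_incident(entity, alerts):
    """Roll a group of related alerts up into one incident record."""
    return {"entity": entity, "alert_count": len(alerts),
            "severity": max((a["severity"] for a in alerts), key=SEVERITY_RANK.get),
            "sources": sorted({a["source"] for a in alerts})}


def correlate(alerts, window=timedelta(minutes=30)):
    """Requirement 2: group normalized alerts on the same entity within `window` into incidents."""
    by_entity = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_entity[a["entity"]].append(a)
    incidents = []
    for entity, items in by_entity.items():
        current = [items[0]]
        for a in items[1:]:
            if a["time"] - current[-1]["time"] <= window:
                current.append(a)
            else:  # gap too large: close the current incident and start a new one
                incidents.append(make_incident(entity, current))
                current = [a]
        incidents.append(make_incident(entity, current))
    return incidents


def response_actions(incident):
    """Requirement 3: one IR decision that fans out to several products (action names are placeholders)."""
    if incident["severity"] == "high":
        return [f"edr: isolate {incident['entity']}", f"firewall: block egress from {incident['entity']}"]
    return []
```

Running `correlate([normalize(a) for a in RAW_ALERTS])` yields three incidents: the two WS-042 alerts that fall within 30 minutes of each other merge into one high-severity incident spanning both sources, while the later low-severity alert and the cloud finding stand alone.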
Some XDR solutions lack comprehensive security coverage, integrations or support for vendors outside of their own ecosystem, as noted above. XDR systems often do not support both on-premises and cloud applications, infrastructure and services, which leaves visibility gaps.
When seeking a detection and response solution, look for a vendor-agnostic one like Blumira that can provide comprehensive security monitoring across different platforms, integrating with endpoints, firewalls, cloud infrastructure (AWS, Azure), collaboration applications and more.
“Extended detection and response seeks to tie everything together to help amplify what you can see and how well you’re able to respond. It helps unify complex environments, so you can downsize from six solutions down to one,” Arsenault said.
With a comprehensive, centralized solution like XDR, you can get visibility across your entire environment with less need for custom software and no need to train people on five different systems. That results in happier security staff due to better use of their time and resources, as noted by Microsoft.
“This frees up your team to focus on more strategic issues, by giving them as many useful tools as possible,” Arsenault said.
In another talk, How to Ruin Your SOC in 5 Easy Steps, RSA Field CTO Ben Smith states that while an old-school SIEM (security information and event management) system is primarily designed to capture logs as a record of the past, you need a deeper understanding of what is actually happening now on your network.
“Bringing a holistic view of what’s happening in your environment – from the user, through to the network and into the cloud – provides visibility anywhere and everywhere data and applications live. XDR is where you should be headed – if you’re not already there today,” said Smith.
Simplifying Cloud Security Detection and Response
It’s clear the market is trending toward unification, simplification and consolidation to help resolve customer and market problems around too much complexity, vendor sprawl and cloud security gaps. Bringing together security insights into one centralized platform that supports both on-premises and cloud services can ease the burden on overworked security teams while shedding light on security gaps.