Addressing security sprawl

David Herselman, Managing Director, inq. South Africa.

---

Many companies still consider cyber security a grudge purchase. What's worse, these businesses often only allocate the necessary funds after an incident or a regulatory change forces their hands. The normalisation of the hybrid work environment has certainly contributed to a false sense of security. Often, organisations think their traditional perimeter and endpoint security solutions are adequate even after migrating their data and apps to cloud environments.

In practice, the cyber security landscape has become cluttered with vendors trying to outdo each other with confusing acronyms and overlapping features. This has resulted in a fragmented array of security solutions. It could be argued that the industry needs regulation of its own to clarify and silo vendors and products. At least then it will be easier for consumers and organisations to get clarity on what they are using and what they are buying. Having said that, this approach could be detrimental to one of the best ways to strengthen a company’s defences – adopting a multi-layered cyber security approach.

Even though the hype surrounding machine learning and AI has resulted in decision-makers expecting a "set it and forget it" security solution, the reality is quite different. Detecting advanced persistent threats relies on correlating indicators of compromise (IOC) and subsequent threat hunting to investigate anomalies. For example, heuristic analysis of network traffic might flag an endpoint suddenly uploading data to the internet, which could indicate data exfiltration or simply a user backing up information.

Rather, there is a growing consensus that network traffic analysis (NTAs such as firewalls, switches with NetFlow/sFlow or SPAN), endpoint detection and response (EDR) telemetry, cloud service provider logs, in-house server and workstation audit logs and event logs need to be consolidated and correlated.

A secure access service edge (SASE) solution has almost become a requirement to manage and monitor hybrid workers effectively. Historically, enterprises have achieved this through a security information and event management (SIEM) solution, coupled with an in-house security operations centre (SOC). Small and medium-sized businesses can access similar managed detection and response (MDR) services from MSSPs, though these often do not cover the full scope of services an in-house SOC provides.

Extended detection and response (XDR) solutions attempt to persuade clients to adopt a single solution to address these challenges. However, these solutions are often vendor-specific with limited integrations, whereas SIEM/SOC solutions offer far greater compatibility in data ingestion.

Those companies that take their cyber security seriously combine tools (NTA, EDR, XDR or SIEM), security frameworks (eg, the zero trust reference architecture), regulations (POPIA, GDPR, FINRA, HIPAA and PCI DSS), AI, human threat hunting and user training within an ongoing cycle of continuous improvement.

However, there is no one-size-fits-all solution for cyber security. The key to effective security lies in a comprehensive, multi-layered approach that incorporates the best tools, frameworks and practices.

As a trusted cyber security partner, our approach entails working with leading vendors like Check Point and maintaining a broad range of in-house skills. In this way, we ensure that we can provide tailored solutions to meet the unique needs of each business. By continually evolving our strategies and staying ahead of emerging threats, we help our clients navigate the complexities of security sprawl and achieve a more integrated security posture.