05 Jun The Future of Autonomous Mitigation
Abstract – Solving the challenge of Self-Healing Networks:
The world’s most secure networks leverage the combined strengths of multiple technologies.
Their goal is to use a multi-layered approach, to create a combined solution which is stronger and more resilient than its individual components.
This document discusses each of the four key technologies, providing both summary information and the detail behind each capability, its limitations and contributing strengths.
There are four key technologies; monitoring, scanning, configuration auditing and SIEM.
Each technology is architecturally designed for onespecific expertise area. The complementary technologies each have a strength that none of the others can adequately provide.
- Monitoring – Live Activity Detection
- Scanning – Network Discovery
- Configuration Auditing – Granular Accuracy
- SIEM Systems– Collating the Big Picture
Monitoring:Provides a “Live View” of current activity on your security systems. For simplicity, monitoring includes any technology that sits on your network and monitors systems or network activity. This includes email gateways, web filtering, IPS and firewalls. Monitoring systems shine at detecting active attacks or malicious activity.
Scanners: Provide a “Helicopter View” of security systems. They lead with discovering what is on your network and normally provide externally basedsecurity insights via generative security data. (They interrogate, attack or exploit systems to generate security data, which they then analyzeand extrapolate into meaningful results).
Configuration Auditing:Provides a “Granular View” of security systems. They analyzeinternalsystem information already presenton your network devices,refining mass configuration and operating system data into precise risks and remediation actions. Granular “line by line” analysis (delivered at scale) and virtual modelling technology builds human understanding into how device settings interact with each other, giving a more accurate picture of security and compliance risks.
SIEM solutions: Provide the “Executive Summary” of your current security risks by refining key information from different technologies & data sources together into a unified “big picture”.
They are particularly beneficial for large enterprises as they provide a way of viewing security, risk and compliance issues from levels of data that could otherwise be overwhelming.
Future SIEM solutions may provide the interface for autonomous mitigation solutions –
the next generation of network defense systems, predicted to be “self-healing”.
Technology Strengths
Multi-layered defenses leverage technology strengths to create a combined solution, stronger and more resilient than its individual components. To be effective this solution requires two complementary security perspectives – the “helicopter view” produced by scanning technology, balanced by the “granular view” of monitoring and configuration auditing.
Each technology is explained in more detail later in this document.
Disclaimers
As we are discussing the “most secure” networks in the world we will talk about the most applicable technologies in each area. This document will include advancedmonitoring & scanning tools, intelligentconfiguration auditing systems and market leadingSIEM solutions.
For reference there are two types of configuration auditing technologies:
- “find and match” text string analysis (grep) tools and
- solutions with built-in AI / virtual modelling intelligence.
As “grep” configuration auditing is prone to false positives and negatives this document focusses on configuration auditing solutions with enhanced process automation, built-in intelligence engines and natural language processing capabilities.
Not Covered
Although building a secure intelligent architecture is essential, technology alone will not create a secure network – there are other vital components. Industry best practices, user training, behavioural analytics, polices, procedures and compliance standards are not covered in this document, but should be additionally incorporated into your security ecosystem and practices.