Jack Danahy, SVP, Strategy and Security Chief Evangelist, Alert Logic
In planning your security and later managing it, nothing is more important to a meaningful security outcome than visibility. When an experienced CISO starts her job, the first questions are all about the environment, the business priorities, the organization, and the existing portfolio. When an analyst is deploying protection or detection technology, they first need to find a way to map out all of the systems, services, and connections that comprise the organization’s IT infrastructure. This is because blind spots and gaps in coverage are where breaches find their initial footing. Once a trusted resource is corrupted, spread and damage follow.
In Managed Detection and Response (MDR) this is especially true. When an MDR provider is minimizing the likelihood of a successful attack, they can only offer alerts and responses to new threats for systems and services that they can see. They can only minimize the damage from successful attacks when they are able to monitor the behavior of users and systems. That’s why visibility, specifically the capability to “Provide 24/7 visibility and cover all assets in an organization,” is the second tenet of effective MDR, following the definition of the value of MDR itself.
You’ll notice that time is also a characteristic of visibility. Being able to see every asset is critical, but so is having the capability to see it at all times. Security, unlike most business functions, does not follow a fixed schedule. The pervasive quality of internetworking dictates security that is continuously watching, as a worldwide and automated attacker population is unlikely to wait for regular business hours to attack. As a result, visibility is both comprehensive and continuous.
The benefits of all of this effort and investment in visibility are substantial. Let’s talk about three:
- Completeness and Consistency
Cybersecurity is always measured along a continuum, from less secure to more secure. There are no absolutes in these measurements, as each organization’s prioritization of different types of security is derived from the nature of their operation. As a result, the ongoing assessment of security is relative to the changing environment, threats, and to comparisons with past performance. Full visibility is the means through which a baseline can be delivered. Regular reassessments can then operate from a consistent set of assets and measurements, creating a credible narrative around security.
With so much variability in organizational infrastructure, you need full visibility to be able to map and understand the nuances of the organization being secured. The complexities of resource connections, user authorization, or typical and atypical behavior are only comprehensible through complete visibility of the assets and traffic in the environment. This level of understanding provides insights for optimization, for creating logical and physical boundaries for connectivity, and for better managing the messaging and traffic loads that are feeding a security pipeline.
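As an added illustration of the baseline-and-reassessment idea described above (example code written for this page, not code from the article or from Alert Logic), the following Python merges asset lists from several inventory sources into one consistent baseline, reports assets that have no monitoring coverage, and diffs the current baseline against a previous one so that drift shows up at each reassessment. The source names, asset identifiers, and the monitored-asset list are constructed sample data.

```python
"""Asset-inventory baseline and coverage check (added example).

Assumption: each inventory source (a CMDB export, a cloud instance list, an
endpoint-agent roster) yields (raw_identifier, asset_kind) pairs. Identifiers
are normalized so the same host reported by two sources counts once.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str        # normalized identifier (hostname or instance id)
    kind: str            # e.g. "endpoint", "aws_instance", "hosted_server"
    sources: frozenset   # inventory sources that reported this asset


def normalize(raw_id):
    """Case-fold and trim so 'LAPTOP-7F3A' and 'laptop-7f3a' merge."""
    return raw_id.strip().lower()


def merge_inventories(sources):
    """Build one baseline from several sources: {source_name: [(id, kind)]}."""
    seen = {}
    for source_name, records in sources.items():
        for raw_id, kind in records:
            key = normalize(raw_id)
            entry = seen.setdefault(key, {"kind": kind, "sources": set()})
            entry["sources"].add(source_name)
    return {k: Asset(k, v["kind"], frozenset(v["sources"]))
            for k, v in seen.items()}


def coverage_gaps(inventory, monitored_ids):
    """Assets in the baseline that no detection/monitoring feed covers."""
    monitored = {normalize(m) for m in monitored_ids}
    return sorted(a for a in inventory if a not in monitored)


def single_source_assets(inventory):
    """Assets only one source knows about: candidates for inventory review."""
    return sorted(a.asset_id for a in inventory.values() if len(a.sources) == 1)


def baseline_drift(previous_ids, current_inventory):
    """What appeared or disappeared since the last reassessment."""
    prev = {normalize(p) for p in previous_ids}
    cur = set(current_inventory)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


# --- Constructed sample data (not real hosts or instances) ---------------
SOURCES = {
    "cmdb": [("web-01.corp.example", "hosted_server"),
             ("db-01.corp.example", "hosted_server"),
             ("LAPTOP-7F3A", "endpoint")],
    "aws": [("i-0abc123def456", "aws_instance"),
            ("i-0fed654cba321", "aws_instance")],
    "endpoint_agent": [("laptop-7f3a", "endpoint"),
                       ("laptop-9c1d", "endpoint")],
}
# Assets the log/telemetry pipeline actually receives data from.
MONITORED = ["web-01.corp.example", "i-0abc123def456",
             "laptop-7f3a", "laptop-9c1d"]
# Baseline recorded at the previous reassessment.
PREVIOUS_BASELINE = ["web-01.corp.example", "db-01.corp.example",
                     "laptop-7f3a", "i-0abc123def456",
                     "old-app.corp.example"]


def build_report(sources=SOURCES, monitored=MONITORED,
                 previous=PREVIOUS_BASELINE):
    inventory = merge_inventories(sources)
    return {
        "asset_count": len(inventory),
        "unmonitored": coverage_gaps(inventory, monitored),
        "single_source": single_source_assets(inventory),
        "drift": baseline_drift(previous, inventory),
    }


if __name__ == "__main__":
    for section, value in build_report().items():
        print(f"{section}: {value}")
```

The report is what a reassessment should start from: the `unmonitored` list is the blind spots, `single_source` flags where the inventory sources disagree, and `drift` shows what changed since the last baseline so the comparison is made against a consistent set of assets rather than whichever list happened to be handy.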
- Customized Response
Ultimately, all of this visibility and understanding enriches organizational response and the “R” component of MDR. Response is, for many, the defining MDR security outcome. Whether prioritizing the remediation of an aging unpatchable server or containing laterally spreading malware, visibility provides the information necessary to create and execute a measured response to both threats and attacks in progress. Tenet 5 of the MDR Manifesto talks about responses that “reflect business and attack context,” and much of that context, particularly around spread and damage, is only available with full visibility.
You can see why visibility is critical. Whether assets are user endpoints, AWS instances, hosted servers, or cloud-based services, they need to be seen, cataloged, monitored, and understood. With visibility comes the power to understand and manage security planning and responses.
A business mantra is “What you can’t measure, you can’t manage.” In security, the corollary is “What you can’t see, you can’t secure.” It’s a driver that leads organizations to choose MDR, because with MDR visibility comes standard, as do the benefits it brings.
Jack Danahy is SVP, Strategy and Security and Chief Evangelist at Alert Logic, where he applies nearly 30 years of security experience to the challenge of managed detection and response (MDR). He is an innovative security leader with proven success creating, delivering, and evangelizing new security approaches. He has founded three successful security companies, most recently the endpoint and behavioral analytics firm Barkly, acquired by Alert Logic in 2019. In 1999, Jack founded Qiave Technologies (acquired by WatchGuard Technologies in 2000) and in 2003, he started application security pioneer Ounce Labs (acquired by IBM in 2009). At IBM, Danahy was Director for Advanced Security, and also led the delivery of security services for IBM across North America. Jack holds a dozen security patents and is a frequent writer and speaker on a wide range of security topics.