The evolution of the cybersecurity industry has been a response to the kinds of cyberattacks businesses have suffered. Attacks on networks gave rise to firewalls; attacks on endpoints and users gave rise to endpoint security; malicious activity and policy violations gave rise to intrusion prevention systems and SIEMs. The list is long, but every new move by the industry was a response to a new attack vector. These response-based point solutions are good at tackling a one-sided attack. Things get out of hand, however, when a business faces a new-age coordinated cyberattack that combines human operators with automated tooling. Such attacks are multi-dimensional: they use several methods at once to exploit vulnerabilities and weaknesses. SIEM, SOAR and EDR will fall short in protecting the network if they are not integrated and do not exchange cyber threat intelligence.
Security Information and Event Management (SIEM) is an excellent tool: its analysis and correlation engine provides a detailed view of an attack. But if the SIEM cannot communicate with SOAR (Security Orchestration, Automation and Response), SOAR cannot fully orchestrate the response to that attack through its automation playbooks and other automations.
Endpoint Detection and Response (EDR) can take decisions such as isolating an endpoint or quarantining an executable, and can carry out actions such as registry and file add/remove/modify, shell/CMD command execution, and process and cross-process execution. It does this well on its own telemetry, but for an attack that also spans the network and user activity it can only act correctly if it receives cyber threat intelligence from the SIEM and SOAR. The real answer to a coordinated cyberattack is a combination of these point solutions, an integration that lets them share cyber threat intelligence, and a cybersecurity strategy that responds intuitively to cybercriminal behaviour.
Vendors talk about such integration, but they are limited to only their solutions
Nearly all cybersecurity vendors today talk about an integrated platform in which their security solutions work as one system and share threat intelligence. What they do not say clearly is that the system works only among their own point solutions. Real integration and cyber threat intelligence sharing can only happen if the cybersecurity system is vendor agnostic, with every solution talking to every other regardless of who built it. Imagine an organization with endpoints from one vendor and a firewall from another: each vendor would want the organization to replace the other's product to make its system work. From a cost and time point of view that is not feasible for the organization.
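To make the SIEM-to-SOAR-to-EDR hand-off and the vendor-agnostic argument concrete, here is an added example (not code from the original post or from any MSSP or vendor). It maps alerts from two hypothetical products with different field names into one minimal common schema, correlates them per host the way a SIEM rule would, and runs a SOAR-style playbook that drives an abstract EDR action interface. The vendor formats, hostnames, hashes, thresholds and the `EdrActions` interface are all invented for illustration; the sample alerts are constructed.

```python
"""Vendor-agnostic SIEM -> SOAR -> EDR hand-off in miniature (added example).

Every vendor format, field name and threshold below is hypothetical; the
sample alerts are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events in two different (hypothetical) vendor shapes.
FIREWALL_ALERTS_VENDOR_A = [
    {"ts": "2024-03-01T10:00:05Z", "src_host": "ws-17",
     "sig": "C2 beacon to known-bad IP", "sev": 8},
]
EDR_EVENTS_VENDOR_B = [
    {"time": "2024-03-01T10:01:10Z", "device": "WS-17", "event": "process_create",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "sha256": "ab12" * 16, "risk": "high"},
    {"time": "2024-03-01T10:40:00Z", "device": "ws-22", "event": "process_create",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "sha256": "ff00" * 16, "risk": "low"},
]


@dataclass(frozen=True)
class Signal:
    """Minimal common schema every source is mapped into before correlation."""
    when: datetime
    host: str               # lower-cased so both vendors agree on identity
    source: str             # "firewall", "edr", ...
    summary: str
    severity: int           # 0-10
    sha256: Optional[str] = None


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def from_vendor_a(alert):
    """Adapter for the hypothetical firewall format."""
    return Signal(_parse_ts(alert["ts"]), alert["src_host"].lower(),
                  "firewall", alert["sig"], alert["sev"])


RISK_TO_SEVERITY = {"low": 2, "medium": 5, "high": 8, "critical": 10}


def from_vendor_b(event):
    """Adapter for the hypothetical EDR format; maps its risk words to 0-10."""
    return Signal(_parse_ts(event["time"]), event["device"].lower(), "edr",
                  f"{event['event']} {event['image']}",
                  RISK_TO_SEVERITY[event["risk"]], event.get("sha256"))


def load_signals():
    return ([from_vendor_a(a) for a in FIREWALL_ALERTS_VENDOR_A]
            + [from_vendor_b(e) for e in EDR_EVENTS_VENDOR_B])


def correlate(signals, window=timedelta(minutes=15), min_sources=2, min_severity=7):
    """SIEM-style rule: one host raising high-severity signals from at least
    two independent sources inside the window is a single incident."""
    by_host = {}
    for s in sorted(signals, key=lambda s: s.when):
        by_host.setdefault(s.host, []).append(s)
    incidents = {}
    for host, sigs in by_host.items():
        strong = [s for s in sigs if s.severity >= min_severity]
        for anchor in strong:
            cluster = [t for t in strong if timedelta(0) <= t.when - anchor.when <= window]
            if len({t.source for t in cluster}) >= min_sources:
                incidents[host] = cluster
                break
    return incidents


class EdrActions:
    """Abstract action interface; a real SOAR would back this with a vendor connector.
    Here it just records what it was asked to do."""
    def __init__(self):
        self.log = []

    def isolate(self, host):
        self.log.append(("isolate", host))

    def quarantine(self, host, sha256):
        self.log.append(("quarantine", host, sha256))


def playbook(incidents, edr):
    """SOAR-style playbook: isolate the host, quarantine any hashed executable seen."""
    for host, cluster in incidents.items():
        edr.isolate(host)
        for s in cluster:
            if s.sha256:
                edr.quarantine(host, s.sha256)
    return edr.log


def run():
    return playbook(correlate(load_signals()), EdrActions())


if __name__ == "__main__":
    for action in run():
        print(action)
```

The point the example makes is that the action layer (`EdrActions`) and the correlation rule never see a vendor field name: swapping a product means writing one adapter, not rebuilding the pipeline. It also shows why the EDR event alone does not trigger a response under this policy: the same `svc.exe` execution only becomes an incident once the firewall's beacon alert arrives on the same host.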
An MSSP can bring real integration of security products
Because of the services they deliver, such as offensive security, red teaming, breach and attack simulation and automation, MSSPs have first-hand exposure to vulnerabilities, attack methods, attacker behaviour and user weaknesses, and they know what kind of integrated cyber threat intelligence sharing is required to combat coordinated attacks.
If an MSSP takes the leap of faith to integrate forward and build its own security products that are integrated and vendor agnostic, it will be great news for the entire industry and will solve much bigger problems.
Such integrated solutions come from years of experience in understanding cybersecurity solutions, attacker behaviour, user behaviour, and the business environment and ecosystem. MSSPs are part of an organization's entire cybersecurity journey, which is a marathon, not a sprint. It is digital warfare in which organizations must beat cybercriminals every time and in every way. Products created by an MSSP are therefore well placed to be a real ally to organizations in winning this digital warfare.