No cloud API is an island
The evolution of cloud services has coincided with the development of advanced Application Programming Interfaces (APIs) that allow developers to link cloud computing services together, making their data and functionality available for use by other programs. Increasingly, these APIs are also being used for security orchestration and automation, providing critical data and granular control to organizations managing complex cloud apps and cloud-based network infrastructure.
The better a cloud app connects and interacts, the easier it will be for security teams to have the visibility, data, and controls they need.
The perimeter mindset is too simplistic
However, as APIs become more security-centric, it’s frustrating to see how primitive the APIs of many legacy security tools are. Many common security tools that are widely deployed today, such as firewalls, IPS, WAF, and SIEM, were developed with the perimeter mindset – “keep the bad people out, and the good stuff in.”
This fortress mentality also means that interaction with other tools is secondary, and is even considered a security liability. But in the 20+ years that many of these tools have existed, the world of security has changed dramatically.
Where legacy security tools go wrong
Many of these legacy tools are designed to inspect one slice of the security picture, make decisions through hard-wired rules, and deliver information in the form of alerts. This model assumes several things that over time have proven problematic:
- The security tool knows best. Surely a good firewall, with the right rules, can make good enough decisions on what is good or bad. No – not even close.
- They know the context of what is happening. Like a police officer at the mall, these tools keep an eye on traffic and try to guess what people are doing and why. Sorry, Paul Blart – profiling doesn’t work.
- They can keep up with the volume of threats. Honestly, they can… if you turn off detection. But if you actually want to detect what is hitting you, you are out of luck.
It’s probably unfair to ask legacy tools to keep up with threats that weren’t conceived of when they were designed. In fact, many of these tools inspect traffic and collect data that can provide valuable context to more sophisticated, modern analysis systems. But that requires them to communicate properly and expose deep, granular APIs.
Clearly, APIs were not a priority when network security consisted of separate islands. Each tool simply had to do its job: deliver alerts, take the occasional rule tune-up, save logs, and rely on an army of security analysts to pick up the pieces and work out what was going on.
More (contextualized) data is needed
But in today’s reality, where threats are rampant and security experts are hard to find, data sharing and context are critical. Keeping up with billions of events requires AI systems that can handle that much data, continuously learn what is good, bad, or suspicious, understand “normal” behavior by establishing baselines over millions of data points, and ultimately automate routine decision-making.
Doing this requires more data – not less – and that’s where advanced APIs come into play. For example, a modern threat will arrive through multiple network channels and cloud applications. Indicators of phishing can appear not just in email, but on social platforms, in financial apps, or even in CRM systems. A newly discovered vulnerability may be critical for some unpatched systems but of no concern for others, and all of this critical information may sit in your ITSM system, which is often not even in the security loop.
Identifying weak links in the legacy security chain
Innovative security tools, with the help of powerful APIs, can check all channels, look for patterns across domains, aggregate and filter out excess noise, and take action to block threats, file ITSM tickets, and alert stakeholders through any communication channel.
Ironically, the weak link in these scenarios is the limited APIs of legacy security stalwarts such as firewalls and SIEMs. Although they are in a prime position to see a lot of security data, and more advanced cross-channel tools could find important clues and context in it, their APIs are often too primitive to deliver relevant data accurately and fast.
The good news is that modern cloud APIs from AWS, Azure, ServiceNow, Salesforce, and many other platforms embrace this new security approach. It’s natural for them to recognize that sharing more data, more context, and more granular control can significantly improve security outcomes, and make these cloud applications more secure than their legacy network counterparts.
You don’t have to remove legacy security tools, but when you review them, take a good look at their APIs and compare them to modern cloud APIs. If they’re not playing well with others, it’s probably time to pull the plug.
LogicHub uses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges to large teams that automate SOCs, LogicHub makes advanced detection and response easy and effective for everyone.
*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® written by Willy Leichter. Read the original post at: https://www.logichub.com/blog/security-tools-need-to-get-with-the-api-program