How to Deliver a Single Pane of Glass in Cybersecurity
This post has been originally featured on CRFT Blog: https://crft.app/blog/how-to-deliver-a-single-pane-of-glass-in-cybersecurity/.
The idea of a 'single pane of glass,' or SPOG for short, has been just as appealing to cybersecurity teams as it has been elusive, and despite security vendor claims it largely remains a myth. An intelligent automation layer can help security teams get halfway there by bringing monitoring, analysis, and response capabilities together in security operations.
Back in the Day
It certainly sounded enticing — the idea of a central management 'console' to monitor, analyze, and respond to issues in your environment. Having begun as a core concept for network operations centers (NOCs), it eventually spread to most aspects of IT, including security operations.
Of course, in the early days the networks were simpler, users interacted directly with the systems, and organizations frequently relied on a single network vendor. Over time, business systems and the environments supporting them became more sophisticated. Eventually, we began understanding and managing our environments as a stack:
network
system
data
application
user management
As Information Security slowly rose to prominence and became its own vertical, SOCs (security operations centers) became as important as NOCs. With so many vendors, frameworks, and standards across the enterprise, each team in IT relied on their own unique pane of glass. For cybersecurity teams, the idea of centralized management remained unattainable due to the scope and complexity of the challenges specific to InfoSec.
With over 1200 security vendors on the market today, and an average of three products per vendor, it's nearly impossible to build a fitting unified security 'console' without extensive development effort.
A single glass of pain.
Let's Cheat by Using Logs
A unifying solution came from a somewhat unexpected place. Every system and every application has one thing in common — they all produce logs. Timestamped, and frequently preceded by a syslog header, logs are easy to index and search. Because of this, log records quickly became the single universal data standard that supported everyday troubleshooting needs and is the reason we are so addicted to logs in cybersecurity today.
Despite these benefits, log records and audit trails were long stored and managed separately, typically on the host that produced them. It took InfoSec teams to lead the way toward unified log management. Scalable indexing backends like Splunk and Elasticsearch made it easy to collect and analyze logs from any solution or application, and as a result organizations began to realize that the same systems produce data beneficial to multiple teams, including security. Thus Splunk and Elastic applications function as a de facto single pane of glass in many environments today.
However, as useful as logs are, they only paint half the picture. Conceptually, they represent individual events, occurrences in time. What log records don't describe is the state. Sometimes referred to as "context" or "entities", critical security objects also include:
configurations,
relationships,
group memberships,
privileges, and so forth.
A vulnerable configuration is a perfect example of something that will not be found in logs until it is taken advantage of by an attacker.
Other Attempts at Single Pane
SIEM
SIEM solutions (security information and event management) tried to provide context by focusing first on "assets" (hosts) and then on "identity" (related user account information). Unfortunately, SIEMs like HP ArcSight or IBM QRadar were built around event stores with rigid schemas, and those limitations make it difficult to scale an entity data model beyond hosts and users.
UEBA
On the coattails of SIEM emerged UEBA (user and entity behavior analytics), which married user modeling and ML-based anomaly detection on top of normalized event data. Still, UEBA solutions (Securonix, Exabeam) have failed to extend visibility to configurations, vulnerabilities, security standards, and so forth. Eventually, UEBA tools backed into the SIEM feature set, and just like SIEMs, they pass the burden of remediation onto the security practitioner.
SOAR
Eventually, the gap in the automation of security tasks led to the rise of a new vertical, SOAR (security orchestration, automation, and response). SOAR platforms like Phantom (Splunk) or Demisto (Palo Alto Networks) largely evolved from the idea of a security analyst workbench. Most of these tools don't attempt to describe the managed environment at all and focus on workflow optimization instead. Here, management and enrichment of security alerts take precedence over intuitive automation, which feels like supplemental functionality in SOAR.
According to Gartner's 'Market Guide for Security Orchestration, Automation and Response Solutions':
SOAR solutions are not “plug-and-play.” Even though solutions have a library of out-of-the-box use cases and integrations, buyers are reporting multiweek professional services engagements to implement their initial use cases, as every organization’s processes and technologies deployed are different.
Ultimately, neither UEBA nor SOAR has been able to replace scalable unified log management applications as the primary investigation workbench. Ironically, this has led cybersecurity teams to maintain multiple 'single panes of glass.'
Someone Else’s Computer
The rise of cloud computing further complicated the goal of centralized cybersecurity management. As thoroughly discussed by Alex Dow in our blog, cloud environments are ephemeral (i.e. continually changing) by design.
Old shortcuts are ineffective. For example, teams that relied on IP addresses as the primary identifier for their systems quickly realized that "IPs are mostly useless in the cloud." Another classic assumption, that every host can be associated with a person, has also proven deeply flawed. In the cloud, communications are almost entirely machine-to-machine (M2M).
To remain relevant, new security information models need to take into consideration concepts like cloud services, containers, clusters, and key-based access and must avoid making assumptions about the environment.
Automation to the Rescue
For all practical purposes, the idea of a single pane of glass covering all aspects of daily cybersecurity management is still out of reach. To make it possible, a hypothetical 'cyber' console would need to support the following key capabilities:
A comprehensive inventory of security-relevant business-critical entities: from applications and infrastructure supporting them, to vulnerabilities and risks found throughout the stack.
Access to detection events and supporting telemetry, including network metadata, system and application logs.
A flexible, flow-driven orchestration layer, to leverage deployed security and infrastructure tools.
An ability to discover, validate, and remediate security risks, misconfigurations, and other actionable items, found in static (context) and dynamic (event) data.
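As an added example (not code from the CRFT post or from any product it mentions), the following Python sketch shows the event-versus-state distinction from the "Let's Cheat by Using Logs" section together with the inventory, event, and risk-discovery capabilities listed above. It parses a few constructed syslog lines into events, checks a constructed host inventory for a weak sshd configuration, and then joins the two: a host with the weak setting but no matching log activity is still reported, which is exactly what logs alone would miss. The hostnames, instance IDs, sshd settings, and log lines are all made up for illustration, and hosts are keyed by name rather than IP for the cloud reasons given above.

```python
import re
from collections import Counter

# Constructed sample syslog (RFC 3164 style) lines -- not real data.
SAMPLE_LOGS = """\
Mar 12 09:14:02 web-01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 09:14:05 web-01 sshd[2231]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 12 09:14:09 web-01 sshd[2231]: Accepted password for root from 203.0.113.7 port 51041 ssh2
Mar 12 09:20:44 db-01 sshd[1187]: Accepted publickey for deploy from 10.0.4.12 port 40100 ssh2
Mar 12 09:21:03 app-02 cron[410]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Timestamp, hostname, program[pid]: message -- the common syslog header shape.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[\w\-/]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(text):
    """Turn raw syslog lines into event dicts (ts, host, app, pid, msg).

    Events are points in time: they say what happened, not what state a host is in.
    """
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# Constructed entity inventory (state, not events). Keyed by hostname because
# IPs are unstable in cloud environments; the instance IDs are made up.
INVENTORY = {
    "web-01": {"instance_id": "i-0a1", "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"}},
    "db-01": {"instance_id": "i-0b2", "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
    "app-02": {"instance_id": "i-0c3", "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"}},
}

# sshd settings that together expose a host to password guessing against root.
WEAK_SSHD = {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"}


def static_findings(inventory):
    """Misconfigurations found purely from entity state. No log line is needed."""
    out = []
    for host, ent in inventory.items():
        weak = [k for k, v in WEAK_SSHD.items() if ent["sshd"].get(k) == v]
        if weak:
            out.append({"host": host, "instance_id": ent["instance_id"],
                        "weak": weak, "severity": "medium"})
    return out


def correlated_findings(events, inventory):
    """Join events onto entity state and escalate weak hosts that show activity.

    A weak host with no log activity stays in the result at its static severity:
    the configuration is a risk whether or not anyone has tried it yet.
    """
    findings = {f["host"]: f for f in static_findings(inventory)}
    failed = Counter()
    accepted = set()
    for e in events:
        if e["app"] != "sshd":
            continue
        if e["msg"].startswith("Failed password for root"):
            failed[e["host"]] += 1
        elif e["msg"].startswith("Accepted password for root"):
            accepted.add(e["host"])
    for host, f in findings.items():
        f["failed_root_logins"] = failed[host]
        if host in accepted:
            f["severity"] = "critical"  # weak config plus a successful root password login
        elif failed[host]:
            f["severity"] = "high"  # weak config and someone is already probing it
    return sorted(findings.values(), key=lambda f: f["host"])


if __name__ == "__main__":
    for f in correlated_findings(parse_syslog(SAMPLE_LOGS), INVENTORY):
        print(f)
```

Run as a script, the output lists web-01 as critical (weak config, two failed and one accepted root password login) and app-02 as medium with zero related events; db-01, which has the hardened settings, does not appear at all. The static and correlated views are deliberately separate functions so that the inventory check can run on a schedule against the entity store while the correlation step runs against the event stream.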
The democratization of automation by orchestrating deployed solutions is especially important. We must not treat cybersecurity as a discipline separate from business, and most IT teams are already responsible for some aspects of security. Custom engineering efforts don't scale well for enterprise, and so the ability to easily implement automation should be accessible to the majority of IT users.
The above approach can solve a wide variety of difficult challenges in SPOG:
Challenges around data collection and keeping critical inventories current.
Management of security configurations, particularly in public cloud.
Detection of risks and threats.
Automation of incident investigations and their containment.
By residing at the intersection of information and process, an intelligent automation layer can deliver monitoring, analysis, and response capabilities to the modern operations center.
Final Thoughts
Customers are inundated with cybersecurity vendors’ promises of a single pane of glass for cybersecurity. It’s unfortunate because the inability to deliver a reliable working solution hurts the customers as well as the security industry at large. In order to meet this need, a cybersecurity management “console” must leverage a combination of scalable log ingestion, effective entity modeling, and accessible automation capabilities.