What are the top challenges of security operations center (SOC) teams? Keeping up with the volume of security alerts as more devices are added to the network, and a lack of integration between security tools, which generate their own incidents but don’t always share information. This lack of interoperability and inability to share event data results in network and security tools working in silos with no context.
In contrast, if a network engineer/SOC team member is able to see all the devices in a unified interface, all of that information provides context, enabling him/her to respond more quickly to security and network changes. The enormous value derived from alert prioritization and shorter incident response times is the reason why so many organizations are investing heavily in technologies to automate security operations and threat detection, and creating their own security operations technology by integrating multiple tools.
To freely exchange information between tools from different vendors and shorten incident response time requires a “Switzerland” solution; that is, an overarching solution that has no specific vendor alliances. The Infoblox Ecosystem license is that neutral party. It allows enterprises to interconnect different networks and security tools to enable visibility into the entire network, break silos between teams, automate processes, reduce time to containment and improve ROI of existing IT and security investments.
Breaking down borders between network and security systems
Security and network operations teams operate as separate “countries,” each with its own systems and priorities. The network team works to ensure network availability, whereas the security team is focused on risk mitigation. Security teams manage and maintain policies on multiple dedicated security products and tools, including firewalls, endpoints, proxies, sandboxes, etc. Network teams are focused on network infrastructure systems. Both teams have independent logging systems that don’t share information with one another. In addition, security teams have data from Windows event logs, authentication logs, applications logs, firewall and proxy logs.
Let’s look at how a typical incident situation at many companies plays out. When a malicious attack occurs, the security engineer goes to SIEM to determine the impact on the network. Since there is no network context in SIEM, he/she would need to reach out to his network counterpart, who may not be immediately available. Without his/her network counterpart, the security engineer then might need to sift through a large volume of DNS logs and correlate that data with SIEM to figure out whether the network is impacted. Even working with the network engineer, it would probably require some time to collaborate and correlate the data between systems to determine the impact. This typical scenario results in delays in responding to threats, which must be contained as soon as possible.
Operating in silos makes security and incident response efforts unnecessarily difficult due to manual, inefficient, and latent data sharing – and ultimately is a waste of resources. Which is why network and security teams need a better way to share information for the incident response.
In a more interoperable and an ideal world, the engineer would automatically receive the DNS data within SIEM, enabling faster threat detection. The security engineer could then respond to the threat immediately, without needing the network team, and ensure the malicious attack did not spread to the entire network.
Infoblox: We complete, not compete
As “Switzerland,” Infoblox provides the neutral party with open APIs (both inbound and outbound) and out-of-the-box, vendor agnostic integrations for cloud and next-gen environments. This single-pane-of-glass view – combined with up-to-date threat intelligence – enables companies to break data silos, achieve near real-time visibility, and gain actionable network intelligence into an enterprise’s ever-changing infrastructure. Infoblox integrates with a range of security and network systems and tools, including advanced threat detection (ATD), threat intelligence platforms (TIP), SIEM, vulnerability management, NAC solutions, next-generation endpoint security, VMware, Cisco, Microsoft, Nokia, AWS, Azure, HP Enterprise and more.
Security integration and automation is now a requirement for enterprises, as the volume of security alerts will only increase. Infoblox is a smart way to more effectively leverage all of the tools currently in your security ecosystem to derive the context SOC teams need to keep your networks and data protected.
 ESG research report on Security Operations Challenges, Priorities and Strategies, 2017.