Interview with Denny LeCompte, Senior Vice President of Products at AlienVault
AlienVault likes to say that the security industry has continued to follow several paths that have resulted in little return. What exactly do you mean by that?
DL: The problem facing security professionals today is that they are tasked with securing complex environments against complex threats. And what does the security industry offer them as a solution? More complexity that comes in the form of multiple point solutions.
Here’s a high-level look at the typical lifecycle we see today. The bad guys invent a new class of attacks. Security vendors leap into action and create a new product to prevent this form of attack. Security professionals then buy and deploy the solution, learn how to use it, and try to integrate it with their existing tools. And then, when that class of attacks becomes less effective, the bad guys invent something new, and the cycle repeats.
As a result of this endless cycle, security professionals might end up with a dozen or more security tools to monitor, each of which has its own complexities, and none of which actually work together. Even if you’ve got the budget to buy multiple solutions and hire a huge team to monitor them, managing a situation like this is both tough and time consuming. Companies that don’t have the available resources to support this approach to security are left on the outside looking in. In response, many smaller security teams end up focusing solely on implementing basic prevention and protection solutions, while keeping their fingers crossed that nothing bad will happen.
It’s time that the security industry, along with IT and business professionals, rethink their basic approach to security. The best way for companies to manage advanced threats amidst chaotic and complex environments is to embrace the fact that, as long as they are operating, they will never be without risk. They need to stop playing outdated defensive games, like throwing more technology onto the stack and hoping for the best, and instead implement a unified approach that simplifies security and allows them to focus on what they do have control over: effective threat detection and incident response.
If a company has a good firewall and solid endpoint protection, why would they need anything else?
DL: Organizations must immediately acknowledge the fact that it’s no longer a question of if their systems will be breached, but when. In this new cybersecurity landscape, the idea that a company can get by with just a firewall and antivirus solution has been thoroughly discredited. The reality is that implementing only basic perimeter security will not be enough to keep the bad guys out. Creative cybercriminals are slipping past corporate perimeters in a variety of different ways, and if IT departments focus solely on prevention and protection, then they often don’t have the tools in place to realize in a timely manner that they’ve been breached.
Living in a state of blissful ignorance is no longer a choice. Everyone is now a target – even the smallest of companies. The bad guys have proliferated, and their methods are highly scalable. Choosing to focus your resources on threat detection and incident response (rather than protection and preventative measures) is the best way to mitigate risk in today’s world of advanced and ever-changing threats. If you accept the fact that you will be hacked, then you can put the right tools in place to help you discover a breach as soon as it happens, respond immediately to mitigate it and quickly repair any damage.
AlienVault has had a Unified Security Management (USM) on-premises platform for years and just took it to the cloud with USM Anywhere. Why is a unified security platform so important?
DL: As we discussed earlier, if you have a point product for every type of threat, you’ll quickly find yourself drowning in ineffective, expensive and difficult-to-monitor solutions. In contrast, if companies adopt a unified approach to security management, they can greatly simplify the process, making comprehensive security more attainable and more affordable at the same time.
Our unique Unified Security Management approach provides a collection of essential security tools – asset discovery, vulnerability assessment, intrusion detection, behavior monitoring and log management, plus integrated threat intelligence – that work together while tackling different aspects of the security challenge. By combining security essentials into an integrated solution that streamlines workflows and provides users with a single interface to monitor all infrastructure, AlienVault’s unified approach makes it possible for small, and even one-person, teams to detect and respond to threats – even in the most complex networks.
Can you tell us more about USM Anywhere?
DL: USM Anywhere was built as a cloud-native security monitoring platform that solves the fundamental security challenges we’ve been discussing – delivering effective threat detection and incident response for all environments. Like our original USM product (now called USM Appliance), USM Anywhere takes a unified approach to security. At a high level, it’s the first all-in-one Software-as-a-Service (SaaS) security monitoring platform that provides centralized threat detection, incident response and compliance management of cloud, hybrid cloud and on-premises environments from a single cloud-based console. It significantly simplifies security and reduces deployment time, so companies of all sizes can go from installation to first insight within minutes. And, it provides advanced automated response orchestration with external security tools and applications, making it easier for IT teams to respond quickly and efficiently to identified threats.
Through lightweight sensors deployed in the customer’s various environments, USM Anywhere discovers assets; monitors for intrusions and suspicious user behavior; collects, normalizes and consolidates logs; and detects vulnerabilities. As data is collected, the sensors send it to our system-secure AlienVault cloud to be analyzed and correlated. Our cloud-based system is fully informed by AlienVault’s threat intelligence, an up-to-date collection of security knowledge assembled by our in-house security research team.
What’s so exciting about this new platform is that it gives users a single view of their on-premises and cloud environments. So many legacy solutions force users to run two separate products, one for each environment, but separate systems make the job of security professionals much more difficult – not to mention they provide holes for the bad guys to slip through.
USM Anywhere offers AlienApps to extend its essential capabilities to leading security solutions. Why is this so important?
DL: The threat landscape is constantly evolving. With that grim knowledge in mind, we developed AlienApps as a way of fighting back. USM Anywhere employs a very modular design, and many of our core functions are built as pluggable AlienApps. Essentially, AlienApps are out-of-the-box integrations with leading security tools such as Microsoft Office 365, Cisco Umbrella and McAfee ePO. With the ability to perform data extraction, data visualization and security orchestration of third-party security applications and tools directly from within USM Anywhere, AlienApps enable users to leverage the USM Anywhere platform as a single point of security monitoring for their entire IT landscape.
For instance, the Amazon Web Services (AWS) sensor works because it has the AWS AlienApp plugged into it. The AWS AlienApp contains in-depth knowledge about this specific environment, which gives it the ability to identify events and detect threats that are unique to AWS.
Additionally, AlienApps don’t just provide a way to deliver security essentials; they also offer a way for AlienVault and its partners to extend the platform beyond threat detection. We envision new AlienApps that will also integrate those “prevent and protect” technologies into our Unified Security Platform. For example, an AlienApp could be designed to pull data from an endpoint protection agent, but could also take specific actions (e.g., pull an infected endpoint off the network) if a threat is detected elsewhere in the system.
One of our first partner-focused AlienApps works with Cisco Umbrella, the company’s secure internet gateway. Now, when USM Anywhere detects a bad IP address using Open Threat Exchange data (see more below), it can reach out to Cisco Umbrella and automatically add that IP address to its block list. Most recently, we announced an AlienApp for Office 365, which allows users to monitor activity in the 365 suite of cloud applications, including Exchange, SharePoint, OneDrive and Azure Active Directory.
Why should companies consider a SaaS solution? What are the advantages?
DL: One of the great advantages of the USM approach is that it’s far simpler than managing multiple point solutions. For security teams with limited time and staff, it’s hard to over-emphasize the importance of this kind of comprehensive simplicity. Managing a raft of tools is a difficult, if not impossible, task, and we’ve learned from our 5000+ customers over the years that security professionals want to manage the actual security of their environments, not their security products. With SaaS, we handle pretty much everything, from monitoring, to performing upgrades, to managing the volumes of logs in both “hot” and “cold” storage.
In addition, we can deliver these services at a better cost than our customers can on their own. We benefit from cost efficiencies because we’re managing the infrastructure of hundreds and, before long, thousands of customers. At this scale, we hire developers to automate everything, and as we scale up, we get volume discounts for our cloud infrastructure. So, the economics just don’t make sense for any individual company to handle all of these aspects on their own.
Additionally, we receive these benefits without being “multi-tenant.” Because we deal with security information, we do not mix different customers’ data into a single data store. We always keep everything separate. In other words, we’re single-tenant, but highly federated.
We’re hearing more and more about threat intelligence, and it’s a key component of USM Anywhere. Can you explain what it is, and how it helps organizations with threat detection and incident response?
DL: Threat intelligence is fundamental to anyone trying to detect and respond to attacks. For too long, threat data was only available to the largest of enterprises that had the budget to access it. AlienVault believes that threat intelligence should be available to the masses at no cost.
Launched in 2012, our Open Threat Exchange (OTX) is the world’s largest crowd-sourced threat repository and threat-sharing community. It features more than 53,000 participants in 140 countries, who contribute more than 10 million threat indicators daily. OTX provides organizations of all sizes with immediate, universal access to real-time threat intelligence information – a requirement for effective threat detection and response today. OTX feeds into USM Anywhere, so companies can use threat data in context.
How is AlienVault different from other security vendors?
DL: AlienVault has been rethinking security for years. Instead of making security a costly, time-consuming and complicated issue by adding more complexity to an organization’s environment, AlienVault chose to focus on a single, straightforward, unified approach. This approach enables us to meet the needs of resource-constrained organizations by providing them with the same threat detection and incident response capabilities available to Fortune 500 companies but without the headaches and hassles of deploying and integrating multiple products. Additionally, as mentioned, we’ve been advocating for open threat intelligence for years. Our core philosophy is that a better security posture for anyone is a better security posture for everyone.
We firmly believe that the combination of unified security management and open threat intelligence uniquely positions us to offer better, more comprehensive threat detection and incident response to companies of all sizes.