Top 5 security tools and services for 360° coverage

Elango
SquareShift
Published in
4 min read · May 17, 2022


It is overwhelming to see the number of security products and services available in the market, and this article seeks to classify them and lay them out for easy consumption by the target audience.

A recent visit to the BlackHat Asia conference in Singapore served as a one-stop place to interact face to face with industry veterans and experience live demos.

Sponsors and partners at BlackHat Asia 2022

In this article we will focus on five security services that are must-haves for applications in production. We will not be covering DevSecOps tools and processes; this is a good article for understanding the DevSecOps toolchain.

Security Landscape for Apps in Production

Identity & Access Management (IAM)

IAM in simple terms deals with creating and managing users and what they have access to. That was a startup-level explanation; in enterprises, IAM uses a directory server to house identities, i.e. anyone from humans, to groups of them, to system accounts: every noun in a system has an identity here. Then comes identity governance and administration, which covers handling of hybrid environments, Single Sign-On, and reporting and auditing of IAM.

Another major service in this pillar is managing privileged access to systems. This spans elevated access, password management, remote access and SSL key management. There are products that provide granular access control, composite controls and automation around how privileges are granted and revoked.

Products in this space offer one or more of the services below:

  • Active directory management
  • Identity governance and administration
  • Privileged Access Management

Security products that offer IAM services: ManageEngine, ARCON

Security Information & Event Management (SIEM)

With both cloud and on-premise installs, a huge amount of logs, metrics and machine data gets generated; this data provides valuable information about suspicious activity and anomalies. The job of a SIEM is to provide an easy mechanism to consume this data and detect threats from it.

SIEM services offer:

  • Integrate and consume logs from cloud-native services, audit trails, operating systems, firewalls, network/VPC flow logs, application servers, etc.
  • Detect threats by using a combination of Machine Learning and static detection rules that are kept up to date.
  • Consume threat intel feeds and use them to identify the source and destination of malicious activity.
  • Collect forensic evidence when a threat has been identified.
  • Perform threat hunting.

Products that offer SIEM: Elastic SIEM, Rapid7 InsightIDR
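To make the SIEM bullets concrete, here is an added example (not code from the article or from any of the products named): a minimal detection pipeline that parses constructed syslog-style lines, applies one static rule (repeated failed logins from a single source inside a time window) and enriches events with a constructed threat-intel feed so that alerts name whether the source or the destination matched an indicator. The log format, field names and indicator list are all assumptions made up for the example.

```python
# Added example, not from the article: a toy SIEM pipeline over constructed logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like "key=value" format; not real data).
LOG_LINES = [
    "2022-05-17T10:00:01 sshd auth=fail src=203.0.113.7 dst=10.0.0.5 user=root",
    "2022-05-17T10:00:03 sshd auth=fail src=203.0.113.7 dst=10.0.0.5 user=admin",
    "2022-05-17T10:00:05 sshd auth=fail src=203.0.113.7 dst=10.0.0.5 user=test",
    "2022-05-17T10:00:09 sshd auth=ok src=192.0.2.10 dst=10.0.0.5 user=alice",
    "2022-05-17T10:01:00 fw action=allow src=10.0.0.8 dst=198.51.100.23 port=443",
]
# Constructed threat-intel feed: indicator -> description (documentation IPs only).
THREAT_INTEL = {"203.0.113.7": "known brute-force scanner",
                "198.51.100.23": "C2 server"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")

def parse(line):
    """Turn one log line into a dict with a datetime and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped, not crashed on
    event = {"ts": datetime.fromisoformat(m["ts"]), "log": m["source"]}
    event.update(kv.split("=", 1) for kv in m["kv"].split())
    return event

def detect(lines, fail_threshold=3, window=timedelta(seconds=60)):
    """Return alerts as (rule, direction, ip, detail) tuples, in event order."""
    alerts, failures = [], defaultdict(list)
    for event in filter(None, map(parse, lines)):
        # Threat-intel enrichment: flag whichever direction matches an indicator.
        for direction in ("src", "dst"):
            ip = event.get(direction)
            if ip in THREAT_INTEL:
                alerts.append(("threat_intel", direction, ip, THREAT_INTEL[ip]))
        # Static rule: N failed logins from the same source inside the window.
        if event.get("auth") == "fail":
            hits = failures[event["src"]]
            hits.append(event["ts"])
            hits[:] = [t for t in hits if event["ts"] - t <= window]
            if len(hits) == fail_threshold:  # fire once when the threshold is hit
                alerts.append(("brute_force", "src", event["src"],
                               f"{fail_threshold} failures in {window.seconds}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

A real SIEM adds the ingestion connectors, rule updates and ML scoring the bullets describe; the shape of rule evaluation plus indicator enrichment is the same.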

Endpoint Management & Continuous Security Posture Scan

We have all experienced endpoint protection, from something as simple as the anti-virus software protecting our desktop to Web Application Firewalls and DDoS protection tools that ensure that endpoints (read as ports, URLs, hosts) open to the internet are secured at all times.

The newest kid on the block is Continuous Security Posture scanning: these are services that are configured with your domain name and continuously scan the services exposed on that domain and its sub-domains for security posture. For example, when a domain like www.acme.com is configured, the scan ensures that an internal API exposed by mistake at www.acme.com/admin/api is automatically identified and alerted on. Some services go beyond security and offer brand management to identify whether any firms are impersonating your brand.

Services offered include:

  • Dark Web Monitoring
  • Both Data and Credential Leaks
  • Brand / VIP / Executive impersonation
  • Multiple Language support (human languages like English, French, Tamil, etc)
  • Handle multiple industry domains
  • Patch management
  • Data Loss Prevention

Products that provide endpoint protection and continuous security posture monitoring: Rapid7, Informer.

Security Orchestration, Automation and Response (SOAR)

SOAR integrates with a SIEM and performs automated responses to security events. SOAR addresses a common problem faced by most firms: after installing endpoint security, a SIEM or other security systems, these systems create alerts, and that is when firms realise they don't have skilled employees to handle those alerts and identified threats. This is where SOAR steps in and provides pre-built, automated responses that can be fired at will.

Services offered by SOAR:

  • Modular visualisation layer
  • Response Workflow builder
  • Simple integration to new systems
  • Robust automation engine

Products: Swimlane

Threat Intel

By centralising and continuously updating threat intelligence, threat intel feeds enable security operations and incident response teams to identify relevant and new threats. Examples of threat intel range from malicious IP addresses and malicious domains to recent vulnerability disclosures, zero-day attacks, etc.

Threat intel feeds provide one or more of the services below:

  • Threat description and detection signatures
  • Threat risk scores
  • Integrate directly into SIEM and/or SOAR

Products: Recorded Future, CrowdSec

The security landscape is constantly changing and upgrading with new products and tools. Bucketing them into one of these five areas will help identify duplication and ensure 360-degree coverage.


Elango has held several senior positions in Big Banks and Startups. He likes sharing about tech and explaining tech to people who are new to it.