
Evolution of managed security. Marco Bavazzano’s interview on Cybersecurity360

14 October 2022


Author

Redazione Axitea

The progressive digitisation of business has led to a rapid evolution of corporate ICT infrastructures with an increasing use of remote cloud services, distributed infrastructures, edge computing, IoT as well as more applications. Changes that have expanded the attack surfaces for cybercrime and potentially vulnerable assets, requiring continuous updating of defence approaches.

Technology offers valuable help in increasing the security levels of networks and systems, but only when accompanied by effective management. This is a problem for many companies that have staff engaged in several tasks at the same time, making it difficult to ensure the skills and up-to-date training that are needed to handle security issues. The increasing complexity of the equipment and analysis for the detection of new threats and the speed of reaction needed to ensure effective protection make it necessary to call on external resources.

With the help of Axitea CEO Marco Bavazzano, let’s see what the most common shortcomings are in the area of management and what a security provider can offer to be of concrete help.

Technologies to detect attacks in new digital contexts

Being able to rely on threat detection capabilities and on a quick reaction to cybersecurity events is vital for business continuity, but it is much more complex than in the past because of the growing amount of data and systems that must be analysed and protected. It is a challenge that requires means adapted to the exponential growth of the information in which signs of vulnerability must be sought, along with traces of attempted attacks or other illicit activities. Attacks by cyber criminals are always preceded by scouting activities on systems or networks; detecting them early is the challenge to be overcome in order to raise the most effective defences in time and protect the company.

It is no coincidence that machine learning and artificial intelligence (ML/AI) technologies are becoming increasingly important in the field of security. Modern attack detection platforms cannot do without specific algorithms to recognise the characteristic patterns of breaches and then automation to raise barriers before an attack can do serious damage.

The problems of management and data for decision-making

While the defence of smaller companies can be left to individual technologies, in larger companies where servers, e-commerce services, cloud, agency connections and geographically distributed branches operate, there are many more critical issues. The most relevant one concerns the optimal management of existing security infrastructures, acquired from different suppliers and layered over time. “This is a situation we encounter frequently,” explains Bavazzano. “Almost all companies have invested in cybersecurity systems and believe they are reasonably secure because of this. Instead, they have serious difficulties when it comes to management: they fail to integrate and correlate events and reports.” This condition interferes with the ability to decide, based on the company’s business model, whether a given event or set of cascading events is lawful behaviour or not. “Tasks for which ML/AI technologies turn out to be indispensable filters, useful to exclude false positives as much as possible and to consolidate multiple events into timely and circumstantial reports,” Bavazzano points out. “Capabilities that cannot replace expert evaluations, but which greatly reduce the burden and time of decision-making, allowing for timely actions.”

How agnostic and integrated management is achieved

As we have seen, defence against digital threats requires extreme promptness. This is an objective that requires the fine-tuning of management on two levels: “On the first, there is the integration of data coming from different systems so that attacks can be analysed and identified,” explains Bavazzano. “On the second, there is the automation that is needed to raise the defences in the shortest possible time.” Correctly managing heterogeneous equipment and data requires technical specialisation as well as knowledge of the risks specific to the business. The management of these aspects through services offered by technology vendors is today limited by the complexity and use of multivendor components.

“Effective protection requires the ability to synergistically manage all the equipment and solutions employed,” explains Bavazzano. “A need that is not clear to everyone and is often not recognised in the tenders of large companies, where we find binding demands for expertise on specific platforms.” Whether security management is done in-house or with external providers, the ability to support heterogeneous environments is relevant. “In our case, having to manage the environments of a large number of customers (over 500, ed.) as a security provider, we developed our own security management framework capable of talking to most anti-malware and SIEM systems,” Bavazzano points out. “Our platform translates the source vendor’s proprietary information into a single language, harmonises and interprets it for the purpose of both event management and defence measures.”

The latter task is the prerogative of SOAR (security orchestration, automation and response) technologies whose capabilities enable rapid reactions in the order of seconds.

The components that cannot be missing in the services of a security provider

The ability to integrate data and actions on different security systems allows companies to derive more value from existing equipment. “An important aspect when choosing a security provider is the ability to make the best use of existing equipment, while safeguarding investments,” explains Bavazzano.

The provider must also take its share of responsibility for protection, offer guarantees on intervention times and give the customer visibility of what is happening on the company site.

“Thanks to the use of automation, we can precisely calculate alarm and intervention times and express them in the form of SLAs,” Bavazzano explains. “We can give the customer access to our internal dashboard with data on problem acknowledgements, false alarms and interventions.” One important aspect concerns incident management, e.g. blocking attack flows with new rules on network equipment. “It is important for the service provider to report back to the customer about what has happened, so that the company can cover any gaps in the infrastructure, decide and plan any upgrades according to budgets.”

Vulnerability assessment and penetration testing, why carry them out continuously

A provider must offer vulnerability assessment and penetration testing (VA and PT) services alongside security management.

“The security of infrastructures very often depends on the ability to understand what is missing,” explains Bavazzano, “classifying the gaps and risks in order to be able to suggest the most appropriate changes.” VA and PT are becoming more and more important today, to the point where they have to be integrated within the day-to-day management, at least for basic components. “These are no longer activities to be carried out occasionally or every six months,” says Bavazzano. “Performing them on an ongoing basis makes it possible to know the weak points of the infrastructure and make countermeasures more effective. That is why we now prefer to talk about vulnerability management with our customers rather than vulnerability assessment.” The exposure of systems and networks must be continuously monitored to be able to defend against attacks. “Here again, technology and automation help, but the contribution of the SOC specialists, operating 24 hours a day, is essential to ensure effective protection. And this, together with the ability to transfer the experience to the customer, remains a fundamental contribution that a managed security service provider must be able to make,” Bavazzano concludes.

Editorial contribution developed in cooperation with Cybersecurity360-Axicom-Axitea
