Jonathan Fischbein is the Chief Information Security Officer at Check Point Software Technologies.

In Q3 2024, organizations experienced an average of 1,876 cyberattacks, a 75% increase year over year. Every minute of every day, bad actors are poking and prodding networks until they find one small crack in cybersecurity defenses to exploit. If it weren’t for their nefarious intentions, their persistence and creativity would be admirable. But organizations are not defenseless. They invest heavily in innovative cybersecurity solutions and highly skilled security operations specialists. The cybersecurity industry employs the brightest minds and constantly releases innovative new tools.

How is it that so many organizations remain vulnerable despite all this innovation and investment? One main reason is that while cybercriminals attack across multiple vectors, security solutions operate in isolated siloes, never sharing data between them. This siloed approach creates security gaps that leave doors open for attackers to find and exploit.

The Security Operations Challenge

Cybercriminals constantly bombard the defenses of security operation centers (SOCs) around the world, trying to find a way to breach organizations. SOC teams are on a continual war footing, trying to stem the tide of attacks by diligently monitoring a multitude of systems and hunting for clues that an attacker is lurking. Assuming a SOC is well-equipped and well-staffed, what is the greatest remaining vulnerability? Is it poorly configured firewalls, mobile endpoints connecting to unsecured Wi-Fi, web applications with open backdoors or phishing attacks? Or is it forgotten assets and shadow IT? Each one of these possible attack vectors presents a clear and present danger. One of the single greatest vulnerabilities that SOCs face is that each security tool deployed works as an isolated silo, never effectively sharing information. This siloed security approach creates dangerous blind spots.

Stealth Multi-Sector Attacks

We no longer live in a world where criminals concentrate on one line of attack. This is the age of multi-vector attacks, where perpetrators launch simultaneous, full-spectrum assaults on organizations’ defenses. Multi-vector attacks are highly complex and very challenging to predict. Persistent attackers will attempt to gain access via multiple vectors until they succeed.

Security tools work in isolated silos, each watching only for the specific type of threat it was built to defend against. This is the fatal flaw of the siloed security environment—the vital connections and correlations that could reveal a complex attack often are not made in time.

Like Blind Men Examining A Tiger

This situation brings to mind the parable of the elephant and the blind men, where each examines an individual part of the animal but comes to different—and entirely wrong—conclusions as to what an elephant is. If we were to update that parable, our blindfolded security analysts might examine a tiger, but by only touching its tail, belly and ears conclude that it is harmless—having completely missed its teeth and claws.

This is what working in a siloed security environment is like—a narrowed focus leading to limited visibility, which can blind the SOC to the bigger picture of a multi-vector attack in progress. What looks like a low-severity event to one or more security tools could be part of something much more dangerous. Without proper collaboration, and without the ability to correlate it with what is happening in the rest of the network, there is no way to connect the dots and recognize that together these events signal a high-severity security incident.

Collaborate To See The Big Picture

Many modern SOCs have integrated SIEM (security information and event management) and SOAR (security orchestration, automation and response) solutions. SIEM systems collect and analyze logs from various digital assets, correlating data to generate alerts based on predefined rules. However, the sheer volume of alerts often leads to “alert fatigue.”

To address this, SOAR systems automate responses to common predefined alerts, significantly reducing the workload on SOC teams by handling incidents within minutes or seconds, compared to the hours or days it might take human analysts. SIEM and SOAR aim to alleviate the chronic issue of alert fatigue while ensuring rapid and efficient remediation of security threats, thereby fortifying the overall security posture. Extended detection and response (XDR) systems can integrate data from multiple security sources and centralize alerts, in theory giving the SOC a holistic overview of its current status.

Integrating the SOC’s various standalone security solutions is certainly the first place to start, though that is easier said than done. Most SOCs evolved through the implementation of discrete solutions as novel threats emerged. Each solution is usually developed by a different vendor, so none of them speak the same language, and they cannot collaborate. This lack of collaboration is untenable in the current reality, where the sea of fast-moving, stealthy attackers threatens to overwhelm the dike entirely.

XDR systems do exist that can integrate data from multiple security sources and centralize alerts, giving the SOC a holistic overview of its current status. However, the problem remains that these solutions aggregate data rather than interpret it. In other words, they are neither directional nor able to identify when a stealth multi-vector attack is taking place. They can detect several isolated low-severity events but can lack the intelligence to understand how they may be connected and part of something much bigger.

Collaboration is needed. Security solutions should pull information together from siloed security sources and make fast, intelligence-driven correlations between different security events across different vectors to quickly identify those that need immediate remediation. This is what the next generation of XDR solutions should enable—not just consolidation but full collaboration.
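As an added illustration of the cross-vector correlation the article is calling for (example code written for this page, not Check Point's or any vendor's logic), the small correlator below pulls constructed low-severity alerts from several siloed tools together per asset and escalates only when alerts from three or more distinct vectors land within one time window. The alert format, vector names, window and threshold are all assumptions.

```python
"""Cross-vector alert correlation (added example, not from the article).
Alert fields, vector names, WINDOW and MIN_VECTORS are assumed values."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # assumed correlation window per asset
MIN_VECTORS = 3                  # assumed: 3+ distinct vectors => high severity

# Constructed sample alerts, each emitted by a different siloed tool.
# Every one of them is "low" on its own; the wks-17 chain is one attack.
ALERTS = [
    {"ts": "2024-09-10T09:02:00", "asset": "wks-17", "vector": "email", "severity": "low"},
    {"ts": "2024-09-10T09:14:00", "asset": "wks-17", "vector": "endpoint", "severity": "low"},
    {"ts": "2024-09-10T09:31:00", "asset": "wks-17", "vector": "identity", "severity": "low"},
    {"ts": "2024-09-10T09:40:00", "asset": "wks-17", "vector": "network", "severity": "low"},
    {"ts": "2024-09-10T11:05:00", "asset": "srv-db1", "vector": "network", "severity": "low"},
    {"ts": "2024-09-11T08:00:00", "asset": "wks-17", "vector": "web", "severity": "low"},
]

def correlate(alerts, window=WINDOW, min_vectors=MIN_VECTORS):
    """Group alerts per asset, slide a time window over them in order, and
    open (or extend) a high-severity incident whenever the alerts inside the
    window come from >= min_vectors distinct vectors.  Returns incident dicts."""
    by_asset = defaultdict(list)
    for a in alerts:
        by_asset[a["asset"]].append(dict(a, dt=datetime.fromisoformat(a["ts"])))
    incidents = []
    for asset, items in by_asset.items():
        items.sort(key=lambda a: a["dt"])
        start, current = 0, None          # window start index, open incident
        for end, cur in enumerate(items):
            while cur["dt"] - items[start]["dt"] > window:
                start += 1                # drop alerts that fell out of the window
            span = items[start:end + 1]
            vectors = {a["vector"] for a in span}
            if len(vectors) < min_vectors:
                continue                  # still looks like isolated noise
            if current and cur["dt"] - current["last_dt"] <= window:
                current["last"], current["last_dt"] = cur["ts"], cur["dt"]
                current["vectors"] |= vectors   # extend the open incident
            else:
                current = {"asset": asset, "first": span[0]["ts"], "last": cur["ts"],
                           "last_dt": cur["dt"], "vectors": set(vectors),
                           "severity": "high"}
                incidents.append(current)
    return incidents

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["severity"], inc["asset"], inc["first"], inc["last"], sorted(inc["vectors"]))
```

The lone srv-db1 scan and the next-day web alert on wks-17 stay low because they never share a window with enough other vectors; only the four alerts between 09:02 and 09:40 are escalated.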

The threat of multi-vector attacks must be addressed and the security silos that allow them to occur remedied. A collaborative approach gets security tools working together to shut the doors left open to hackers by security silos.
