Perspectives on the New Defender Lifecycle Model: A Q&A with Gigamon CTO Shehzad Merchant
In his blog “Moving Toward a Security Immune System,” our CTO Shehzad Merchant spoke of the need for a new security model, predicated on a paradigm shift and acceptance of the fact that data breaches will happen. More and more, organizations are seeing that traditional, prevention-focused security strategies are not enough to defend against the increasing speed, volume and polymorphic nature of today’s cyber threats. Instead, they must embrace a new model – the Defender Lifecycle Model – that shifts control and advantage back to defenders by integrating machine learning, artificial intelligence (AI) and security workflow automation with a foundation of pervasive visibility.
To learn more, we sat down with Shehzad to see what customers and prospects are saying about their current challenges and how this new approach can help.
What top challenges does the Defender Lifecycle Model address?
Over the last few years, we’ve seen an exponential increase in the number of different security tools on the market and increasingly, we’ve heard much talk about machine learning, AI and security orchestration. The problem is that it’s not clear how these all play together to improve a company’s security posture. For example, if you deploy them, are you more secure? Less secure? The same? There isn’t a model against which organizations can measure security success or understand where gaps remain.
Another problem is that a model needs to address real, practical industry challenges that include a massive shortage of skilled personnel, massive growth in the volume of attacks and manual, siloed processes.
To address these problems, the Defender Lifecycle Model offers a framework against which organizations can map out different solutions as well as the ability to tackle the practical challenges via more automated processes.
Have enterprises already started down this route to build out their infrastructure?
They have, but in more of an ad hoc manner – meaning they stumble onto it. Hopefully they will get to the right place, but without a structured approach, the process will likely take longer than it should and there’s the chance they won’t end up in the right place. Key to the Defender Lifecycle Model is providing a more structured approach they can use to get to the desired outcome, quickly and efficiently.
What questions are customers asking? What do they want to learn more about?
There are a few big questions: How can we automate? How do we deal with the API explosion? What is the role of machine learning and AI? And how does Gigamon help with each?
Fundamentally, machine learning addresses the big data challenge of security, which is gathering context from across an entire infrastructure and building a baseline. AI is applying algorithmic techniques on top of that to surface out anomalies. Automation and orchestration is the ability to act on those anomalies.
The GigaSECURE Security Delivery Platform is not only an enabler – of the machine learning, AI, automation and containment layers – but it’s foundational. A foundation upon which enterprise network defenses can be layered and more importantly, efficiently leveraged.
How does this foundation enable automation?
There are multiple aspects as Gigamon plays into the machine learning phase, the automation and containment phase, the initial basic hygiene phase. For example, machine learning is all about big data and providing ways to assimilate large volumes of data and build a baseline. Gigamon provides easy access to content-rich data that allows companies to build that baseline.
In terms of automation, our platform offers an alternative to dealing with the massive API explosion by providing a default API to orchestrate various pieces of solutions. If you want to deploy a basic good hygiene technique like firewalls, we make it easy to do so without having to deal with network maintenance windows or outages.
Have customers started to take this approach?
Customers find themselves in different phases of the cycle. Many are in the first stage of doing the basics of providing firewalls, segmentation and multi-factor authentication. Some have moved beyond and are beginning to build out a baseline, leveraging machine learning techniques, big data and both open source and commercial tools.
Gigamon feeds them very rich content data either directly in the form of network traffic streams or metadata – encrypted or decrypted. I don’t believe many are yet in the automation phase as that is relatively new. However, I expect to see more customers starting to deploy aspects of automation and orchestration in 2018.
Can you talk more about the benefits?
In moving to an automation model, you can begin to address two challenges: First is the challenge of the shortage of skilled personnel. Second is speeding up the defender’s ability to respond in a timely manner to contain and prevent attacks from propagating.
Another big advantage to this type of platform is easy access to data. It’s not that organizations don’t have access to data – they can get data from routers, firewalls, endpoints, domain controllers – the challenge is getting it. Each one of these entities is controlled by a different part of an IT organization and coordinating across these different, siloed departments is a challenge. Many of these approaches also add load on the devices, impacting their performance. So, simply leveraging network traffic becomes a quick shortcut to getting access to content-rich information.
What do you see happening next as this new model matures?
I see two key next steps. One is people embracing the model and moving towards automation and orchestration. It’s very early days, but again, I do expect by 2018 that organizations will be moving in that direction – towards, if you will, a DevOps for security. Two is seeing this roll out in the public cloud.
What excites you about what customers are saying?
The concept and the problems it solves resonate; so perhaps the solution set also resonates.
The most exciting part is that if we are successful in implementing and making this new model operational in customer environments, we have the opportunity to reverse the attacker-defender asymmetry – and make the asymmetry work to the advantage of defenders.
To learn more, please watch Shehzad’s webcast “Next-Generation Cybersecurity: The Defender Lifecycle Model,” check out the GigaSECURE Security Delivery Platform web page and read the new white paper “Disrupt the Machine-to-Human Fight with a New Defender Lifecycle Model in Security Operations.”