Author: Marco Essomba
Self-defending networks, not a new thing
The concept of a self-defending network is not new. In the early 2000s, leading network and security vendors such as IBM [1] and Cisco [2] used the term to describe a network-as-a-platform: a collection of network and security devices working together as one unit to defend against cyber-attacks by adapting continuously to stay one step ahead of cyber threats. 10 years ago, the technology and tools required to bring together multiple vendors to create a self-defending network were very limited. Moreover, the cost of building such a system was prohibitive, and the market as a whole was not ready. Most security vendors had closed systems with no ability to integrate them with other third-party systems. Self-defending networking was more fiction than reality, since organisations did not have a mature enough network and security ecosystem to implement it. Things have changed. Today, the technology glue to bring different devices into a homogeneous framework is ripe, and the market is ready. The advances in data analytics, Robotic Process Automation (RPA), Machine Learning, Artificial Intelligence, and Application Programming Interfaces (APIs) combine all the ingredients necessary to create self-defending networks.
BIO
Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry-leading reputation.
Follow Marco on: https://www.linkedin.com/in/marcoessomba/
Self-defending networks: why it matters
Enterprises worldwide face increasing challenges to protect their digital assets against the growing number of cyber-attacks. The global skills shortage in cybersecurity is not making it easier [3]. Cybercrime is growing rapidly worldwide. The global cost is estimated to reach $6 trillion annually by 2021 [4]. Enterprises are continuously looking for ways to stay one step ahead of cybercriminals by ensuring that their network and security infrastructure can detect and act quickly against active cyber-attacks before any damage is done. Doing this in an efficient and cost-effective manner remains a challenging task for all organisations globally.
There is no lack of technology to defend against cyber-attacks. What is lacking is a fully integrated ecosystem that ensures people, processes, and technology work better together in a synchronised manner to defeat even the most persistent and well-resourced attacker. Of course, technology alone is not the solution to stop cyber-attacks. The glue between people, technology, and processes must be in place. A self-defending network can help achieve that. The key business objectives of a self-defending network or network-as-a-platform include:
1. ensuring that security practices and policies are aligned to business needs;
2. ensuring that the cost of security operations is manageable;
3. reducing complexity and simplifying the overall network and security infrastructure to maximise effectiveness; and
4. detecting and responding to cyber threats faster.
Ultimately the aim is to improve the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR).
Self-defending networks: what is it?
As a whole, self-defending networks comprise technology, processes and people. From a technology point of view, the ability to manage, monitor, orchestrate, automate and respond to cyber-attacks faster and in a cost-effective manner is at the centre. All the components of a self-defending network are brought together using a set of tools and automation processes that provide the glue to all the network and security layers. An effective layered defence approach, also referred to as defence-in-depth, ensures that all the components are working together as one. Devices providing anti-virus, proxy, firewalling, VPN, endpoint detection, IDS/IPS, vulnerability assessment, patch management, SIEM, policy compliance, routing, and switching are all fully integrated. All these components are combined and tightly integrated using a vendor-agnostic approach to provide deep monitoring, management, orchestration and automated response in order to defend effectively against cyber-attacks.
In multi-vendor security infrastructures, the ability to integrate different technologies from different vendors is key. The best-of-breed approach adopted by many medium and large organisations means that a self-defending network must provide a communication layer between all the systems involved in a highly secure and seamless manner. The ability to manage and integrate several vendors in order to automate and orchestrate processes is also key. A vendor-agnostic approach is required to ensure that an organisation's security investment is protected to defend effectively against current and future cyber threats. Depending on the needs of the organisation, over time, vendors and technologies can be swapped as needed, seamlessly, ensuring minimum disruption of the overall security infrastructure.
Self-defending networks: how it works
The core components of a self-defending network can be grouped into 5 key categories: central management, monitoring, automation, orchestration and response.
Central management and deep integration: in order to enforce an organisation's policy, central management is required to bring all the different components into a unified ecosystem. A single command and control view ensures that policies and processes can be managed from a single pane of glass. By using APIs and native plugins, devices that are part of the system can be controlled in a consistent manner. A central management engine enforces the organisation's security policy at a global level.
Continuous monitoring: monitoring is key in order to ensure visibility across the entire ecosystem. A SIEM solution is used as a central collecting engine for all raw logs and events collected from devices. That data is then sent to an engine for correlation and long-term storage. Using Big Data and security analytics, event correlation can be used to give the overall self-defending network more intelligence. Anomalies can be detected faster. Rules can be pushed to devices in order to respond to cyber-attacks in real time using known patterns, heuristics and machine learning models. The data collected over time across the network provides greater threat intelligence. The more data the better. As the self-defending network matures, it can ‘learn’ faster over time by self-tuning, reducing false positives, maximising its effectiveness and helping reduce the organisation's overall cost of security operations.
Automation and orchestration: automation refers to the use of playbooks and rules that provide the abstraction layer required to formulate response plans. Using various tools and technology such as RPA, automation allows processes to be systematised. Menial network tasks can be automated, freeing valuable time for security teams so that they can focus on critical incidents. Rules are pushed in a consistent manner to devices, enforcing a defence-in-depth approach whereby protection is implemented at several layers in order to defend more effectively against cyber-attacks.
Responding faster to attacks: the end result of an effective self-defending network is the ability to respond faster than current systems can. By leveraging deep integration with the devices that are part of the self-defending network, playbooks and rules are used to take specific actions. For example, when ransomware is detected at an endpoint device, not only is that threat neutralised at the endpoint, but the adjacent network switches can also quarantine the device by blocking its port until a successful remediation is applied. Many other rules can be created and applied at the global level. With all these components working together in a coherent and consistent manner, security teams can reduce operational cost and complexity dramatically. The bottom line is that an organisation can dramatically improve its Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR).
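The response flow described above (a detection at the endpoint, quarantine at the adjacent switch port, rules applied consistently across devices) as an added Python example; this is not code from the article or from the iCyber-Shield platform. The events, the asset inventory and the DeviceAdapter are constructed stand-ins, and the adapter simply records the calls a real vendor API would receive. The example also carries two checks a playbook of this kind needs in practice: a confidence threshold before any automated action, and a human-approval gate for assets tagged as critical, so that an automated rule cannot take a core server off the network on a weak signal.

```python
"""Toy SOAR-style playbook: correlate an endpoint ransomware alert with
network telemetry, then quarantine the host at its access-switch port.

Added example, not code from the article or from the iCyber-Shield platform.
Events, inventory and the device adapter are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed asset inventory: which switch and port each host is patched into.
INVENTORY: Dict[str, dict] = {
    "10.20.30.41": {"hostname": "ws-finance-07", "switch": "sw-access-3", "port": "Gi1/0/12"},
    "10.20.30.9": {"hostname": "dc-fileserver", "switch": "sw-core-1", "port": "Te1/1", "critical": True},
}

# Constructed alert stream: EDR detections plus NetFlow-derived SMB fan-out from one host.
EVENTS: List[dict] = [
    {"source": "edr", "type": "ransomware", "host": "10.20.30.41", "confidence": 0.92},
    {"source": "netflow", "type": "smb_fanout", "host": "10.20.30.41", "peers": 140},
    {"source": "edr", "type": "ransomware", "host": "10.20.30.9", "confidence": 0.55},
]


@dataclass
class DeviceAdapter:
    """Hypothetical vendor-agnostic adapter: records calls instead of talking to real gear."""
    calls: List[str] = field(default_factory=list)

    def isolate_host(self, host: str) -> None:
        self.calls.append(f"edr.isolate {host}")

    def shutdown_port(self, switch: str, port: str) -> None:
        self.calls.append(f"{switch}.shutdown {port}")

    def open_ticket(self, summary: str) -> None:
        self.calls.append(f"ticket: {summary}")


def correlate(events: List[dict]) -> List[dict]:
    """Group events by host; an SMB fan-out alongside the EDR alert raises the score."""
    by_host: Dict[str, dict] = {}
    for ev in events:
        entry = by_host.setdefault(ev["host"], {"ransomware": 0.0, "fanout": False})
        if ev["type"] == "ransomware":
            entry["ransomware"] = max(entry["ransomware"], ev["confidence"])
        elif ev["type"] == "smb_fanout" and ev["peers"] >= 50:
            entry["fanout"] = True
    incidents = []
    for host, entry in by_host.items():
        if entry["ransomware"] == 0.0:
            continue  # network telemetry alone never opens an incident
        score = min(1.0, entry["ransomware"] + (0.1 if entry["fanout"] else 0.0))
        incidents.append({"host": host, "score": round(score, 2)})
    return incidents


def run_playbook(events: List[dict], adapter: DeviceAdapter,
                 threshold: float = 0.8, dry_run: bool = False) -> List[Tuple[str, str]]:
    """Quarantine hosts scoring above the threshold; everything else becomes a ticket."""
    decisions = []
    for inc in correlate(events):
        host, score = inc["host"], inc["score"]
        asset = INVENTORY.get(host)
        if asset is None:
            adapter.open_ticket(f"unknown asset {host} flagged (score {score})")
            decisions.append((host, "ticket_unknown_asset"))
        elif score < threshold:
            adapter.open_ticket(f"review {asset['hostname']} (score {score})")
            decisions.append((host, "ticket_low_confidence"))
        elif asset.get("critical"):
            # Never auto-shut a critical asset's port; an analyst approves first.
            adapter.open_ticket(f"approval needed: quarantine {asset['hostname']}")
            decisions.append((host, "ticket_needs_approval"))
        elif dry_run:
            decisions.append((host, "would_quarantine"))
        else:
            adapter.isolate_host(host)
            adapter.shutdown_port(asset["switch"], asset["port"])
            adapter.open_ticket(f"quarantined {asset['hostname']} on {asset['switch']} {asset['port']}")
            decisions.append((host, "quarantined"))
    return decisions


if __name__ == "__main__":
    adapter = DeviceAdapter()
    for decision in run_playbook(EVENTS, adapter):
        print(decision)
    print("\n".join(adapter.calls))
```

Run as-is it quarantines the finance workstation (EDR hit corroborated by SMB fan-out) and only opens a review ticket for the file server, whose alert sits below the threshold. The dry_run flag is the way to rehearse a new rule against live telemetry before letting it touch devices.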
Self-defending networks: business benefits
The benefits to organisations are tangible. Network and security automation means that security teams can free up valuable time by automating menial tasks so that they can focus on critical incidents. Playbooks can be created and re-used on demand throughout the enterprise, cutting down delivery lead times for online enterprise applications and ensuring that online business applications are delivered in a fast and secure manner in the cloud or on-premises. Key business benefits can be summarised as:
1. Central management of network and security infrastructures that simplifies the management of disjoint and different technologies.
2. Automation of menial tasks in order to free up time for security teams, given the resourcing challenges facing many organisations worldwide.
3. Consistency in delivering services across the organisation, since automation provides a way to re-use rules and playbooks in a predictable and consistent manner.
4. Integration of network and security processes with the organisation's overall business workflows, which brings security operations and development operations together.
5. Institutional memory within the self-defending network ecosystem means that knowledge transfer is consistent, and the intelligence acquired within the enterprise over time can be safeguarded given the global cybersecurity resourcing challenge.
Strengthening your Cyber Defence using the Power of Automation
Growing Challenge of Cyber Threats
The challenges facing enterprises today to protect their digital assets against the deluge of growing cyber threats are well documented. The ENISA Threat Landscape Report 2018 found that “Information theft, loss, or attack is now the prevalent type of crime against organisations, overpowering physical theft, which, until 2017, was the most common type of fraud against corporations for a decade” [5]. And according to the University of Maryland, “Malicious hackers are now attacking computers and networks at a rate of one attack every 39 seconds” [6]. Cyber threats are not limited to enterprises, as consumer devices used in the Internet of Things (IoT) are also under attack. The Mozilla Internet Health Report 2018 estimates that the number of Internet-connected devices will double from 2015 to 2020 to reach 30 billion devices worldwide [7], with Kaspersky Lab detecting three times as many malware samples targeting smart devices in the first half of 2018 [8].
From a technical point of view, there is no lack of technology to help organisations defend against the growing cyber threats. What is lacking is a truly coordinated cyber defence infrastructure where people, technology, and processes are working together to provide a consistent and co-ordinated defence-in-depth approach to protect against even the most advanced targeted attacks.
This article covers the fundamentals of SOAR technologies with an emphasis on how the iCyber-Shield Security Orchestration, Automation and Response (SOAR) Platform differentiates from existing solutions.
The SIEM is Dead. Long Live SOAR.
The scale of the challenge in protecting enterprises against increasingly complex and targeted cyber-attacks is escalating as businesses rely more on computer networks to conduct their digital operations. Making sense of the growing number of alerts generated by various network and security devices in order to detect and respond to cyber-attacks in a fast and cost-effective manner before damage is done is what every organisation aspires to. Security Information and Event Management (SIEM) technologies provide a way to manage, correlate, and deliver context from the many alerts generated by normal and abnormal network activities. However, they have their limitations.
SOAR [3] promises to complement existing SIEM solutions by leveraging the power of automation to add consistency to operational security processes and to deliver huge cost savings and efficiencies in the way security operations teams or Security Operations Centers (SOCs) are managed.
The Future of Defence-In-Depth is SOAR
SOAR is about getting the best out of an organisation's existing security defences by leveraging the power of automation and deep integration with SIEM technologies. By extending SIEM solutions, SOAR vendors have evolved to provide the ability to make sense of raw logs and events from Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, Endpoint Detection Systems, and so on. SOAR technologies allow organisations to organise or group security events, providing a framework and context to automate security processes and to respond to cyber threats faster. Ultimately, the end goal is to reduce the number of alerts, significantly increase efficiencies, and gain huge improvements in Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) to cyber threats. From the business benefits point of view, it means getting the best out of your existing security investment from both a technology and a human resources standpoint. In some cases, SOAR technologies can increase efficiencies in security operations by more than 70%.
Although SOAR technologies are relatively new compared to more mature security solutions such as SIEM and firewall technologies, the benefits to enterprises can be significant. Moreover, SOAR technologies work within an existing security stack of network and security devices. An organisation must have reached a certain level of maturity in its security operations to truly benefit from a SOAR solution.
The approach of various SOAR vendors is similar; however, the way they integrate and leverage existing network and security ecosystems remains quite different and diverse across the board. At the core, SOAR vendors focus on enhancing existing SIEM management, creating a uniform and consistent way to investigate threats, and increasing the efficiencies of existing security operations and teams.
Introducing the iCyber-Shield Platform – From SOAR to SOARX
The iCyber-Shield Central Management Platform's approach to security orchestration, automation and response goes beyond existing SOAR offerings because of the platform's ability to fully manage, monitor, automate, and orchestrate complex network and security ecosystems from a single pane of glass. Call it SOARX. The key differentiators include:
1. Open Application Programming Interfaces (APIs): The iCyber-Shield Platform offers a flexible framework using open APIs that are extensible, scalable, modular, and wrapped into a unified and intuitive GUI. The platform can be deployed within an hour in cloud infrastructures such as Microsoft Azure, Google Cloud Platform, and Amazon Web Services (AWS). The platform can also be deployed on-premises on Linux, Windows, and Unix operating systems. Using a centralised WebUI, the platform allows full central management of network and security devices using push and pull technology, all from a Single Pane of Glass. Using a vendor-agnostic approach, iCyber-Shield provides a simplified way to manage complex network and security devices in multi-vendor infrastructures.
2. Built-In Logging Engine & SIEM Integration: The iCyber-Shield Platform does not rely solely on SIEM technologies but can also receive logs directly from network and security devices in order to provide data correlation, event reduction, security analytics, threat intelligence, and automated responses. The platform can also integrate with known SIEM vendors such as Splunk and Elasticsearch to receive formatted and unformatted logs for analysis and storage, allowing enterprises to maximise their existing SIEM investment.
3. Security Analytics: Logs can be collected directly from network and security devices using syslog or raw feeds, but can also be pulled directly from SIEM devices using API integration. This allows the platform to parse logs, add context, correlate events and remove noise so that security teams can focus on meaningful events.
4. Automated Software Robots: The ability to provide seamless integration using secure APIs in a vendor-agnostic approach means that onboarding devices to the platform is intuitive and does not disrupt existing ecosystems. The platform is modular, which allows organisations to add or remove modules on demand in a Pay-As-You-Use model. Tools such as automated backup and restore, automated configuration migration, automated vulnerability scanning, and automated threat response can be added as the needs of the organisation change, providing a flexible and smart way to protect against cyber-attacks. Software robots can automate menial security tasks to free up time so that security teams can focus on key security events.
5. Single Pane of Glass: A single command and control platform that allows you to monitor, fully manage, automate, and orchestrate your existing network and security ecosystem. The integration using APIs is not limited to network and security devices but can also be extended to support IoT devices.
6. Playbooks and automated rulesets: Rules provide a way to create automated software robots that can be adapted for the task at hand and can scale at the enterprise-wide level to assist the security operations team as well as CxO-level executives with fast decision making. A Return on Investment (ROI) calculator is built into the platform, providing a simple and intuitive dashboard to show ROI statistics of the existing network and security infrastructure as the platform actively takes action to defend the organisation against active cyber-attacks.
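Differentiator 3 above describes the analytics pass in one sentence: collect syslog, parse it, add context, correlate events and remove noise. The following is an added Python example of such a pipeline and is not code from the article or from the iCyber-Shield platform; the log lines, the asset directory, the IDS signature id and the noise rule are all constructed. It parses RFC 3164-style syslog, attaches asset context to bare addresses, suppresses one known-benign pattern, collapses a burst of identical firewall denies into a single counted finding, and marks that burst as corroborated when an IDS alert names the same source.

```python
"""Toy security-analytics pass over raw syslog: parse, enrich with asset
context, drop known noise, aggregate repeats and correlate across sources.

Added example, not code from the article or the iCyber-Shield platform.
Log lines, asset directory, signature id and the noise rule are constructed."""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed raw feed as a firewall and an IDS sensor might emit it (RFC 3164 style).
RAW_LOGS = """\
<134>Mar  3 10:15:01 fw-edge-1 kernel: DENY TCP 203.0.113.7:51522 -> 10.0.5.20:445
<134>Mar  3 10:15:02 fw-edge-1 kernel: DENY TCP 203.0.113.7:51523 -> 10.0.5.20:445
<134>Mar  3 10:15:02 fw-edge-1 kernel: DENY TCP 203.0.113.7:51524 -> 10.0.5.20:445
<134>Mar  3 10:15:03 fw-edge-1 kernel: ALLOW TCP 10.0.5.20:49912 -> 198.51.100.9:443
<132>Mar  3 10:15:05 ids-1 suricata: ALERT sid=1000001 src=203.0.113.7 dst=10.0.5.20 msg="constructed SMB probe rule"
<134>Mar  3 10:15:06 fw-edge-1 kernel: DENY UDP 10.0.9.3:5353 -> 224.0.0.251:5353
"""

# Constructed asset directory used to add business context to bare IP addresses.
ASSETS = {
    "10.0.5.20": {"name": "file-srv-2", "zone": "server", "owner": "it-ops"},
    "10.0.9.3": {"name": "printer-lobby", "zone": "user", "owner": "facilities"},
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
FW_RE = re.compile(
    r"^(?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Optional[dict]:
    """Split a syslog line into fields; returns None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["pri"]) % 8  # syslog severity is the low 3 bits of PRI
    fw = FW_RE.match(ev["msg"])
    if fw:
        ev.update(fw.groupdict())
        ev["kind"] = "fw"
    elif ev["msg"].startswith("ALERT "):
        kv = {k: v.strip('"') for k, v in KV_RE.findall(ev["msg"])}
        ev.update({"kind": "ids", "sid": kv.get("sid"), "src": kv.get("src"),
                   "dst": kv.get("dst"), "signature": kv.get("msg")})
    else:
        ev["kind"] = "other"
    return ev


def enrich(ev: dict, assets: Dict[str, dict]) -> dict:
    """Attach asset name and zone for any src/dst address the directory knows."""
    for side in ("src", "dst"):
        info = assets.get(ev.get(side, ""))
        if info:
            ev[f"{side}_asset"] = info["name"]
            ev[f"{side}_zone"] = info["zone"]
    return ev


def is_noise(ev: dict) -> bool:
    """Constructed suppression: mDNS multicast blocked by policy is expected chatter."""
    return ev["kind"] == "fw" and ev["dst"] == "224.0.0.251" and ev["dport"] == "5353"


def analyse(raw: str, assets: Dict[str, dict], burst: int = 3) -> dict:
    """Parse, enrich, de-noise, then aggregate and correlate into findings."""
    events = [enrich(ev, assets) for ev in map(parse_line, raw.splitlines())
              if ev is not None and not is_noise(ev)]
    denies = Counter((ev["src"], ev["dst"], ev["dport"])
                     for ev in events if ev["kind"] == "fw" and ev["action"] == "DENY")
    ids_sources = {ev["src"] for ev in events if ev["kind"] == "ids"}
    findings = []
    for (src, dst, dport), count in denies.items():
        if count >= burst:  # many identical denies collapse into one counted finding
            findings.append({"type": "repeated_deny", "src": src, "dst": dst, "dport": dport,
                             "count": count, "target": assets.get(dst, {}).get("name", dst),
                             "corroborated_by_ids": src in ids_sources})
    for ev in events:
        if ev["kind"] == "ids":
            findings.append({"type": "ids_alert", "src": ev["src"], "dst": ev["dst"],
                             "sid": ev["sid"], "target": ev.get("dst_asset", ev["dst"])})
    return {"parsed": len(events), "findings": findings}


if __name__ == "__main__":
    for finding in analyse(RAW_LOGS, ASSETS)["findings"]:
        print(finding)
```

Six raw lines become two findings: the three denies against file-srv-2 port 445 collapse into one entry with a count and an IDS corroboration flag, the single allowed outbound HTTPS connection is left alone, and the mDNS deny never reaches the analyst. The suppression rule and the burst threshold are the knobs that decide what counts as noise, so they belong in version control next to the playbooks rather than in someone's head.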
Full Stack Cyber Defence Platform
SOARX Consulting experience acquired from working closely with leading organisations in banking, finance, telecom, gaming, gambling, etc., means that our expertise in designing and implementing state-of-the-art cyber defence systems has given us a unique insight into the ongoing security challenges facing enterprises. Our approach to security is to arm organisations with a defence-in-depth framework that combines people, technology, and processes, all working together in a unified manner.
Our iCyber-Shield Central Management Platform brings together existing and disjointed network and security ecosystems for better integration in order to drive huge efficiencies and cost savings within enterprise security operations.
Our current version of the platform is already helping our clients in various sectors such as gaming, gambling, banking/financial services, and manufacturing to drive down the costs of security operations by more than 70%, and to get the best out of their existing security investment.
From a single pane of glass, our clients can fully manage, monitor, automate, and orchestrate their entire network and security ecosystems. Our growing list of leading network and security vendors includes F5 Networks, Cisco, Palo Alto, Juniper, Splunk, Qualys, Jira, Kemp, EdgeNexus, Cloudflare, Stella Blockchain,
The iCyber-Shield Platform is helping organisations get the best out of their existing network and security infrastructure by significantly improving the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR), giving them the confidence to respond faster to security incidents. To learn more about the iCyber-Shield Central Management Platform or to request a demo, please visit our website or social media sites:
Website: https://www.icyber-security.com
Twitter: https://twitter.com/icybersecurity_
LinkedIn: https://www.linkedin.com/company/5089841/
References
[1] https://www.zdnet.com/article/self-defending-networks-we-have-the-technology-but-no-customers/
[2] https://www.cisco.com/c/dam/global/en_ca/assets/pdf/seminaire_securite_mai_2007_v2.pdf
[3] https://www.csoonline.com/article/3331983/the-cybersecurity-skills-shortage-is-getting-worse.html
[4] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
[5] https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends and https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-201
[6] https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds
[7] https://www.gartner.com/en/documents/3895089-emerging-technology-analysis-soar-solution
[8] https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends and https://internethealthreport.org/2018; see also