
Ecosystem Engineering in Cybersecurity, Pt. 3

In our next installment in the series, let’s take a deep dive into the second building block: Visibility

Peter Luban
3 min read · Feb 27, 2019


This is one of my favorite subjects to riff on. Visibility is a term with a fair amount of ambiguity associated with it, and like most things of that nature, it is left open to interpretation, and for good reason. Sure, there’s logging and there’s monitoring, but what do you log? What do you monitor? What do you do with the data? Well, luckily we’ve gone through the concept of Target Identification, which should help us narrow down the potentially boundless scale of data collection, but then what?

Once again, let us borrow from the natural world around us for a moment. This time, chemistry helps us demystify the path forward.

(According to Wikipedia) Chemistry is the scientific discipline involved with elements and compounds composed of atoms, molecules and ions: their composition, structure, properties, behavior and the changes they undergo during a reaction with other substances.

There’s a lot to learn from that simple definition as it relates to the operation of a technology ecosystem. Each of us with the responsibility to manage data and make sense of it is a chemist! Think about it. We collect elements (raw system logs, host status, network logs, detection events, etc.) and now we must understand the relationships between those elements (reference architecture, behavioral analytics, etc.) and look to correlate them to create compounds (patterns, security analytics, metadata, etc.). Perhaps it’s more like alchemy :)

The combination of reference architecture, behaviors, patterns and analytics, relevant to our high value targets, gives us a crystal ball of sorts if done well, perhaps even the ability to see IoCs before an actual threat manifests, as an example. This is achieved through creating a visibility fabric that gives us a unified view of our ecosystem, and gives us the power to create the metadata that we use to tell a story about what’s happening in our environment. At a high level, that fabric consists of things like a unified logging pipeline, scalable storage, aggregation and automation, UX, ETL tools and methods, learning models and science, as well as badass engineers and analysts to build and run it all. Many moving parts coming together as one beautiful machine.
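To make the elements-to-compounds idea concrete, here is an added example (not code from the article) that normalizes three constructed log sources, each in its own format, into one common shape and then correlates them per high-value host; the sample lines, the host names, the high-value target set and the five-minute window are all assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample "elements" from three sources, each in a different format.
HOST_STATUS = ["2019-02-27T10:00:05Z host=db-01 status=degraded cpu=97",
               "2019-02-27T10:00:05Z host=web-03 status=ok cpu=12"]
NETWORK_LOGS = ["Feb 27 10:00:20 fw01 conn src=db-01 dst=203.0.113.9 bytes_out=5200000",
                "Feb 27 10:00:21 fw01 conn src=web-03 dst=198.51.100.7 bytes_out=800"]
DETECTION_EVENTS = ['{"ts": "2019-02-27T10:00:40Z", "host": "db-01", "rule": "suspicious-tool"}']
HIGH_VALUE_TARGETS = {"db-01"}   # assumed output of the Target Identification step
ISO = "%Y-%m-%dT%H:%M:%SZ"

def normalize() -> list:
    """Convert every raw element into one common shape: (ts, host, source, detail)."""
    events = []
    for line in HOST_STATUS:
        ts, rest = line.split(" ", 1)
        kv = dict(p.split("=") for p in rest.split())
        events.append((datetime.strptime(ts, ISO), kv["host"], "host_status", kv["status"]))
    for line in NETWORK_LOGS:
        m = re.match(r"(\w{3} \d+ [\d:]+) \S+ conn src=(\S+) dst=(\S+) bytes_out=(\d+)", line)
        # syslog-style timestamps omit the year; the sample data is from 2019
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2019)
        events.append((ts, m.group(2), "network", f"{m.group(4)} bytes to {m.group(3)}"))
    for line in DETECTION_EVENTS:
        d = json.loads(line)
        events.append((datetime.strptime(d["ts"], ISO), d["host"], "detection", d["rule"]))
    return sorted(events)

def correlate(events, window=timedelta(minutes=5), min_sources=2) -> dict:
    """Group normalized elements by high-value host; a host seen in at least
    `min_sources` distinct sources inside `window` becomes a 'compound'."""
    by_host = defaultdict(list)
    for ev in events:
        if ev[1] in HIGH_VALUE_TARGETS:      # scope to what Target Identification said matters
            by_host[ev[1]].append(ev)
    compounds = {}
    for host, evs in by_host.items():
        start = evs[0][0]
        in_window = [e for e in evs if e[0] - start <= window]
        sources = {e[2] for e in in_window}
        if len(sources) >= min_sources:
            compounds[host] = {"sources": sorted(sources),
                               "timeline": [f"{e[0]:%H:%M:%S} {e[2]}: {e[3]}" for e in in_window]}
    return compounds

if __name__ == "__main__":
    for host, compound in correlate(normalize()).items():
        print(host, compound)
```

The same degraded host, a large outbound transfer and a detection hit are unremarkable as separate elements; only the unified shape and the per-target grouping turn them into a story worth reading.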

For this to work, it requires unification and integration. A cobbled-together amalgam of black box solutions with different architectures, implementations, UIs, languages, busted APIs, archaic signatures, horrible maintenance and 7 digit price tags does nothing to help one understand what data matters, where to find it and how to make it tell you a story. Only a good understanding of the things that are important in your environment, paired with a big picture view of how it all exists as an ecosystem, will unlock the power of omniscience.

It’s a lot, I know, and everyone’s situation is different in terms of scale and available resources. And this is why our next building block is so important in terms of efficiency and bang-for-buck. Stay tuned for part four in this series where we’ll talk about Alignment and delve into a bit of management philosophy, team building and understanding people and how they work within their respective ecosystems, maybe sprinkled with a bit of product management goodness.

I’m writing these articles as a way to encourage people to think out loud about the topics, so please, keep the comments coming, ask questions and rock on! Thanks for reading!



Peter Luban

Pete has been working in Cybersecurity related fields for over 20 years in many industries from big finance, all the way down to tiny internet startups.