Festive halloween cookies.

Your Security Data Strategy Sucks Because You Don’t Have One

Josh Zelonis
The Recovering Analyst


“What is your data strategy?” This isn’t a question often asked of security leaders, but it should be. Over the past decade we’ve seen a huge rise in the amount of data our security operations centers (SOCs) have available to consume, a byproduct of the increasing number of assets we’re required to protect and of new security technologies such as endpoint detection and response (EDR) introducing their own log streams.

The symptoms of our inability to manage and obtain critical insights from this vast amount of data are visible across the industry. One need look no further than the common themes of not enough available workforce and near-ubiquitous use of managed services to understand that we need to do things differently. But the reality of our situation is that even if you had access to an amazing untapped talent pool, we humans are not a sustainable solution. Hiring more and more people is a linear approach to an exponential growth problem. This is a data problem. But as we know in business, any problem is an opportunity.

We’re living in a world where data is a commodity to be mined for insights, much as how precious minerals have been extracted from the Earth for thousands of years. There’s even a term used to describe the mining of aggregated data from multiple sources for business outcomes — the data economy. It’s time to have an honest conversation about how your security organization is managing its data.

Your Business is Data Driven, Why Aren’t You?

Stories of how businesses have found success in the data economy abound. My favorite example is from Walmart. Using data and analytics, Walmart was able to determine that a couple of stores hadn’t put Halloween-themed cookies on shelves. We’re often trained to think about how analytics can be used to drive customer behavior through better-targeted marketing efforts. What I find exciting about this particular case is that customer behavior was the indicator of the problem. Walmart tapped into stocking data to find and triage a problem. That is what is thrilling about the data economy: with the right data, even something as mundane as stocking data, and some creativity, an entity as vast as Walmart could pinpoint the few stores that were behind on… cookie sales.

Extending this metaphor to the security space should encourage security leaders to consider the value of non-traditional data sources, while approaching their data set as a whole to become more timely in their approach to security operations. Just like Walmart used data to avoid having stock rooms full of Halloween cookies in November, security leaders can tap into their data sets to lower risk for their organizations, find weaknesses before they become problems, or even see where they are over-invested in security and would be better off applying budget to another area of responsibility.

Failure to Adapt Is More Costly Than You Think

Purchasing security products is generally a three-year commitment. If you reasonably expect your business leaders to continue growing the business during this time, you’ll be responsible for protecting more assets and processing more data than you are today. As obvious as this may sound, it means if you keep doing what you’ve been doing, your life will become appreciably worse as your business improves. Nobody wants a sad clown at a birthday party.

Most security organizations don’t have the resources to build petabyte scale data centers dedicated to security and infrastructure operations. This leaves the security industry at the mercy of security vendors to provide the technology to bring us into the data economy. Unfortunately, most security solutions are monolithic point solutions, collecting and alerting from one data source, and technologies such as SIEM and SOAR tend to be primarily focused on managing alerts from these monolithic, point security products. Let’s talk about how to navigate this situation…

What Does Good Look Like?

Enabling your security team to make proactive improvements to your security posture leads to a reduction in alerts and, in turn, reduces the heightened stress of constantly being in alert mode, which has repeatedly been shown to lead to employee burnout and retention issues. Because we’re focusing on building this capability using vendor solutions, there are three critical questions you must ask as you’re considering investing in any new security product:

  1. Are you collecting enough, and the right data?
  2. Does the data model support a modern analytics approach?
  3. What domain expertise exists for training and working with the data?

Are you collecting enough, and the right data?

Just in the last decade, EDR vendors challenged thinking about legacy log sources and started building endpoint agents to collect novel data on the operations of those endpoints. To support your data strategy, part of this shift could be to start investing in security products that expose telemetry data to your data platform instead of just sending alerts. What other data from or about your environment could you be ingesting to support outcomes similar to the Walmart cookies situation?

Does the data model support a modern analytics approach?

Being able to store and query data at scale is the low bar that many SIEM vendors have been clearing since before the iPhone. Machine learning is part of our lives now, commoditized to the point that even I frequently leverage these data analysis capabilities when working on my own projects. I certainly couldn’t explain to you the difference between a neural network and a random forest, but having the ability to analyze data at scale is a quality-of-life issue. When investing in a SIEM or extended detection and response (XDR) product, take the time to understand what specific outcomes its data model was designed to support in terms of automated analysis.

What domain expertise exists for training and working with the data?

Look, you can have access to all the data in the world, and it may even be well formatted to support superior analysis, but without both domain expertise and a sufficient data set for training your models, the outcome will be noisy and unreliable. This will undoubtedly make the next general trend in security technologies the stitching of alerts together into storylines, a reactionary approach that once again has more to do with alert management than with helping your teams maximize the value of your heterogeneous data set. It may be difficult to differentiate between these types of solutions, but if a vendor tells you they feel disadvantaged by some comparison because they don’t have particular security expertise, they are telling you something important about themselves.

It’s Time For Security Teams To Join The Data Economy

With the right data strategy, you have the opportunity to improve your organization’s security posture and the quality of your employees’ lives, while doing nothing new is a sound strategy only if you’re not planning on managing the environment a few years from now. This isn’t necessarily a panacea, though, as doing something in between can potentially increase ingest costs without providing the benefits you’re aiming for. Hopefully this blog provided a valuable perspective on what we need to be doing differently, along with the mindset necessary for solving this problem successfully in your own environments.

“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” – Ferris Bueller
