Why a Healthy Data Diet Is the Secret to Healthy Security In the same way that food is fuel to our bodies, data is the fuel on which our security programs run. Here are 10 action items to put on your cybersecurity menu.
Most medical professionals would agree that a healthy diet plays an important role in a healthy lifestyle. On some level, it's not difficult to understand why this is the case. Food is the fuel on which our bodies run. Most of us feel pretty good after a meal consisting of fresh fruits and vegetables, lean protein, and whole grains. On the other hand, if most of our meals regularly consist of a few hot dogs and a slice of cake, we likely won't feel very healthy over the long term.
I am certainly not a nutritionist, but I am definitely a firm believer in "everything in moderation." Consequently, there is an important security lesson that nutrition can teach us. In the same way that food is fuel to our bodies, data (for example, various type of information and intelligence) is the fuel upon which our security programs run. A healthy data diet is the secret to a healthy security program.
While many security programs focus on what to do with the data they receive, far fewer spend enough time on the quality of the data they receive. As the saying goes, "garbage in, garbage out." Your organization might have talented people, great leadership, efficient processes, and the latest technology. But if the data feeding day-to-day security operations is of poor quality, it will bring down the entire security organization. A security organization with the potential to be great will be reduced to simply being mediocre or good.
How can security organizations improve their data diets? Here are 10 action items to put on your security menu:
Item 1: Make sure intelligence is actionable.
Whether open source or paid, intelligence sources abound. But if intelligence is not actionable, it can be hard to leverage efficiently on a day-to-day basis. Further, unreliable intelligence can actually do more harm than good by drastically increasing the number of false positives a security team must address.
Item 2: Consider context.
A piece of information without context is just that — information. Intelligence requires context. Context guides us as to how to take a piece of information and apply it within our environment. Without context, the chance that we will pollute our work queue with noise is high. Context helps to ensure that we maintain a healthy intelligence diet.
Item 3: Don't just report on vulnerabilities.
We've all seen vulnerability scans that return a giant list of problems. But what does all of that data actually tell us? If we don't assess the impact of the various vulnerabilities and prioritize accordingly, we won't learn much of anything at all.
Item 4: Tie vulnerabilities to risk.
If you have an idea of the impact of a vulnerability, you can look to tie it to the risks and threats you're looking to mitigate. Making this connection allows an organization to understand how vulnerabilities affect risk. This, in turn, allows for a logical, calculated approach to address vulnerabilities rather than trying to do so qualitatively.
Item 5: Manage your supply chain.
Do your vendors have vulnerabilities and could they introduce risk into your organization? Join the club. But what are you doing about it? Are you working with vendors to assess their security postures, identify and prioritize gaps, create action items to address those gaps, and ensure that the issues are resolved? If not, you're probably generating lots of data on supply-chain risk, but you're not feeding your security program a data diet it can use to improve the situation.
Item 6: Feed the work queue with risk-driven alerts.
Alerts sent to the security team's work queue should be based on risks and threats that the organization is looking to mitigate. That is the only way that an organization can ensure that the queue is filled with alerts relevant to the risk it is looking to mitigate. The downside: Your organization will consume a data diet bloated with irrelevant noise.
Item 7: Shrink the rack.
Once upon a time, organizations required numerous highly specialized data sources to provide them visibility into their threat landscape. Over time, the volume and variety of those data sources increased dramatically in tandem with network bandwidth and network topology complexity. At the same time, advances in technology have allowed for the requisite visibility to be provided by fewer data sources. This is a great way for organizations to ensure that they get maximum value with minimum noise from their data diet.
Item 8: Move up the stack.
Many organizations feed a steady stream of Layer 3 or Layer 4 data to their security teams. But what does this data, with its limited context, really tell us about modern attacks? Unfortunately, not much. Attackers have moved up the stack to Layer 7 of the OSI model. It's time that organizations do the same.
Item 9: Focus on data value.
There is an overwhelming tendency for organizations to focus on the volume of data they collect. For example, you'll hear organizations say things like "we collect 4 billion event logs per day." But what does that tell us about the relevance of the data to incident response? Not a whole lot. Focusing on the value and relevance of data to security operations is a much more reliable way to ensure that we are feeding our security programs the appropriate data diet.
Item 10: Ask better questions.
In security, asking the right question is often more important than getting the right answer. Asking the right question (or questions!) allows us to tailor the queries we run, the intelligence we seek, and the data we collect.
Black Hat Europe returns to London, Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio