Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/6/2018
02:30 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Why a Healthy Data Diet Is the Secret to Healthy Security

In the same way that food is fuel to our bodies, data is the fuel on which our security programs run. Here are 10 action items to put on your cybersecurity menu.

Most medical professionals would agree that a healthy diet plays an important role in a healthy lifestyle. On some level, it's not difficult to understand why this is the case. Food is the fuel on which our bodies run. Most of us feel pretty good after a meal consisting of fresh fruits and vegetables, lean protein, and whole grains. On the other hand, if most of our meals regularly consist of a few hot dogs and a slice of cake, we likely won't feel very healthy over the long term.

I am certainly not a nutritionist, but I am definitely a firm believer in "everything in moderation." Consequently, there is an important security lesson that nutrition can teach us. In the same way that food is fuel to our bodies, data (for example, various type of information and intelligence) is the fuel upon which our security programs run. A healthy data diet is the secret to a healthy security program.

While many security programs focus on what to do with the data they receive, far fewer spend enough time on the quality of the data they receive. As the saying goes, "garbage in, garbage out." Your organization might have talented people, great leadership, efficient processes, and the latest technology. But if the data feeding day-to-day security operations is of poor quality, it will bring down the entire security organization. A security organization with the potential to be great will be reduced to simply being mediocre or good.

How can security organizations improve their data diets? Here are 10 action items to put on your security menu:

Item 1: Make sure intelligence is actionable.
Whether open source or paid, intelligence sources abound. But if intelligence is not actionable, it can be hard to leverage efficiently on a day-to-day basis. Further, unreliable intelligence can actually do more harm than good by drastically increasing the number of false positives a security team must address.

Item 2: Consider context.
A piece of information without context is just that — information. Intelligence requires context. Context guides us as to how to take a piece of information and apply it within our environment. Without context, the chance that we will pollute our work queue with noise is high. Context helps to ensure that we maintain a healthy intelligence diet.

Item 3: Don't just report on vulnerabilities.
We've all seen vulnerability scans that return a giant list of problems. But what does all of that data actually tell us? If we don't assess the impact of the various vulnerabilities and prioritize accordingly, we won't learn much of anything at all.

Item 4: Tie vulnerabilities to risk.
If you have an idea of the impact of a vulnerability, you can look to tie it to the risks and threats you're looking to mitigate. Making this connection allows an organization to understand how vulnerabilities affect risk. This, in turn, allows for a logical, calculated approach to address vulnerabilities rather than trying to do so qualitatively.

Item 5: Manage your supply chain.
Do your vendors have vulnerabilities and could they introduce risk into your organization? Join the club. But what are you doing about it? Are you working with vendors to assess their security postures, identify and prioritize gaps, create action items to address those gaps, and ensure that the issues are resolved? If not, you're probably generating lots of data on supply-chain risk, but you're not feeding your security program a data diet it can use to improve the situation.

Item 6: Feed the work queue with risk-driven alerts.
Alerts sent to the security team's work queue should be based on risks and threats that the organization is looking to mitigate. That is the only way that an organization can ensure that the queue is filled with alerts relevant to the risk it is looking to mitigate. The downside: Your organization will consume a data diet bloated with irrelevant noise.

Item 7: Shrink the rack.
Once upon a time, organizations required numerous highly specialized data sources to provide them visibility into their threat landscape. Over time, the volume and variety of those data sources increased dramatically in tandem with network bandwidth and network topology complexity. At the same time, advances in technology have allowed for the requisite visibility to be provided by fewer data sources. This is a great way for organizations to ensure that they get maximum value with minimum noise from their data diet.

Item 8: Move up the stack.
Many organizations feed a steady stream of Layer 3 or Layer 4 data to their security teams. But what does this data, with its limited context, really tell us about modern attacks? Unfortunately, not much. Attackers have moved up the stack to Layer 7 of the OSI model. It's time that organizations do the same.

Item 9: Focus on data value.
There is an overwhelming tendency for organizations to focus on the volume of data they collect. For example, you'll hear organizations say things like "we collect 4 billion event logs per day." But what does that tell us about the relevance of the data to incident response? Not a whole lot. Focusing on the value and relevance of data to security operations is a much more reliable way to ensure that we are feeding our security programs the appropriate data diet.

Item 10: Ask better questions.
In security, asking the right question is often more important than getting the right answer. Asking the right question (or questions!) allows us to tailor the queries we run, the intelligence we seek, and the data we collect. 

Related Content:

 

Black Hat Europe returns to London, Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MRodrigues98
50%
50%
MRodrigues98,
User Rank: Apprentice
7/19/2019 | 2:12:13 AM
great article

you're absolutely right, we are what we eat, I will follow your tips, thanks for posting this on this site

https://guiadietasimples.com/
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
12/3/2018 | 2:35:26 AM
We are what we eat
Well, they do say that we are indeed what we eat. Thus, the same principle does apply to supplying data to our computers. If we do not create an environment whereby breaches could occur, then it pretty much sums up the vulnerability level of our systems. We can somehow control what we accept or input so as to prevent unwanted digital scenarios to take place.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-5285
PUBLISHED: 2019-11-15
Null pointer dereference vulnerability exists in K11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime in NSS before 3.26, which causes the TLS/SSL server using NSS to crash.
CVE-2009-5047
PUBLISHED: 2019-11-15
Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) Http Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a &qu...
CVE-2013-4584
PUBLISHED: 2019-11-15
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
CVE-2013-7087
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has WWPack corrupt heap memory
CVE-2013-7088
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has buffer overflow in the libclamav component