9/6/2018 02:30 PM
Joshua Goldfarb
Commentary

Why a Healthy Data Diet Is the Secret to Healthy Security

In the same way that food is fuel to our bodies, data is the fuel on which our security programs run. Here are 10 action items to put on your cybersecurity menu.

Most medical professionals would agree that a healthy diet plays an important role in a healthy lifestyle. On some level, it's not difficult to understand why this is the case. Food is the fuel on which our bodies run. Most of us feel pretty good after a meal consisting of fresh fruits and vegetables, lean protein, and whole grains. On the other hand, if most of our meals regularly consist of a few hot dogs and a slice of cake, we likely won't feel very healthy over the long term.

I am certainly not a nutritionist, but I am definitely a firm believer in "everything in moderation." Consequently, there is an important security lesson that nutrition can teach us. In the same way that food is fuel to our bodies, data (that is, the various types of information and intelligence we consume) is the fuel upon which our security programs run. A healthy data diet is the secret to a healthy security program.

While many security programs focus on what to do with the data they receive, far fewer spend enough time on the quality of the data they receive. As the saying goes, "garbage in, garbage out." Your organization might have talented people, great leadership, efficient processes, and the latest technology. But if the data feeding day-to-day security operations is of poor quality, it will drag down the entire security organization. A security organization with the potential to be great will be reduced to being merely good, or even mediocre.

How can security organizations improve their data diets? Here are 10 action items to put on your security menu:

Item 1: Make sure intelligence is actionable.
Whether open source or paid, intelligence sources abound. But if intelligence is not actionable, it can be hard to leverage efficiently on a day-to-day basis. Further, unreliable intelligence can actually do more harm than good by drastically increasing the number of false positives a security team must address.

Item 2: Consider context.
A piece of information without context is just that — information. Intelligence requires context. Context guides us as to how to take a piece of information and apply it within our environment. Without context, the chance that we will pollute our work queue with noise is high. Context helps to ensure that we maintain a healthy intelligence diet.

Item 3: Don't just report on vulnerabilities.
We've all seen vulnerability scans that return a giant list of problems. But what does all of that data actually tell us? If we don't assess the impact of the various vulnerabilities and prioritize accordingly, we won't learn much of anything at all.

Item 4: Tie vulnerabilities to risk.
If you have an idea of the impact of a vulnerability, you can look to tie it to the risks and threats you're looking to mitigate. Making this connection allows an organization to understand how vulnerabilities affect risk. This, in turn, allows for a logical, calculated approach to address vulnerabilities rather than trying to do so qualitatively.
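Items 3 and 4 together describe a procedure: assess each vulnerability's impact, then rank it by the risk it poses rather than by the raw severity the scanner reports. The following is an added example of that procedure, not code from the article or its author; the asset inventory, the findings, the CVE-style identifiers (placeholders, not real advisories) and the weighting factors are all constructed for illustration.

```python
# Added example (not from the article): rank scanner findings by the risk
# they pose rather than by raw severity. Asset inventory, findings, CVE
# identifiers and weights are all constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (throwaway lab box) .. 5 (revenue critical)
    internet_facing: bool
    handles_sensitive_data: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                    # placeholder IDs, not real advisories
    cvss: float                 # base score 0.0 .. 10.0 as reported by the scanner
    exploited_in_wild: bool     # e.g. listed on a known-exploited-vulnerability catalog


# Constructed inventory. None of this is in the scan output; it is the context
# that lets a vulnerability be tied to a risk.
ASSETS = {
    "pay-web-01": Asset("pay-web-01", 5, internet_facing=True, handles_sensitive_data=True),
    "hr-db-02": Asset("hr-db-02", 4, internet_facing=False, handles_sensitive_data=True),
    "dev-vm-17": Asset("dev-vm-17", 1, internet_facing=False, handles_sensitive_data=False),
}

# Constructed scan output, the "giant list" the article describes.
FINDINGS = [
    Finding("dev-vm-17", "CVE-0000-0001", cvss=9.8, exploited_in_wild=False),
    Finding("pay-web-01", "CVE-0000-0002", cvss=6.5, exploited_in_wild=True),
    Finding("hr-db-02", "CVE-0000-0003", cvss=7.5, exploited_in_wild=False),
]

# An asset the scanner found but the inventory does not know gets a middling
# weight and is flagged: a gap in the inventory is itself a data-quality defect.
UNKNOWN_ASSET_CRITICALITY = 3


def risk_score(f, assets=ASSETS):
    """Severity, scaled by how much the asset matters and how reachable it is."""
    asset = assets.get(f.asset)
    if asset is None:
        asset = Asset(f.asset, UNKNOWN_ASSET_CRITICALITY, False, False)
    exposure = 1.0
    if asset.internet_facing:
        exposure += 1.0
    if asset.handles_sensitive_data:
        exposure += 0.5
    score = f.cvss * (asset.criticality / 5) * exposure
    if f.exploited_in_wild:
        score *= 1.5
    return round(score, 3)


def prioritize(findings, assets=ASSETS):
    """Return (finding, score, inventory_known) triples, highest risk first."""
    ranked = [(f, risk_score(f, assets), f.asset in assets) for f in findings]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def by_cvss(findings):
    """The ordering a raw scan report implies, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


if __name__ == "__main__":
    print("scanner order:", [f.asset for f in by_cvss(FINDINGS)])
    print("risk order:")
    for f, score, known in prioritize(FINDINGS):
        flag = "" if known else "  (asset missing from inventory)"
        print(f"  {score:7.3f}  {f.asset:<11} {f.cve}{flag}")
```

Run as a script, the scanner's own ordering puts the 9.8 on the isolated dev VM first, while the risk ordering puts the 6.5 on the internet-facing payment server first because it is exposed, handles sensitive data, and is known to be exploited. The exact multipliers are a starting point to be tuned against the organization's own risk register; the point is that the ranking uses context the scanner never had.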

Item 5: Manage your supply chain.
Do your vendors have vulnerabilities and could they introduce risk into your organization? Join the club. But what are you doing about it? Are you working with vendors to assess their security postures, identify and prioritize gaps, create action items to address those gaps, and ensure that the issues are resolved? If not, you're probably generating lots of data on supply-chain risk, but you're not feeding your security program a data diet it can use to improve the situation.

Item 6: Feed the work queue with risk-driven alerts.
Alerts sent to the security team's work queue should be based on risks and threats that the organization is looking to mitigate. That is the only way that an organization can ensure that the queue is filled with alerts relevant to the risk it is looking to mitigate. Skip this step and your organization will consume a data diet bloated with irrelevant noise.
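Items 1, 2 and 6 all come down to the same filter: an alert earns a place in the work queue only if it is evidence for a risk the organization has chosen to mitigate, and it arrives with the context an analyst needs. The following is an added example of that routing, not code from the article or its author; the risk register, asset tags and alert records are constructed for illustration.

```python
# Added example (not from the article): route raw alerts into the work queue
# only when they map onto a risk the organization has decided to mitigate,
# and attach that risk as context. Register, tags and alerts are constructed.
from collections import Counter

# Constructed risk register: each risk names the alert categories that
# evidence it and the asset tags it concerns.
RISK_REGISTER = {
    "R1 credential theft against payment systems": {
        "categories": {"credential-access", "lateral-movement"},
        "asset_tags": {"payment"},
    },
    "R2 ransomware on file servers": {
        "categories": {"malware", "impact"},
        "asset_tags": {"fileserver"},
    },
}

# Constructed asset tagging: the context that turns information into intelligence.
ASSET_TAGS = {
    "pay-web-01": {"payment", "internet-facing"},
    "fs-03": {"fileserver"},
    "dev-vm-17": {"dev"},
}

# Constructed alerts as a detection stack might emit them.
RAW_ALERTS = [
    {"id": 1, "category": "credential-access", "asset": "pay-web-01",
     "summary": "burst of failed logins followed by success"},
    {"id": 2, "category": "malware", "asset": "dev-vm-17",
     "summary": "signature hit on test sample"},
    {"id": 3, "category": "impact", "asset": "fs-03",
     "summary": "mass file rename within one minute"},
    {"id": 4, "category": "policy", "asset": "pay-web-01",
     "summary": "TLS banner observed"},
    {"id": 5, "category": "impact", "asset": "unknown-host",
     "summary": "mass file rename within one minute"},
]


def matching_risks(alert, register=RISK_REGISTER, tags=ASSET_TAGS):
    """Names of register entries this alert is evidence for (possibly none)."""
    asset_tags = tags.get(alert["asset"], set())
    return [name for name, risk in register.items()
            if alert["category"] in risk["categories"]
            and asset_tags & risk["asset_tags"]]


def route_alerts(alerts, register=RISK_REGISTER, tags=ASSET_TAGS):
    """Split alerts into the analyst queue (with risk context), a noise tally
    kept for tuning, and the set of assets the inventory does not know.
    Untagged assets are reported separately because an inventory gap would
    otherwise suppress alerts silently."""
    queue, noise, untagged = [], Counter(), set()
    for alert in alerts:
        if alert["asset"] not in tags:
            untagged.add(alert["asset"])
        risks = matching_risks(alert, register, tags)
        if risks:
            queue.append({**alert, "risks": risks,
                          "asset_tags": sorted(tags[alert["asset"]])})
        else:
            noise[(alert["category"], alert["asset"])] += 1
    return queue, noise, untagged


if __name__ == "__main__":
    queue, noise, untagged = route_alerts(RAW_ALERTS)
    for item in queue:
        print(f"queue  #{item['id']} {item['asset']:<11} -> {', '.join(item['risks'])}")
    print("noise tally:", dict(noise))
    print("assets missing from inventory:", sorted(untagged))
```

Of the five constructed alerts only two reach the queue, each carrying the risk it supports and the asset's tags. The noise tally is kept rather than thrown away so the detections that generate it can be tuned upstream, and the untagged host is surfaced to whoever owns the inventory instead of vanishing into the noise bucket.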

Item 7: Shrink the rack.
Once upon a time, organizations required numerous highly specialized data sources to provide them visibility into their threat landscape. Over time, the volume and variety of those data sources increased dramatically in tandem with network bandwidth and network topology complexity. At the same time, advances in technology have allowed for the requisite visibility to be provided by fewer data sources. Consolidating onto fewer sources is a great way for organizations to ensure that they get maximum value with minimum noise from their data diet.

Item 8: Move up the stack.
Many organizations feed a steady stream of Layer 3 or Layer 4 data to their security teams. But what does this data, with its limited context, really tell us about modern attacks? Unfortunately, not much. Attackers have moved up the stack to Layer 7 of the OSI model. It's time that organizations do the same.
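To make the Layer 4 versus Layer 7 point concrete, the following added example (not code from the article or its author) shows the same web session as a flow record and as a web-server access-log line, with a detection that only the Layer 7 view can support. The flow record, the IP addresses, the log lines and the check thresholds are constructed; the log format is the common "combined" format.

```python
# Added example (not from the article): the same session seen as a Layer 4
# flow record and as a Layer 7 HTTP access-log line, with a detection that
# is only possible at Layer 7. Records, addresses and log lines are constructed.
import re
from urllib.parse import unquote

# Constructed flow record (what a NetFlow-style export of this session offers).
FLOW_RECORD = {"src": "203.0.113.7", "dst": "198.51.100.10",
               "dport": 443, "proto": "tcp", "bytes": 1432}

# Constructed combined-format log lines: the same session, plus a benign request.
HTTP_LOG_LINES = [
    '203.0.113.7 - - [06/Sep/2018:14:30:00 +0000] '
    '"GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/7.61.0"',
    '198.51.100.23 - - [06/Sep/2018:14:30:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

COMBINED_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


def parse_http(line):
    """Combined-format access-log line to a dict, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def l4_findings(flow):
    """All a flow record can say: endpoints, port, protocol and volume.
    Nothing here sees the request itself."""
    reasons = []
    if flow["proto"] == "tcp" and flow["dport"] not in (80, 443):
        reasons.append("web traffic on unexpected port")
    return reasons


def l7_findings(rec):
    """Request-level checks that need the decoded URL, method and status."""
    reasons = []
    target = unquote(rec["target"])          # decode %2F etc. before inspecting
    if "../" in target or "..\\" in target:
        reasons.append("path traversal sequence in request target")
    if rec["method"] not in ALLOWED_METHODS:
        reasons.append(f"unexpected HTTP method {rec['method']}")
    if rec["status"] >= 500:
        reasons.append("server error, possible probing")
    return reasons


def analyse(lines):
    """Return {source_ip: [reasons]} for every parsed line that raised one."""
    flagged = {}
    for line in lines:
        rec = parse_http(line)
        if rec is None:
            continue                          # unparseable line: log it upstream
        reasons = l7_findings(rec)
        if reasons:
            flagged.setdefault(rec["src"], []).extend(reasons)
    return flagged


if __name__ == "__main__":
    print("layer 4 view:", l4_findings(FLOW_RECORD) or "nothing to say")
    print("layer 7 view:", analyse(HTTP_LOG_LINES))
```

The flow record is a normal-looking HTTPS session of 1432 bytes and yields nothing; the access log for the same session exposes the decoded request target and lets the traversal attempt be flagged with its source address. That is the context Layer 3 and 4 data cannot carry, and it is why the detection has to move up the stack with the attacker.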

Item 9: Focus on data value.
There is an overwhelming tendency for organizations to focus on the volume of data they collect. For example, you'll hear organizations say things like "we collect 4 billion event logs per day." But what does that tell us about the relevance of the data to incident response? Not a whole lot. Focusing on the value and relevance of data to security operations is a much more reliable way to ensure that we are feeding our security programs the appropriate data diet.

Item 10: Ask better questions.
In security, asking the right question is often more important than getting the right answer. Asking the right question (or questions!) allows us to tailor the queries we run, the intelligence we seek, and the data we collect.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...

Comments

michaelmaloney, User Rank: Apprentice
12/3/2018 | 2:35:26 AM
We are what we eat
Well, they do say that we are indeed what we eat. Thus, the same principle does apply to supplying data to our computers. If we do not create an environment whereby breaches could occur, then it pretty much sums up the vulnerability level of our systems. We can somehow control what we accept or input so as to prevent unwanted digital scenarios from taking place.