Dark Reading is part of the Informa Tech Division of Informa PLC
Risk

9/6/2018
02:30 PM
Joshua Goldfarb
Commentary

Why a Healthy Data Diet Is the Secret to Healthy Security

In the same way that food is fuel to our bodies, data is the fuel on which our security programs run. Here are 10 action items to put on your cybersecurity menu.

Most medical professionals would agree that a healthy diet plays an important role in a healthy lifestyle. On some level, it's not difficult to understand why this is the case. Food is the fuel on which our bodies run. Most of us feel pretty good after a meal consisting of fresh fruits and vegetables, lean protein, and whole grains. On the other hand, if most of our meals regularly consist of a few hot dogs and a slice of cake, we likely won't feel very healthy over the long term.

I am certainly not a nutritionist, but I am definitely a firm believer in "everything in moderation." Consequently, there is an important security lesson that nutrition can teach us. In the same way that food is fuel to our bodies, data (for example, various types of information and intelligence) is the fuel upon which our security programs run. A healthy data diet is the secret to a healthy security program.

While many security programs focus on what to do with the data they receive, far fewer spend enough time on the quality of the data they receive. As the saying goes, "garbage in, garbage out." Your organization might have talented people, great leadership, efficient processes, and the latest technology. But if the data feeding day-to-day security operations is of poor quality, it will bring down the entire security organization. A security organization with the potential to be great will be reduced to simply being mediocre or good.

How can security organizations improve their data diets? Here are 10 action items to put on your security menu:

Item 1: Make sure intelligence is actionable.
Whether open source or paid, intelligence sources abound. But if intelligence is not actionable, it can be hard to leverage efficiently on a day-to-day basis. Further, unreliable intelligence can actually do more harm than good by drastically increasing the number of false positives a security team must address.

Item 2: Consider context.
A piece of information without context is just that — information. Intelligence requires context. Context guides us as to how to take a piece of information and apply it within our environment. Without context, the chance that we will pollute our work queue with noise is high. Context helps to ensure that we maintain a healthy intelligence diet.

Item 3: Don't just report on vulnerabilities.
We've all seen vulnerability scans that return a giant list of problems. But what does all of that data actually tell us? If we don't assess the impact of the various vulnerabilities and prioritize accordingly, we won't learn much of anything at all.

Item 4: Tie vulnerabilities to risk.
If you have an idea of the impact of a vulnerability, you can look to tie it to the risks and threats you're looking to mitigate. Making this connection allows an organization to understand how vulnerabilities affect risk. This, in turn, allows for a logical, calculated approach to address vulnerabilities rather than trying to do so qualitatively.

Item 5: Manage your supply chain.
Do your vendors have vulnerabilities and could they introduce risk into your organization? Join the club. But what are you doing about it? Are you working with vendors to assess their security postures, identify and prioritize gaps, create action items to address those gaps, and ensure that the issues are resolved? If not, you're probably generating lots of data on supply-chain risk, but you're not feeding your security program a data diet it can use to improve the situation.

Item 6: Feed the work queue with risk-driven alerts.
Alerts sent to the security team's work queue should be based on risks and threats that the organization is looking to mitigate. That is the only way an organization can ensure that the queue is filled with alerts relevant to the risk it is looking to mitigate. Otherwise, your organization will consume a data diet bloated with irrelevant noise.

Item 7: Shrink the rack.
Once upon a time, organizations required numerous highly specialized data sources to provide them visibility into their threat landscape. Over time, the volume and variety of those data sources increased dramatically in tandem with network bandwidth and network topology complexity. At the same time, advances in technology have allowed the requisite visibility to be provided by fewer data sources. Consolidating onto fewer, higher-value sources is a great way for organizations to ensure that they get maximum value with minimum noise from their data diet.

Item 8: Move up the stack.
Many organizations feed a steady stream of Layer 3 or Layer 4 data to their security teams. But what does this data, with its limited context, really tell us about modern attacks? Unfortunately, not much. Attackers have moved up the stack to Layer 7 of the OSI model. It's time that organizations do the same.

Item 9: Focus on data value.
There is an overwhelming tendency for organizations to focus on the volume of data they collect. For example, you'll hear organizations say things like "we collect 4 billion event logs per day." But what does that tell us about the relevance of the data to incident response? Not a whole lot. Focusing on the value and relevance of data to security operations is a much more reliable way to ensure that we are feeding our security programs the appropriate data diet.

Item 10: Ask better questions.
In security, asking the right question is often more important than getting the right answer. Asking the right question (or questions!) allows us to tailor the queries we run, the intelligence we seek, and the data we collect. 


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
Comments

MRodrigues98, User Rank: Apprentice, 7/19/2019 | 2:12:13 AM
great article

you're absolutely right, we are what we eat, I will follow your tips, thanks for posting this on this site

https://guiadietasimples.com/
michaelmaloney, User Rank: Apprentice, 12/3/2018 | 2:35:26 AM
We are what we eat
Well, they do say that we are indeed what we eat. Thus, the same principle does apply to supplying data to our computers. If we do not create an environment whereby breaches could occur, then it pretty much sums up the vulnerability level of our systems. We can somehow control what we accept or input so as to prevent unwanted digital scenarios from taking place.
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...