Management & Strategy

Actionable Insight – Turning Detection into Prevention

To Effectively Manage Risk, Security Teams Must have the Ability to Turn Event Data into Actionable Information to Mitigate Rising Threats and Vulnerabilities.

When it comes to securing business critical IT systems, there’s one thing security practitioners certainly don’t lack – data. They have plenty of data flowing in from a multitude of sources such as application logs, server logs, routers, and firewalls. Not to mention, they possess an abundance of security technologies such as intrusion detection systems and vulnerability assessment tools. One could argue there is an overabundance of data – that is, too much data but not enough intelligence.

Security practitioners need a way to convert event data into information they can act on. Also, as the IT enterprise architecture changes, along with other system variables, the ability to use event information to model changes to the infrastructure risk profile can make the biggest difference in the detection of security anomalies. Considering today’s skilled and persistent adversaries, the ability to discern which vulnerabilities and threats could present the most risk is incredibly important.

Think it’s possible? Think again. Modern Security Information and Event Management systems (SIEMs) have done a good job of helping enterprises find the threat-needles in the IT system haystacks. The next evolution is to help those same businesses spot the needles most likely to prick enterprise defenses.

In my previous column, Actionable Insight – Getting the Right Security Data at the Right Time, I covered how important it is to gain a baseline understanding of an environment. As I discussed, that requires identity and security event-related information to be collected from all currently employed architectures – whether they are on-premises, cloud, or virtualized. Also, as I discussed, the identity data is necessary to understand who is accessing what resources, and from where. But to fully understand an enterprise’s risk posture, identity information isn’t enough. Security managers must be able to see security-related information across firewalls, log management tools, vulnerability scanners, and other applications and systems. In this column I will push the concept a bit further, to show the benefits of using that data to model real-world risk.

Today, SIEMs excel at catching things after they happen, such as failed login attempts, and at correlating events that have already occurred. What they need to do is help security practitioners see risky situations before they unfold. For example, consider when several major software vendors release a bevy of software security updates that total more than 100 individual patches. An organization has several options. It can rush to test and apply all of those patches almost immediately. Or, using its SIEM, it could model its environment with the released patches and the associated vulnerable systems. When that model also takes into account network segments, firewall settings, web application firewalls, and other controls, something comes to light that will save considerable effort: the enterprise needs to rush only 10 patches to mitigate nearly all of the risk to its infrastructure from the software vulnerabilities. The rest of the updates can be deployed in a few weeks, during normal and planned maintenance.
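The patch-prioritisation model the column describes can be sketched in a few dozen lines. The following is an added example written for this page, not code from the column or from any SIEM product. It assumes a constructed inventory: hosts with placeholder vulnerability identifiers (not real CVEs), a criticality weight per host, a segment per host, and two per-segment controls (internet reachability and a WAF in front). The weighting factors are assumptions chosen for illustration; a real model would take them from the organisation's own exposure data. The greedy selection then answers the column's question: which few patches cover most of the modelled risk, and which can wait for planned maintenance.

```python
"""Patch prioritisation by modelled exposure (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Vuln:
    vuln_id: str          # placeholder id, e.g. "VULN-001"; not a real CVE
    patch_id: str         # vendor patch that fixes it (placeholder)
    base_severity: float  # 0-10, CVSS-like score (constructed)
    attack_vector: str    # "network" or "local"
    is_web: bool          # reached over HTTP, so a WAF can blunt it


@dataclass
class Host:
    name: str
    segment: str
    criticality: float    # 1.0 = commodity host, 3.0 = crown jewels (assumed scale)
    vulns: List[Vuln]


@dataclass
class Segment:
    internet_reachable: bool
    waf_in_front: bool


def exposure_factor(v: Vuln, seg: Segment) -> float:
    """Scale a vulnerability's severity by the controls in its segment.

    The factors below are assumptions for illustration only.
    """
    if v.attack_vector == "local":
        return 0.2                                  # attacker needs a foothold first
    factor = 1.0 if seg.internet_reachable else 0.4  # internal-only segments are harder to reach
    if v.is_web and seg.waf_in_front:
        factor *= 0.5                               # WAF rule can block the exploit path
    return factor


def risk_by_patch(hosts: List[Host], segments: Dict[str, Segment]) -> Dict[str, float]:
    """Sum modelled risk per patch across every host that patch would fix."""
    risk: Dict[str, float] = {}
    for h in hosts:
        seg = segments[h.segment]
        for v in h.vulns:
            score = v.base_severity * h.criticality * exposure_factor(v, seg)
            risk[v.patch_id] = risk.get(v.patch_id, 0.0) + score
    return risk


def prioritise(hosts: List[Host], segments: Dict[str, Segment],
               coverage: float = 0.8) -> Tuple[List[str], List[str], float]:
    """Greedy: take the highest-risk patches until `coverage` of total risk is removed.

    Returns (rush_now, defer_to_maintenance, fraction_of_risk_covered).
    """
    risk = risk_by_patch(hosts, segments)
    total = sum(risk.values())
    ordered = sorted(risk.items(), key=lambda kv: kv[1], reverse=True)
    rush: List[str] = []
    covered = 0.0
    for pid, r in ordered:
        if total and covered / total >= coverage:
            break
        rush.append(pid)
        covered += r
    defer = [pid for pid, _ in ordered if pid not in rush]
    return rush, defer, (covered / total if total else 1.0)


# Constructed inventory: two segments, four hosts, eight placeholder patches.
SEGMENTS = {
    "dmz": Segment(internet_reachable=True, waf_in_front=True),
    "internal": Segment(internet_reachable=False, waf_in_front=False),
}
HOSTS = [
    Host("web01", "dmz", 3.0, [Vuln("VULN-001", "P1", 9.8, "network", True),
                               Vuln("VULN-002", "P2", 7.5, "local", False)]),
    Host("db01", "internal", 3.0, [Vuln("VULN-003", "P3", 9.0, "network", False),
                                   Vuln("VULN-002", "P2", 7.5, "local", False),
                                   Vuln("VULN-009", "P8", 5.5, "local", False)]),
    Host("wks01", "internal", 1.0, [Vuln("VULN-005", "P4", 6.5, "network", True),
                                    Vuln("VULN-006", "P5", 4.0, "local", False),
                                    Vuln("VULN-007", "P6", 5.0, "local", False)]),
    Host("wks02", "internal", 1.0, [Vuln("VULN-005", "P4", 6.5, "network", True),
                                    Vuln("VULN-008", "P7", 3.5, "network", False)]),
]


def demo() -> Tuple[List[str], List[str], float]:
    return prioritise(HOSTS, SEGMENTS, coverage=0.8)


if __name__ == "__main__":
    rush, defer, frac = demo()
    print(f"rush now: {rush}  (covers {frac:.0%} of modelled risk)")
    print(f"defer to maintenance: {defer}")
```

On this inventory, four of the eight patches remove roughly 86% of the modelled risk; the other four are local-only or sit on low-value internal hosts and can ride the normal maintenance window. The point of the model is not the exact numbers but that the ordering changes once segment controls are included: the database server's network-reachable flaw outranks a higher-severity web flaw that a WAF already shields, which severity alone would not show.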

This is how security practitioners, through such modeling, can reduce risk while managing costs. This is the journey to the next level of security intelligence. Real-time analytics of attacks is one important dimension; modeling the effects of new threats and of changes to the infrastructure will be another. This will help security practitioners move from firefighting to real risk management.
