Management & Strategy

Actionable Insight – Turning Detection into Prevention

To Effectively Manage Risk, Security Teams Must have the Ability to Turn Event Data into Actionable Information to Mitigate Rising Threats and Vulnerabilities.

When it comes to securing business critical IT systems, there’s one thing security practitioners certainly don’t lack – data. They have plenty of data flowing in from a multitude of sources such as application logs, server logs, routers, and firewalls. Not to mention, they possess an abundance of security technologies such as intrusion detection systems and vulnerability assessment tools. One could argue there is an overabundance of data – that is, too much data but not enough intelligence.

Security practitioners need a way to convert event data into information they can act on. And as the enterprise IT architecture and other system variables change, the ability to use event information to model the resulting changes to the infrastructure risk profile can make the biggest difference in detecting security anomalies. Considering today’s skilled and persistent adversaries, the ability to discern which vulnerabilities and threats could present the most risk is incredibly important.

Think it’s possible? Think again. Modern Security Information and Event Management systems (SIEMs) have done a good job of helping enterprises find the threat-needles in the IT system haystacks. The next evolution is to help those same businesses spot the needles most likely to prick enterprise defenses.

In my previous column, Actionable Insight – Getting the Right Security Data at the Right Time, I covered how important it is to gain a baseline understanding of an environment. As I discussed, that requires identity and security event-related information to be collected from all currently employed architectures – whether they are on-premises, cloud, or virtualized. Also, as I discussed, the identity data is necessary to understand who is accessing what resources, and from where. But identity information alone isn’t enough to fully understand an enterprise’s risk posture. Security managers must also be able to see security-related information across firewalls, log management tools, vulnerability scanners, and other applications and systems. In this column I will push the concept a bit further, to show the benefits of using those data to model real-world risk.

Today’s SIEMs excel at catching things after they happen, such as failed login attempts, or at correlating events that have already occurred. What they need to do next is help security practitioners see risky situations before they unfold. For example, consider when several major software vendors release a bevy of software security updates that total more than 100 individual patches. An organization has several options. It can rush to test and apply all of those patches almost immediately. Or, using its SIEM, it can model its environment against the released patches and the associated vulnerable systems. When that model also takes into account network segments, firewall settings, web application firewalls, and other controls, something comes to light that saves considerable effort: the enterprise needs to rush only 10 patches to mitigate nearly all of the risk to its infrastructure from the software vulnerabilities. The rest of the updates can be deployed in a few weeks, during normal and planned maintenance.
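As an added illustration (not part of the column), here is a small exposure-adjusted patch-prioritization model in the spirit of the scenario above: each vulnerability is weighted by whether the firewall policy lets the internet reach the affected service and whether a web application firewall screens it, and the highest-risk patches are then selected until most of the modeled risk is covered. The assets, firewall policy, weighting factors and patch identifiers are all constructed placeholders, not data from any real environment.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    segment: str           # network segment the host sits in
    listens_on: set        # ports with services exposed on this host
    behind_waf: bool = False

@dataclass
class Vuln:
    patch_id: str          # placeholder id, not a real advisory
    cvss: float            # base severity, 0-10
    port: int              # port of the vulnerable service
    web_exploitable: bool  # exploit travels over HTTP(S), so a WAF can screen it
    assets: list           # names of assets running the vulnerable software

INTERNET_REACHABLE = {("dmz", 80), ("dmz", 443)}  # constructed firewall policy: internet-reachable (segment, port)

def exposure(asset, v):
    """Weight a vuln by how reachable and how screened it is on this asset."""
    if v.port not in asset.listens_on:
        return 0.0                  # vulnerable service is not running here
    weight = 1.0 if (asset.segment, v.port) in INTERNET_REACHABLE else 0.3
    if v.web_exploitable and asset.behind_waf:
        weight *= 0.5               # WAF is a partial compensating control
    return weight

def risk_by_patch(vulns, assets):
    """Modeled risk per patch: cvss * exposure, summed over the assets it fixes."""
    by_name = {a.name: a for a in assets}
    return {v.patch_id: sum(v.cvss * exposure(by_name[n], v) for n in v.assets) for v in vulns}

def patches_to_rush(vulns, assets, coverage=0.9):
    """Highest-risk patches, in order, until `coverage` of total modeled risk is met."""
    risk = risk_by_patch(vulns, assets)
    target, covered, chosen = coverage * sum(risk.values()), 0.0, []
    for pid, r in sorted(risk.items(), key=lambda kv: -kv[1]):
        if covered >= target or r == 0:
            break
        chosen.append(pid)
        covered += r
    return chosen

# Constructed sample environment: two DMZ web hosts, two internal hosts.
ASSETS = [Asset("web1", "dmz", {443}, behind_waf=True), Asset("web2", "dmz", {80}),
          Asset("db1", "internal", {5432}), Asset("app1", "internal", {8080})]
VULNS = [Vuln("PATCH-A", 9.8, 80, True, ["web2"]), Vuln("PATCH-B", 9.8, 443, True, ["web1"]),
         Vuln("PATCH-C", 7.5, 5432, False, ["db1"]), Vuln("PATCH-D", 5.0, 8080, True, ["app1"])]
RUSH_NOW = patches_to_rush(VULNS, ASSETS)  # -> ['PATCH-A', 'PATCH-B', 'PATCH-C']; PATCH-D waits for planned maintenance
```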

This is how security practitioners, through such modeling, can reduce risk while managing costs. This is the journey to the next level of security intelligence. Real-time analytics of attacks is one important dimension, but modeling the effects of new threats and changes to the infrastructure will be another. This will help security practitioners move from firefighting to real risk management.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.