There’s no doubt, we’re living in a data and intelligence-driven world when it comes to enterprise security. The volume, velocity, and complexity of information security data that must be processed to detect advanced attacks and, at the same time, support new business initiatives has been growing exponentially. However, data in its raw form is still only a means to an end. This begs the question: How can modern enterprise security programs be adapted to gain actionable insight from all the data they collect?
According to Gartner (see ‘Information Security Is Becoming a Big Data Analytics Problem’, written by Neil MacDonald), 40% of enterprises actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in 2011. Traditionally, this data is gathered from the perimeter, meaning the network and endpoints. However, in today’s dynamic threat landscape organizations need to extend their ‘monitoring coverage’ to include applications, databases, mobile devices, the Internet of Things, and emerging technologies such as microservices and containers. That being said, organizations will be forced to process even greater amounts of data.
Unfortunately, a significant portion of information security resources are consumed by data gathering and aggregation processes. This is one of the biggest limitations when it comes to driving down time-to-remediation and predicting threats before they come to fruition. Another challenge involves creating context around security big data, so it can provide actionable insight. To achieve this, data needs to be correlated with its business criticality or risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that in reality pose little or no threat to the business. Furthermore, big security data needs to be filtered to just the information that is relevant to specific stakeholders’ roles and responsibilities. Not everyone has the same needs and objectives when it comes to leveraging big data.
Considering the ongoing skill and expertise shortage, and increasing frequency and sophistication in threat activities, many organizations are rethinking their enterprise security model. Rather than adding more tools, organizations need to implement a new, more efficient approach that is based on continuous cyber risk scoring for improved situational awareness and actionable insights. The objective is to move to full and / or semi-automation of operational activities. At the same time, implementing continuous, pervasive monitoring and analysis across the entire attack surface, not just the network or endpoints, is required for an adaptive and risk-based response to advanced threats.
In this context, intelligence-driven cyber risk management is often seen as a clear path for organizations to operationalize cyber security practices, breaking down silos, and enhancing security operations tasks through automation.
Cyber risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. Fortunately, new technology – cyber risk management – is emerging that helps not only aggregate internal security intelligence and external threat data, but more importantly correlates these data feeds with its business criticality or risk to the organization. The end result is automated, contextualized security metrics that align with business objectives.
Besides leveraging cyber risk management tools, organizations should also consider the following measures to ensure they’re operationalizing security intelligence as effectively as possible:
• Assure ongoing categorization of assets within the organization to establish a benchmark for determining the business impact of threats and prioritization of remediation actions.
• Apply best practices outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework; especially their referenced security controls library.
• Increase the frequency of vulnerability scans and other methods to gather more timely security intelligence, which can assist in the detection of security gaps, control failures, and also verify if remediation actions were effective.
By implementing these measures, while correlating and contextualizing external threat data with internal security intelligence and business criticality, organizations can operationalize their cyber security practices to shorten time-to-detection and ultimately, time-to-remediation of cyber threats.