Security Tools and Threat Feeds Are Creating New Types and Formats of Data to be Collected in Massive Volumes
Who could have imagined a few months ago that the term “data model” would have entered our daily lexicon? But it has, as experts try to understand the trajectory and behavior of COVID-19 and share their analysis with the general public. Every researcher seems to have their own approach with a recent article outlining the myriad types of data to consider as we seek to understand how to move forward during and after the pandemic.
I’ve written before about the parallels between medicine and cybersecurity and here is another example. As security professionals, we never know what life is going to throw at us, but we do know we need the right data to make better decisions and take the right actions, faster. We also understand the challenges behind this seemingly simple premise.
Mark Harris from Gartner has given great commentary on the evolution of adversary approaches to achieving their goal. He reminds us of how adversaries used to focus on infecting files. As defenders, we spent our time tracking files and hashes and relying on signatures to block these early threats. As the bad guys became more sophisticated, they started infecting systems. So, we expanded our arsenal of tools and layers of defenses to track additional indicators to protect against the latest threats. Now adversaries are infecting organizations, and our strategies must evolve again to address the ever-expanding list of systems, processes and data we must protect.
As quickly as business models change, adversaries take advantage of new attack vectors – like IoT devices, operational technology and the multiple personal and work devices users now move between. They also leverage human vulnerabilities, impersonating trusted colleagues and third parties to infiltrate organizations. Layering more products and technologies and subscribing to additional, external threat feeds to defend the growing attack surface is generating new types and formats of data to be collected, and in massive volumes. The result is a massive, evolving data management challenge.
How can you keep pace with dynamic threats and deal with data overload? You need a way to scale up to the volume of data and scale out to incorporate more types of data, so you can focus on what is relevant and take the right action, faster.
An extensible platform and flexible data model allow you to scale up and out. You can aggregate your data in one manageable location and automatically translate it into a uniform format for analysis. This includes events and associated indicators from inside your environment, for example from your SIEM system, log management repository, case management system and security infrastructure. You can augment and enrich this data automatically with threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as integrating quickly and fully with new frameworks that emerge, like MITRE ATT&CK. By correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods, you gain context to understand the who, what, where, when, why and how of an attack.
With an understanding of relevance to your organization, you can begin to prioritize where to focus first to take action. An extensible platform provides the flexibility to support different use cases, for example spear phishing, threat hunting, fraud detection, vulnerability management and incident response. By integrating with different tools, it allows you to leverage your existing security technologies more efficiently and effectively. What’s more, with the knowledge that you’re starting with the right data, you have greater confidence in your actions.
With an extensible platform and flexible data model, you can take full advantage of the volume and variety of data to gain insights, and the technologies in your ecosystem to accelerate detection and response and mitigate risk. You may not have certainty about the future, but you can be certain in your ability to adapt your capabilities to understand and address whatever life throws your way.