How to Tackle the Data Challenge to Improve and Accelerate Detection and Response
I’ve discussed before how Security Operations Centers (SOCs) are now becoming detection and response organizations. But like most transitions, that shift doesn’t happen overnight. Three different areas need to be addressed – data, systems and people.
Many organizations today deal with data that is noisy and unstructured, decentralized without prioritization, and managed with spreadsheets. Their systems are disconnected and disparate, workflows are neither orchestrated nor automated, and each system uses its own specific language, which makes it difficult, if not impossible, to get them to interoperate. Finally, there is a significant lack of skilled resources to get things done, and the security professionals they do have can’t keep pace because they are bogged down by repetitive, manual tasks and operate in silos. Each of these areas needs to be addressed to improve detection, gain a better understanding of threats, enable teams to collaborate and, ultimately, take the right actions faster.
Here, I’m going to address how to tackle the data challenge to improve and accelerate detection and response.
To gain a comprehensive understanding of the threats you are facing and what you must defend, you need to start by aggregating internal data from across the entire ecosystem – the telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. In addition to the SIEM, this includes data from modern security tools and technologies like Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Cloud Detection and Response (CDR). Not only is this data high fidelity, it is also data you already own and pay for; the only cost is collecting it.
With the right internal threat and event data aggregated in a platform that serves as a central repository, the next step is to augment and enrich it with external threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Analysts are bombarded by millions of threat datapoints every day, which makes it hard to realize the full value of third-party data. Compounding the problem, research presented at the 29th USENIX Security Symposium found that there is little overlap between these sources, so no single feed gives complete coverage. Bringing this data into a central repository helps tame that flood: each feed is normalized automatically into a uniform format, so that indicators from different sources describing the same thing line up for analysis and prioritization.
Additional complexity springs from the need to keep pace with an ever-changing threat landscape. As we saw with COVID-19 and the SolarWinds Orion security breach, crises and outbreaks generate a strong uptick in new, disparate sources of threat information. Many of these sources have no ready-made connectors to plug into existing security infrastructure. So another requirement is custom connectors, for any type of threat intelligence feed, that can be written and deployed within hours. This allows the SOC to ingest threat data from new sources quickly into the same repository.
You now have a central repository combining the right internal data with external data – in effect, a single source of truth. However, due to the volume of data, you also have a great deal of noise. To reduce the noise, data can be prioritized according to what is relevant for your organization, instead of relying on the global risk scores some vendors provide. Adjusting risk scores based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, lets you filter out what is noise for you. Instead of wasting time and resources chasing ghosts, you can focus on what really matters to your organization. This central repository also serves as organizational memory for learning and improvement: as new data and observations are added to the platform (for example, an indicator seen in your own EDR telemetry), intelligence is automatically reevaluated and reprioritized.
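The three steps above (per-feed connectors that normalize into one schema, a merged repository, and organization-specific scoring that is re-evaluated as internal sightings arrive) are easier to reason about in code. What follows is an added example written for this article, not ThreatQuotient product code. The three feeds, the source names, the indicator values (documentation IP ranges and reserved `.example` domains) and every weight in `POLICY` are constructed for illustration; a real deployment would use its own feeds and weights.

```python
"""Central threat-data repository: normalize heterogeneous feeds, score by local policy.

Added example for this article (not ThreatQuotient code). Feeds, source names,
indicator values and scoring weights are all constructed for illustration.
"""
import csv
import io
import ipaddress
import json
from collections import defaultdict

# Three constructed feeds, each with its own format and vocabulary.
FEED_COMMERCIAL_JSON = json.dumps([
    {"indicator": "198.51.100.23", "kind": "ipv4", "confidence": 90, "tags": ["c2"]},
    {"indicator": "Evil.Example", "kind": "fqdn", "confidence": 40, "tags": []},
])
FEED_ISAC_CSV = "value,type,campaign\n203.0.113.7,ip,FIN-X\n198.51.100.23,ip,FIN-X\n"
FEED_OSINT_TXT = "# blocklist\nmalware.example\nevil.example\n"

TYPE_MAP = {"ipv4": "ip", "ip": "ip", "fqdn": "domain", "domain": "domain"}


def normalize(kind, value):
    """Canonical (type, value) key so the same indicator from two feeds collides."""
    kind = TYPE_MAP[kind]
    value = value.strip()
    if kind == "ip":
        value = str(ipaddress.ip_address(value))  # rejects garbage, canonical form
    else:
        value = value.lower().rstrip(".")
    return kind, value


# Connectors: one small function per feed format, all emitting the same schema.
def connector_json(raw, source):
    for rec in json.loads(raw):
        kind, value = normalize(rec["kind"], rec["indicator"])
        yield {"type": kind, "value": value, "source": source,
               "vendor_score": rec["confidence"], "tags": set(rec["tags"])}


def connector_csv(raw, source):
    for row in csv.DictReader(io.StringIO(raw)):
        kind, value = normalize(row["type"], row["value"])
        yield {"type": kind, "value": value, "source": source,
               "vendor_score": None, "tags": {"campaign:" + row["campaign"]}}


def connector_txt(raw, source):
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_address(line)
            guess = "ip"
        except ValueError:
            guess = "domain"  # simplistic: anything that is not an IP is a domain
        kind, value = normalize(guess, line)
        yield {"type": kind, "value": value, "source": source,
               "vendor_score": None, "tags": set()}


class Repository:
    """Single source of truth: merged indicators plus internal sightings."""

    def __init__(self):
        self.indicators = {}                 # (type, value) -> merged record
        self.sightings = defaultdict(int)    # (type, value) -> hits in own telemetry

    def ingest(self, records):
        for r in records:
            key = (r["type"], r["value"])
            cur = self.indicators.setdefault(
                key, {"sources": set(), "tags": set(), "vendor_scores": {}})
            cur["sources"].add(r["source"])
            cur["tags"] |= r["tags"]
            if r["vendor_score"] is not None:   # kept for reference, not used in scoring
                cur["vendor_scores"][r["source"]] = r["vendor_score"]

    def add_sighting(self, kind, value, count=1):
        self.sightings[normalize(kind, value)] += count

    def score(self, key, policy):
        """Local score from source, type, attributes and context; vendor scores ignored."""
        rec = self.indicators[key]
        s = max(policy["source_weight"].get(src, 0) for src in rec["sources"])
        s += policy["corroboration_bonus"] * (len(rec["sources"]) - 1)
        s += policy["type_weight"].get(key[0], 0)
        s += sum(policy["tag_bonus"].get(t, 0) for t in rec["tags"])
        s += policy["sighting_bonus"] * min(self.sightings[key], policy["max_sightings_counted"])
        return min(s, 100)

    def prioritized(self, policy, threshold=0):
        ranked = sorted(((self.score(k, policy), k) for k in self.indicators), reverse=True)
        return [(k[1], sc) for sc, k in ranked if sc >= threshold]

    def overlap(self):
        """(indicators seen in more than one feed, total indicators)."""
        return sum(1 for r in self.indicators.values() if len(r["sources"]) > 1), len(self.indicators)


POLICY = {  # hypothetical organization-specific weights
    "source_weight": {"commercial-a": 40, "isac-csv": 50, "osint-list": 15},
    "type_weight": {"ip": 10, "domain": 20},
    "tag_bonus": {"c2": 20, "campaign:FIN-X": 25},
    "corroboration_bonus": 10,      # per additional source reporting the indicator
    "sighting_bonus": 20,           # per internal sighting, capped below
    "max_sightings_counted": 2,
}


def build_demo_repo():
    repo = Repository()
    repo.ingest(connector_json(FEED_COMMERCIAL_JSON, "commercial-a"))
    repo.ingest(connector_csv(FEED_ISAC_CSV, "isac-csv"))
    repo.ingest(connector_txt(FEED_OSINT_TXT, "osint-list"))
    return repo


if __name__ == "__main__":
    repo = build_demo_repo()
    print("overlap across feeds:", repo.overlap())
    print("before sightings:", repo.prioritized(POLICY))
    repo.add_sighting("domain", "malware.example", count=3)  # constructed EDR hits
    print("after sightings, threshold 60:", repo.prioritized(POLICY, threshold=60))
```

Two things to notice when running it. `evil.example` arrives as `Evil.Example` from one feed and lowercase from another; without the normalization step they would be two entries and the corroboration bonus would never fire. And `malware.example` starts at the bottom of the list on feed data alone, then moves above `evil.example` once the SOC's own telemetry reports it three times, which is the reprioritization the paragraph above describes; the vendor confidence values stay in the record but play no part in the ranking.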
SOC modernization doesn’t happen overnight. But starting with the data challenge to create a single source of truth, continuously updated with new data and observations, and curated to ensure relevance, helps you fast-track the process. With the ability to focus monitoring and detection on high-risk threats, you’ll gain real and meaningful benefits quickly, and have a solid foundation for more efficient and effective response.
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.