To improve your cybersecurity posture, focus on the data
Effectively converging, managing and using enterprise data is a huge undertaking. Enterprises have vast hoards of data, but those hoards exist within siloed systems and applications, and it requires a lot of manual effort by highly skilled data scientists, engineers and analysts to extract value from all that data.
Data preparation is basic but necessary work, and it keeps engineers from spending their time on the high-value tasks, such as identifying security gaps or telling the story that will improve the organization’s cybersecurity posture.
Bringing all your security data together in a consolidated fashion is key, but it’s easier said than done. An enterprise security data fabric platform can help, but to be successful, you need to understand what data to gather and where to get it from.
This first step – identifying the data sources and ensuring the right information can be brought in – needs to be taken before an organization can progress in its security data maturity journey.
Looking for data in all the right places
A security data fabric approach helps with transforming raw data into analysis-ready datasets, streamlining data analysis workflows, enabling data quality and integrity, and ultimately facilitating a stronger security posture. Security professionals and teams can create an initiative to implement a security data fabric.
This initiative requires that you:
- Recognize that the fabric is only as useful as the data feeds behind it
- Assess the current state of your data: what exists, where it lives and how complete it is
- Identify data sources across the business
- Work out how each dataset can be collected
- Work out how to combine, normalize and transform the data to add business context and produce insights
- Build reporting on top of this layer and share it with stakeholders
One of the biggest struggles that security teams have is identifying which data sources are needed for full visibility into their security posture and how these sources can support various efforts, such as continuous controls monitoring or automated threat hunting. Part of this struggle is understanding the disparate data formats you’re dealing with and how to combine, normalize and enrich them into a cohesive state, one in which a specific use case can be answered quickly.
So, how do you know which data you need? It depends on your use case. Identifying the end metrics will help drive which data sets are needed. Are you trying to collect the data you need for threat hunting? For a compliance audit? For asset discovery and clean up? Each use case might require a different type of data for insights; some might require endpoint detection and response (EDR) logs, while others require network data and traffic, or user and device information to get the full picture of what’s happening at any given time.
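As an added example (not code from the original article or from any vendor platform), here is a small Python normalizer for the three kinds of feeds the paragraph mentions: an EDR alert, a network flow and a user/identity event, each arriving in its own format. It maps them into one assumed common schema, enriches them from a constructed asset inventory and user directory, and flags records whose required fields are missing. The schema fields, the inventory contents and the sample records are all constructed for illustration.

```python
"""Normalize heterogeneous security records into one schema and enrich them.

Constructed sample inputs: an EDR alert in JSON, a network flow in CSV,
and an identity event in key=value syslog style. The target schema and
the inventory lookups below are assumptions made for this example.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed asset inventory and user directory used for enrichment.
ASSETS = {
    "10.0.5.23": {"hostname": "ws-0042", "owner": "jdoe", "criticality": "high"},
    "10.0.9.8": {"hostname": "db-01", "owner": "dba", "criticality": "critical"},
}
USERS = {
    "jdoe": {"department": "finance", "privileged": False},
    "dba": {"department": "platform", "privileged": True},
}
# Fields every normalized record must carry; anything else is optional context.
REQUIRED = ("ts", "source", "src_ip", "event_type")


def _iso_utc(epoch: float) -> str:
    """Every source gets the same UTC ISO-8601 timestamp so records sort together."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def parse_edr(raw: str) -> dict:
    """EDR alert: JSON with epoch seconds and vendor-specific field names."""
    d = json.loads(raw)
    return {
        "ts": _iso_utc(d["timestamp"]),
        "source": "edr",
        "src_ip": d.get("device_ip"),
        "host": d.get("hostname"),
        "user": d.get("user"),
        "event_type": d.get("alert_name"),
    }


def parse_flow(raw: str) -> dict:
    """Network flow: CSV 'epoch,src,dst,dport,bytes' with no host or user at all."""
    epoch, src, dst, dport, nbytes = next(csv.reader(io.StringIO(raw)))
    return {
        "ts": _iso_utc(float(epoch)),
        "source": "netflow",
        "src_ip": src,
        "dst_ip": dst,
        "dst_port": int(dport),
        "bytes": int(nbytes),
        "event_type": "flow",
    }


def parse_iam(raw: str) -> dict:
    """Identity event: space-separated key=value pairs with an ISO timestamp."""
    kv = dict(tok.split("=", 1) for tok in raw.split())
    ts = datetime.fromisoformat(kv["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {
        "ts": ts.isoformat(),
        "source": "iam",
        "src_ip": kv.get("ip"),
        "user": kv.get("user"),
        "event_type": kv.get("action"),
    }


def enrich(rec: dict) -> dict:
    """Attach asset and user context; list required fields that are still missing."""
    out = dict(rec)
    asset = ASSETS.get(rec.get("src_ip") or "")
    if asset:
        out.setdefault("host", asset["hostname"])   # fill gaps, never overwrite the source
        out.setdefault("user", asset["owner"])
        out["criticality"] = asset["criticality"]
    user = USERS.get(out.get("user") or "")
    if user:
        out["department"] = user["department"]
        out["privileged"] = user["privileged"]
    out["missing"] = [f for f in REQUIRED if not out.get(f)]
    return out


PARSERS = {"edr": parse_edr, "netflow": parse_flow, "iam": parse_iam}


def normalize_all(raw_records: list) -> list:
    """Parse each (source, raw) pair, enrich it, and return one time-ordered dataset."""
    recs = [enrich(PARSERS[src](raw)) for src, raw in raw_records]
    return sorted(recs, key=lambda r: r["ts"])


def privileged_from_critical_host(recs: list) -> list:
    """A cross-source question the unified schema answers directly:
    privileged-user activity on a critical asset, whichever tool reported it."""
    return [r for r in recs if r.get("privileged") and r.get("criticality") == "critical"]


# Constructed sample records (not real telemetry). 1700000000 is 2023-11-14T22:13:20Z.
SAMPLE = [
    ("edr", '{"timestamp": 1700000000, "device_ip": "10.0.5.23", "hostname": "ws-0042", '
            '"user": "jdoe", "alert_name": "credential_dumping"}'),
    ("netflow", "1700000005,10.0.9.8,203.0.113.7,443,98304"),
    ("iam", "time=2023-11-14T22:13:10Z user=dba action=role_assume ip=10.0.9.8"),
    ("netflow", "1700000003,,10.0.9.8,5432,512"),  # malformed: no source IP
]

if __name__ == "__main__":
    for r in normalize_all(SAMPLE):
        print(r)
```

Two things to notice. First, the flow record carries no host or user, yet after enrichment it can be queried by owner and criticality like the EDR and IAM records, which is what "bringing the data into a cohesive state" buys you: `privileged_from_critical_host` is a one-line filter over one dataset rather than three tool-specific queries. Second, the `missing` list is the completeness check: the malformed flow is kept, not silently dropped, but it is marked so that reporting can count it and the team can go back to the data owner about the feed.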
Data silos complicate matters. They exist on multiple levels: between tools in the same tech stack (each tool in a security operations center produces data in its own format) and between teams and business units that should be sharing data so that security findings have business context.
In some organizations, one team owns all enterprise data and manages the repository that it lives in, but that’s not always the case. In some, the security team must go to another department or team to get the data they need. And they’ll likely have to convince the other team that it’s important and necessary for them to have access to it – and that it will be used in a safe and proper manner.
Breaking down silos
How you approach breaking down the silos is often dependent on your organization; for some, a top-down approach works while for others, a bottom-up approach makes more sense. This all depends on how quickly you can get buy-in and who and what sets your organization’s initiatives.
No matter what approach you’re taking, you – as the person or team in charge of the security data fabric initiative – need to reassure the other data owners that what you’re doing with the data won’t have any negative impact on whatever initiative they’re working on. In fact, you can give them comfort that the improvements in security and compliance that will come from having access to these other datasets can help turn security into a true business enabler.
Many people worry about their jobs and about the integrity of the data they oversee, so explain what you will be doing with their data. Be clear that giving you access will not threaten their role. If anything, it helps: they’ll be free to focus on higher-value work that advances the business’s security journey.
In some organizations, it might be the CISO’s role to set the objectives and how the business will transform, leading them to approach the various data owners and leadership groups to make the case (top-down). In other organizations, it may be the product owner or engineer (bottom-up) who works to bring these sources, one by one, into the central platform.
Once you’ve located the needed data sources and who’s in charge of them, and gotten their buy-in, the next step is figuring out how to get the data into your security data fabric platform. It’s also important to understand the data owners’ viewpoint and what their teams can support on a consistent basis. Once data sharing begins, it’s not a one-and-done action – it’s an ongoing process.
Ensure transparency to build trust. Keeping the data silos you’ve broken down from re-forming requires ongoing transparency about what you and your team are doing with the data.
Finally, don’t try to boil the ocean. When you first set out to identify the data sources you need and work with data owners to gain access to them, start incrementally. You can’t progress in your security data maturity journey until the foundational issues of data quality and completeness have been addressed.
Toward security data maturity
Organizations collect and manage vast amounts of data, but most still aren’t getting the maximum value out of it. In cybersecurity, that means you aren’t using your data as effectively as you could to improve your posture. It also means (a subject for a separate deep dive) that AI models trained or run on incomplete, inconsistent data will not perform as they should. Combined, clean and complete data is the key to success in both areas.