Light Dark
April 14, 2017 By Jack Danahy 4 min read
Data Protection
Intelligence & Analytics
Risk Management

How much information do you need to manage your security? Until recently, the answer was always “more.” That is changing as the sheer volume of available data grows.

Today, corporate networks and machines are significantly faster and more powerful than they were 10 years ago. Combine this advancement with threat intelligence feeds, which include logs from new applications and streams from hosted services, and you have a surge in security data. This dramatic increase of data has gradually become a hindrance to organizations.

There is also a conflict between two different objectives for the information being gathered. First, timely incident response and reduced dwell time call for the acquisition of a limited amount of data to identify and stop attacks as quickly as possible. Second, system recovery and forensic examinations consider as much data as possible once the attack is over. The security industry has taken a one-size-fits-all approach, miring teams in unnecessary data and forcing them to look for real-time indicators when they should be looking for root causes.

Don’t Drown in Security Data

A recent survey by Enterprise Security Group (ESG) highlighted the increased volume of this information as a problem for the majority of participants. The skyrocketing number of devices and amount of network traffic is actually making the job of securing the organization more difficult. In fact, this growth poses an even greater risk than the increasing sophistication of the attacks themselves.

Cognitive security improves the ability of analysts to make sense of data in context, but the sheer volume of events can be overwhelming. It is time to re-evaluate the information gathered and stored by this process. To counter the negative effects of the irreversible growth in the volume and complexity of these inputs, we must approach security data differently.

Transient Versus Long-Lived Data

Not all security monitoring events are created equal when viewed through the lens of their usefulness and half-life. Take an infected endpoint, for example. For the purpose of rapidly identifying and interdicting an attack, a limited set of indicators of compromise (IoC) is likely sufficient to recognize that a machine has been corrupted and raise the alarm. For the purpose of reconstructing the event and hopefully restoring the victim’s machine, all the discrete actions within that attack need to be recorded and played back.

In the first case, a minimal set of information is gathered to identify an attack in progress, since the priority is arresting the attack in flight. Too much data would slow the process and increase the likelihood of spreading the infection. The second case, which prioritizes recovery and shortened downtime, requires a much more detailed set. The simpler set of IoCs would be insufficient to reconstruct the event or the system.

Both sets of data are optimized for their respective purposes and are not interchangeable. As a result, there must be different policies and even platforms for gathering the requisite information to support business needs.

Is the Data Useful?

As the sources of security monitoring information grow, it’s important to conduct periodic reassessments and pruning to eliminate what is redundant and prioritize what is required. If network-based detection of data exfiltration is approaching zero due to the installation of strong host-based data loss prevention (DLP), for example, network-based information gathering can be relaxed. If host-based intrusion detection is no longer catching infections because of stronger gateway filtering and endpoint management, analysts should deprioritize intrusion detection system (IDS) data accordingly.

The pruning also addresses a real risk in the creation and storage of all this data. Once the systems are created, the organization is responsible for reviewing and addressing data. During one major breach in 2014, a strong security team with a sizable investment and considerable experience received public criticism for not responding to security messages that were generated in the early stages of the attack.

Gathering as much data as possible creates a mass of information. This may be useful for root cause or forensic examination, but it also decreases the likelihood of observing an event as it occurs.

Assessing Business Need

Depending on the role an organization plays in the business, the relative priority of detection and recovery differs. When this happens, information gathering characteristics should change as well. An internal-facing organization with no customer information or external contact will not have the same public compliance and notification concerns as a customer support organization that handles partner records or personally identifiable information (PII). When an organization is held to a regulatory or contracted standard, the relative values of detection and recovery are not the same.

Organizations will also be concerned with different types of threats. Some will be more worried about long-running advanced persistent threats (APTs), data leakage and credential theft, while others are vulnerable to urgent, immediate attacks such as ransomware and distributed denial-of-service (DDoS). For the former, detailed recovery information or detection over a long period and across multiple machines is more valued than the immediate identification of a seriously impacted network or the isolation of a disabled and compromised host. The latter requires rapid identification and even real-time data.

Step Up to the Challenge

This appetite for security event data has been created and whetted by a universal understanding that security will never be 100 percent effective. Unfortunately, this has led to a decreased urgency to inch closer to total security in spite of this growing complexity in detection and response.

Even the mere threat of attack can lead to a singular focus on a strong monitoring and response infrastructure and an overall sense that recovery is possible. It underestimates the irreparable damage some attacks cause and creates an imbalance. Decreasing dwell time is very important, but it should be secondary to decreasing the likelihood that target systems will be breached.

Security analysts must step up to the challenge of integrating the ever-increasing volume of security data into better security management and expanding monitoring. This challenge is not new, but it is rapidly becoming more burdensome. It’s time to think creatively about applying and understanding the security data we encounter every day before the new wave of information swamps us.

 |  |  |  |  |  | 
Jack Danahy
CTO and Founder, Barkly

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature