Light Dark
March 9, 2015 By Craig Roberts 3 min read
Mainframe

I have had the title of this blog post as the quote in my email footer for a couple of years now. Even after all this time, it still makes me pause for thought.

One of the biggest gaps I see that even large companies have is a lack of data or evidence. This seems to be at odds with the flashy focus cyberdefense currently has on big data. While I think many corporations technically possess the data, it is not available for use. Every day, we create 2.5 quintillion bytes of data, so much that 90 percent of the data in the world today has been created in the past two years alone.

What Comprises Security Data?

The more data you have, the more insight you can gain. This sounds a little cliche, but it is spot-on when it comes to security data. The following is what is classified as security data:

  • System Logs: “Craig logged in to system XYZ.”
  • Application Logs: “Application XYZ has processed Transaction UVW.”
  • Infrastructure Logs: “The firewall has blocked a packet from System XYZ to System UVW.”

Then, you add business context, such as the following:

  • GHI is PCI environment.
  • JKL is a critical business system.
  • This is external.
  • This is internal.
  • This is an admin user.
  • That is a high-transaction system.
  • This is my Virtual Private Network.

The Importance of Complete Data Evidence

So, you now have a pool of data that you can enrich with the context and vulnerabilities, network packet flows and current threat trends. This all increased our evidence, so why the absence?

This data isn’t complete enough. One of the biggest issues my clients have is this incomplete data set, and I sympathize with them. In a Fortune 500 company, hundreds of departments run systems you may not be able to access or see, or the workforce may have high areas of churn. Processing data is what computers are made to do, either through real-time correlation, highly structured queries, historical searches or even using trend data or anomaly analysis.

You just need to get the data. It starts with the security data, something that can be driven through an organization with the right executive authority and mindset in place and a structured program or project. The next stage is the business context, which is where the intelligence feeds in through consulting with the business. This can only be done with buy-in from the relevant areas. Once your data set becomes more complete, you get a huge jump in the success of your security tool sets. While you will never have a complete set, getting close to that nirvana is key to minimizing blind spots and data black holes.

What’s Ahead?

What gets me even more excited about this is what the future holds with cognitive computing. Not only can computers find trends and conduct anomaly learning, but they can mimic one of the greatest human traits: putting two and two together. If you see a system with Domain Name System (DNS) logs that gets hundreds of DNS requests to it with firewalls for Port 53 allowed from multiple sources, you can instantly guess it’s likely a DNS server. You can craft rules for computers to understand this, but it still requires human input.

Now, consider what something such as Watson™ could do by looking at the security data and building the business context. This is an amazing proposition. It learns your organization, allowing you to focus your limited resources on reacting to threats. While this situation is not “coming in Q2,” it is getting closer each day. Your systems can already learn trends and fire on above-average activity for certain systems on a per-system basis or with certain credentials.

With complete data, the evidence pool increases with higher confidence, so there is less absence. When that day comes, I will have to find a new insightful quote for my email footer. Until then, I will continue to remember that the absence of evidence is not the evidence of absence.

 |  |  |  | 
Craig Roberts

More from Mainframe
May 17, 2022

How dangerous is the cyberattack risk to transportation?

4 min read - If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause…

March 28, 2022

Low-code is easy, but is it secure?

4 min read - Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks. The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few,…

December 15, 2021

Starting From Scratch: How to Build a Small Business Cybersecurity Program

4 min read - When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature