[BreachExchange] Why a Healthy Data Diet Is the Secret to Healthy Security

Destry Winant destry at riskbasedsecurity.com
Thu Sep 6 23:34:17 EDT 2018


https://www.darkreading.com/risk/why-a-healthy-data-diet-is-the-secret-to-healthy-security-/a/d-id/1332718

In the same way that food is fuel to our bodies, data is the fuel on
which our security programs run. Here are 10 action items to put on
your cybersecurity menu.

Most medical professionals would agree that a healthy diet plays an
important role in a healthy lifestyle. On some level, it's not
difficult to understand why this is the case. Food is the fuel on
which our bodies run. Most of us feel pretty good after a meal
consisting of fresh fruits and vegetables, lean protein, and whole
grains. On the other hand, if most of our meals regularly consist of a
few hot dogs and a slice of cake, we likely won't feel very healthy
over the long term.

I am certainly not a nutritionist, but I am definitely a firm believer
in "everything in moderation." Consequently, there is an important
security lesson that nutrition can teach us. In the same way that food
is fuel to our bodies, data (for example, various types of information
and intelligence) is the fuel upon which our security programs run. A
healthy data diet is the secret to a healthy security program.

While many security programs focus on what to do with the data they
receive, far fewer spend enough time on the quality of the data they
receive. As the saying goes, "garbage in, garbage out." Your
organization might have talented people, great leadership, efficient
processes, and the latest technology. But if the data feeding
day-to-day security operations is of poor quality, it will bring down
the entire security organization. A security organization with the
potential to be great will be reduced to simply being mediocre or
good.

How can security organizations improve their data diets? Here are 10
action items to put on your security menu:

Item 1: Make sure intelligence is actionable.
Whether open source or paid, intelligence sources abound. But if
intelligence is not actionable, it can be hard to leverage efficiently
on a day-to-day basis. Further, unreliable intelligence can actually
do more harm than good by drastically increasing the number of false
positives a security team must address.

Item 2: Consider context.
A piece of information without context is just that — information.
Intelligence requires context. Context guides us as to how to take a
piece of information and apply it within our environment. Without
context, the chance that we will pollute our work queue with noise is
high. Context helps to ensure that we maintain a healthy intelligence
diet.

Item 3: Don't just report on vulnerabilities.
We've all seen vulnerability scans that return a giant list of
problems. But what does all of that data actually tell us? If we don't
assess the impact of the various vulnerabilities and prioritize
accordingly, we won't learn much of anything at all.

Item 4: Tie vulnerabilities to risk.
If you have an idea of the impact of a vulnerability, you can look to
tie it to the risks and threats you're looking to mitigate. Making
this connection allows an organization to understand how
vulnerabilities affect risk. This, in turn, allows for a logical,
calculated approach to address vulnerabilities rather than trying to
do so qualitatively.
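Items 3 and 4 in practice, as an added example that is not from the article: instead of handing the team the scanner's flat list, each finding is joined with asset context and a risk register and scored, so the queue reflects calculated risk rather than raw severity. The asset inventory, risk register, and scan results below are constructed, and the weighting is a hypothetical scheme, not a published standard.

```python
# Added example (not from the article): turn a flat vulnerability scan into
# a risk-ranked queue. Assets, risk weights and findings are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory: the "context" that ties a finding to impact.
ASSETS: Dict[str, dict] = {
    "web-01": {"criticality": 5, "internet_facing": True,  "data": "pii"},
    "db-02":  {"criticality": 5, "internet_facing": False, "data": "pii"},
    "dev-07": {"criticality": 1, "internet_facing": False, "data": "none"},
}

# Hypothetical risk register: how much the program cares about each threat.
RISK_REGISTER: Dict[str, float] = {
    "rce": 1.0,            # remote code execution on a service
    "data-exposure": 0.9,  # loss of confidentiality of stored data
    "dos": 0.3,            # availability loss
    "info-leak": 0.2,      # version/banner disclosure
}

@dataclass
class Finding:
    asset: str
    plugin: str
    cvss: float   # technical severity reported by the scanner (0-10)
    threat: str   # threat category the finding maps to in the register

def risk_score(f: Finding) -> float:
    """Impact-weighted score: severity x asset context x risk appetite."""
    a = ASSETS[f.asset]
    exposure = 1.0 if a["internet_facing"] else 0.5
    data_weight = 1.5 if a["data"] == "pii" else 1.0
    appetite = RISK_REGISTER.get(f.threat, 0.1)  # unknown threats rank low
    return round(f.cvss * a["criticality"] * exposure * data_weight * appetite, 1)

def prioritize(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """Return (asset, plugin, score) tuples, highest calculated risk first."""
    scored = [(f.asset, f.plugin, risk_score(f)) for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)

def work_queue(findings: List[Finding], cutoff: float) -> List[Tuple[str, str, float]]:
    """Only findings at or above the cutoff reach the team's queue."""
    return [t for t in prioritize(findings) if t[2] >= cutoff]

# Constructed scan output, in the order a scanner might dump it.
SCAN = [
    Finding("dev-07", "OpenSSH version disclosure", 5.3, "info-leak"),
    Finding("web-01", "Deserialization RCE in app server", 9.8, "rce"),
    Finding("db-02", "Weak TLS cipher suites", 7.5, "data-exposure"),
    Finding("dev-07", "HTTP slowloris", 7.2, "dos"),
]

if __name__ == "__main__":
    for asset, plugin, score in prioritize(SCAN):
        print(f"{score:6.1f}  {asset:7}  {plugin}")
```

Two findings share a CVSS of 7.5-ish severity but land far apart once asset criticality and the register are applied, which is the point of Item 4.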

Item 5: Manage your supply chain.
Do your vendors have vulnerabilities and could they introduce risk
into your organization? Join the club. But what are you doing about
it? Are you working with vendors to assess their security postures,
identify and prioritize gaps, create action items to address those
gaps, and ensure that the issues are resolved? If not, you're probably
generating lots of data on supply-chain risk, but you're not feeding
your security program a data diet it can use to improve the situation.

Item 6: Feed the work queue with risk-driven alerts.
Alerts sent to the security team's work queue should be based on risks
and threats that the organization is looking to mitigate. That is the
only way that an organization can ensure that the queue is filled with
alerts relevant to the risk it is looking to mitigate. The downside of
not doing so: your organization will consume a data diet bloated with
irrelevant noise.

Item 7: Shrink the rack.
Once upon a time, organizations required numerous highly specialized
data sources to provide them visibility into their threat landscape.
Over time, the volume and variety of those data sources increased
dramatically in tandem with network bandwidth and network topology
complexity. At the same time, advances in technology have allowed for
the requisite visibility to be provided by fewer data sources. This is
a great way for organizations to ensure that they get maximum value
with minimum noise from their data diet.

Item 8: Move up the stack.
Many organizations feed a steady stream of Layer 3 or Layer 4 data to
their security teams. But what does this data, with its limited
context, really tell us about modern attacks? Unfortunately, not much.
Attackers have moved up the stack to Layer 7 of the OSI model. It's
time that organizations do the same.

Item 9: Focus on data value.
There is an overwhelming tendency for organizations to focus on the
volume of data they collect. For example, you'll hear organizations
say things like "we collect 4 billion event logs per day." But what
does that tell us about the relevance of the data to incident
response? Not a whole lot. Focusing on the value and relevance of data
to security operations is a much more reliable way to ensure that we
are feeding our security programs the appropriate data diet.

Item 10: Ask better questions.
In security, asking the right question is often more important than
getting the right answer. Asking the right question (or questions!)
allows us to tailor the queries we run, the intelligence we seek, and
the data we collect.

