In the 21st century, many of the most renowned stories of business successes and failures boil down to the use of data.
Amazon, Google and Facebook all built their names on data, but even non-digital industries are increasingly data-driven. Sports teams now use data to build their squads, help optimise the performance of their players and devise tactics.
Not every organisation is cut out to be as successful as Liverpool FC or Amazon. Even with access to more data than ever, many businesses quickly find that they cannot leverage it to extract the insight they need to achieve decision advantage.
The same problems also hinder IT teams responsible for information security. With cyber threats evolving continuously, data is crucial for helping businesses detect and respond to malicious activity. Yet many teams struggle to obtain the right data, and to understand and use it effectively.
The importance of telemetry
A failure to analyse the right security data can have serious repercussions for an organisation’s security. Blind spots in threat coverage and visibility could mean that an attacker is able to move undetected through a network and exfiltrate sensitive information. According to the independent research body the Ponemon Institute, the average period of time that attacks go undetected is 206 days. By using data to help detect and respond to attacks earlier, organisations can reduce this time to minutes and significantly reduce the likelihood of breaches resulting in damage and disruption.
Sources of security data include log data from security systems, network devices, endpoints, operating systems and applications. Given the extensive list, it’s perhaps unsurprising that organisations struggle to identify and integrate the most relevant sources.
Avoiding common mistakes
Some IT teams make the mistake of thinking that they can protect their organisation with technology alone, but there’s very little point in investing in systems if they’re not fed the right data and configured correctly to reduce false alarms. Even the latest AI and machine learning technologies are ineffective without data and threat intelligence to help make sense of it.
A better approach is to identify the threats that pose the greatest risks to an organisation and select the tools and telemetry accordingly. Defining use cases is essential in this regard; without them, businesses won’t achieve the desired outcomes and will focus effort and budget in the wrong areas.
At the other end of the spectrum, some organisations make the mistake of trying to draw upon a volume of data that is too large. Because they lack the ability to process, store and manage it, as well as the people to analyse it, they are unable to extract any tangible insight. According to research by Oracle, only one organisation in ten is able to process more than 75% of its security event data.
MITRE’s ATT&CK Matrix is a recommended resource for understanding the telemetry needed to better detect and respond to attacks. ATT&CK can be used to help identify and prioritise the threats that an organisation faces and then uncover the data sources needed to obtain visibility of them. For instance, to detect drive-by compromise attacks – attacks that compromise visitors to malicious websites – an organisation will need to rely on a wide range of data sources. These include data packets and logs from sources such as network devices, web proxies and network intrusion detection systems.
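The prioritisation described above can be made concrete: rank the techniques that matter most, map each to the ATT&CK data sources that give visibility of it, and pick the few sources that cover the most risk within what the team can actually ingest. The script below is an added illustration, not code from the article or from Redscan; its technique-to-source mapping is a constructed, abbreviated sample (the Drive-by Compromise entry uses the sources the article names), and the risk weights stand in for an organisation’s own threat assessment.

```python
from collections import Counter

# Constructed sample mapping: technique -> (risk weight 1-5 from the organisation's own
# threat assessment, data sources that give visibility of it). The Drive-by Compromise
# entry uses the sources the article lists; the rest are illustrative and abbreviated,
# and a real exercise would take them from the current ATT&CK knowledge base.
TECHNIQUES = {
    "T1189 Drive-by Compromise": (5, {"packet capture", "network device logs",
                                      "web proxy logs", "network IDS"}),
    "T1566.001 Spearphishing Attachment": (5, {"email gateway logs",
                                               "endpoint process monitoring",
                                               "file monitoring"}),
    "T1078 Valid Accounts": (4, {"authentication logs", "endpoint process monitoring"}),
    "T1041 Exfiltration Over C2 Channel": (3, {"packet capture", "web proxy logs",
                                               "netflow"}),
}


def uncovered(techniques, chosen):
    """Techniques for which none of the collected sources gives any visibility."""
    have = set(chosen)
    return sorted(name for name, (_, srcs) in techniques.items() if not srcs & have)


def select_sources(techniques, budget):
    """Greedy risk-weighted set cover: each round add the source that brings
    visibility of the highest-weighted still-uncovered techniques, stopping when
    the budget (sources the team can realistically ingest and analyse) is spent
    or every technique is covered."""
    chosen = []
    for _ in range(budget):
        scores = Counter()
        for name in uncovered(techniques, chosen):
            weight, srcs = techniques[name]
            for src in srcs:
                scores[src] += weight
        if not scores:
            break  # everything already covered; extra sources add only cost
        # sorted() makes the tie-break deterministic (alphabetical), not set order.
        chosen.append(max(sorted(scores), key=scores.get))
    return chosen


if __name__ == "__main__":
    for budget in (1, 2):
        picked = select_sources(TECHNIQUES, budget)
        print(f"budget {budget}: collect {picked}; gaps: {uncovered(TECHNIQUES, picked)}")
```

A technique here counts as covered when at least one of its sources is collected, which is a simplification; a detection engineering exercise would also weigh how many sources each use case needs.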
While technology and telemetry play a key role in shaping an effective data strategy, it would be unwise to overlook the importance of the right kind of human expertise. For organisations seeking to unlock the value of their security data, human ingenuity remains as vital as ever. This goes further than just having individuals on board with expertise using the right technologies. Harnessing knowledge of how hackers think, from people who understand them and know what to look for, is also crucial.
Achieving the right balance
For all organisations, attaining the deep insight to truly strengthen security operations begins and ends with becoming smarter around the use of data. The reality is that no organisation can ever hope to capture and analyse every piece of information. Even if they could, the cost would be unthinkable.
The trick to protecting organisations against cyber threats is to prioritise the right telemetry and ensure that the right people, systems and threat intelligence are in place to manage and enrich it. By achieving this careful balance, organisations are more likely to achieve the insight and outcomes they need to level up their cyber security in 2020 and beyond.
By Mark Nicholls, Redscan CTO
About the author
Mark is one of the UK’s most qualified IT security professionals. With extensive experience of delivering cyber assessment services, Mark is responsible for Redscan’s offensive and defensive capabilities.
Redscan is an award-winning provider of managed security services, specialising in threat detection and integrated response.
Possessing a deep knowledge of offensive security, Redscan’s experts are among the most qualified in the industry, working as an extension of clients’ in-house resources to expose and address vulnerabilities plus swiftly identify and shut down breaches. Services offered include accredited Penetration Testing, Red Teaming and Managed Detection & Response.
By understanding how attackers operate, leveraging cutting-edge threat intelligence, and offering highly acclaimed customer service, Redscan’s cyber security professionals can be trusted to provide the insight and support needed to successfully mitigate information security risk and achieve compliance standards.