Is it time to rethink data centralization to aid cybersecurity investigations? [Q&A]
Security Information and Events Management (SIEM) has become the keystone of many organizations' security strategies in recent years.
But is it effective? And in the era of greater cloud and SaaS use, is the time right for the concept of SIEM to undergo a radical rethink? Andrew Maloney, COO and co-founder at security investigation specialist Query.AI thinks it is. We spoke to him to learn more.
BN: Enterprises have spent years of effort and millions of dollars to centralize data to effectively respond to cybersecurity incidents. Your view is we need to rethink that. Why is that?
AM: For more than 20 years, companies across the cybersecurity industry have tried to create a universal centralized repository for enterprises to put all their data in one place. The idea was to streamline security investigation and response. That approach was conceptually sound initially when data volumes were small and data sources were primarily from network devices, but then data began to explode. Today, the data volumes are enormous, and data is also highly distributed. It seems every organization we talk to has adopted not one cloud technology but a combination of AWS, Azure and GCP cloud infrastructure technologies. In addition, the rise in adoption of SaaS applications is leading to the replacement of traditionally on-premises technologies like endpoint (EDR), identity, threat intelligence, vulnerability information… And the list goes on.
Data doesn't live in one place anymore. It lives in the cloud, with third-party providers, and on-premises. It is extremely difficult, costly, and inefficient to send that data in and out of these environments. As such, the antiquated universal data centralization approach has become impossible. Holding on to this ideology prevents organizations from quickly accessing, investigating, and responding to threats across their ecosystems. It creates some serious inefficiencies in cybersecurity investigations, which is giving adversaries more time to dwell in any given environment and more time to move laterally to aggregate and exfiltrate data.
BN: Can you elaborate on that investigation inefficiency and how enterprises can address it?
AM: Absolutely. One of our customers is a global law firm with more than 7,000 employees in 45 countries, and a large security operations infrastructure to manage. The team had to use 20 different syntaxes to look at 20 different systems, and that was supported by manual analysis. It could take them up to an hour to answer an inquiry as simple as, 'what other system has been to this domain?'
The firm initially adopted a SOAR platform to improve the incident response process, but this exacerbated the problem. It required a significant amount of time to manage the API integrations. Building each playbook was a dedicated software engineering effort that required an understanding of what data its analysts would need, which didn’t work since each investigation is dynamic.
To address this multifaceted challenge, this law firm implemented a control plane that overlays all of its data silos to access and analyze data in real-time directly where it lives. This enabled the firm to gain centralized access to decentralized data and gave it one unified browser interface for handling triage and investigations across security tools. With a single question, the team now gets a collective answer for all of the relevant systems, which is reducing analyst burnout associated with chasing low-fidelity alerts and amplifying their potential.
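The "one question, collective answer" control plane described above, as an added example that is not Query.AI's or the firm's code: three constructed silos with different field names and query syntaxes (a proxy, a DNS resolver and an EDR agent, all hypothetical) and one question, "which assets contacted this domain?", fanned out to each and merged.

```python
from dataclasses import dataclass

# Constructed sample records standing in for three silos, each with its own schema.
PROXY_LOGS = [  # web proxy: 'src_ip' / 'dest_host'
    {"src_ip": "10.1.1.5", "dest_host": "evil.example", "ts": "2021-10-01T09:00:00Z"},
    {"src_ip": "10.1.1.9", "dest_host": "good.example", "ts": "2021-10-01T09:01:00Z"},
]
DNS_LOGS = [  # resolver: 'client' / 'qname' (note the trailing dot)
    {"client": "10.1.1.7", "qname": "evil.example.", "ts": "2021-10-01T09:02:00Z"},
    {"client": "10.1.1.5", "qname": "evil.example.", "ts": "2021-10-01T08:59:00Z"},
]
EDR_EVENTS = [  # endpoint agent: 'hostname' / 'remote_domain' (upper-cased)
    {"hostname": "LAPTOP-22", "remote_domain": "EVIL.EXAMPLE", "ts": "2021-10-01T09:03:00Z"},
]

def canon_domain(name: str) -> str:
    """Normalise the domain spellings that differ between silos."""
    return name.strip().rstrip(".").lower()

@dataclass
class Source:
    name: str
    records: list        # stands in for a live query endpoint; data stays in place
    asset_field: str     # which field identifies the asset in this schema
    domain_field: str    # which field holds the contacted domain
    syntax: str          # the native query syntax this tool expects (hypothetical)

    def native_query(self, domain: str) -> str:
        return self.syntax.format(domain=canon_domain(domain))

    def hits(self, domain: str) -> list:
        wanted = canon_domain(domain)
        return [(self.name, r[self.asset_field], r["ts"]) for r in self.records
                if canon_domain(r[self.domain_field]) == wanted]

SOURCES = [
    Source("proxy", PROXY_LOGS, "src_ip", "dest_host", 'dest_host="{domain}"'),
    Source("dns", DNS_LOGS, "client", "qname", "qname:{domain}."),
    Source("edr", EDR_EVENTS, "hostname", "remote_domain", "remote_domain == '{domain}'"),
]

def who_contacted(domain: str, sources=SOURCES):
    """One question fanned out to every silo; returns the merged hits sorted by
    time plus the per-tool query an analyst would otherwise have typed by hand."""
    hits, queries = [], {}
    for s in sources:
        queries[s.name] = s.native_query(domain)
        hits.extend(s.hits(domain))
    return sorted(hits, key=lambda h: h[2]), queries
```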
BN: What else needs to change?
AM: Collectively, we need to make security analysts' jobs easier. As the example I described above illustrates, tool bloat has ironically added more manual burden to SOC teams. The skills gap and talent shortage are hard enough for CISOs to manage, so they need to focus on what they can control.
One of the biggest challenges for security team members is learning the ins and outs of every solution in the organization’s security stack, each of which requires its own search syntax for conducting triage and even the most basic investigation. In addition, team members have to pivot between these technologies to manually connect the dots on alerts and conduct investigations. These requirements make it difficult and expensive to find the right talent, time-consuming to train junior resources only to have them leave when they develop more advanced skills, and exhausting for security analysts to do their jobs. Enabling staff to analyze their security data in a language, location and platform-neutral way from one place really changes how companies can tackle the skills shortage. It dramatically increases analyst productivity and effectiveness, and reduces burnout and turnover by providing analysts with better work environments.
BN: How has the 'COVID effect' of more people working from home impacted security teams?
AM: In my conversations with CISOs during the earliest days of the pandemic, they didn't seem concerned about not having the right capabilities to secure the shift to remote work. They were more concerned about not being able to purchase and deploy corporate assets with the proper controls in place. This brought about a resurgence in BYOD security issues and accelerated the shift toward zero trust models to ensure employee devices could access networks and applications with the least number of privileges necessary.
Fast forward to now. With most companies shifting to hybrid work models, they are more fluidly moving between home and office networks and working on different types of devices. This further dissolves the security perimeter, making it important to double down on zero trust and invest in technologies like SASE and security asset management. In addition, the hybrid workplace changes the threat landscape with more concern for ransomware and phishing attacks, which requires accelerated investigation and incident response.
BN: How important is it to stay one step ahead of the bad guys?
AM: The major cyberattacks of the past year demonstrate that adversaries arguably have the upper hand. Having said that, what is important here is to be prepared, and the first step is understanding your environment. This means auditing every function of the company to clearly understand the ‘crown jewel’ data most important to the business. Rigorous analysis of the business will uncover potential gaps and blind spots in the security architecture that need to be addressed. From there, security leaders need to work with the executive team and the board to determine what keeps the company’s leadership up at night to help prioritize their efforts based on overall risk tolerance.
Companies need to have a well-established and well-practiced incident response plan for if and when they are attacked. The 1-10-60 rule applies here -- one minute to detect an attack, 10 minutes to investigate it and 60 minutes to remediate it. Unfortunately, the time it takes to investigate across expanding environments makes this rule hard to meet. With everything so decentralized, security teams need to be in a position to ask and quickly get answers to the right questions to contain the threat. They need to be able to gain real-time access and centralized insights without having to send data in and out of cloud, SaaS, and on-premises environments. These capabilities are here today, and companies now need to choose whether to keep doing things the way we've always done them or to accelerate investigations and efficiently respond to threats.