Why enterprises need a complete data strategy [Q&A]

Thanks to eCommerce, IoT devices, social media and more, organizations are collecting larger volumes of data than ever before. But often this is on the basis that they collect everything and work out what to do with it later. An approach that opens them up to risk that data can be misused.

We spoke to open detection and response firm Corelight's CISO Bernard Brantley, who believes organizations can implement a complete data strategy, allowing them to work backward from risk to raw logs and create a supply chain that generates information critical to risk reduction activities.

BN: How do organizations need to go about re-evaluating their data strategy?

BB: There are five steps critical to developing a complete data strategy that allows an organization to generate information critical to risk reduction activities:

1. Gather relevant data -- Leverage risk assessment activities like threat modeling to determine which log types and attributes provide your team the most value. Try starting with a use case so you can maximize the information from already collected logs before onboarding lower value logs.
2.  Do the work up front -- Forget the inefficient ad-hoc queries and instead categorize and classify activities within logs. Supporting analytic workflows, defenders can build dashboard-like views of relevant activities, spot short-term and long-term trends, and identify blind spots in coverage.
3. Listen to stakeholders -- If the business is unable to translate security outputs into action, there is no value. Incorporating business logic into the way security teams craft outputs can provide additional analytic value through the logs they collect.
4. Consistently re-evaluate -- The ability to learn, unlearn and relearn is essential to gathering additional context through the collection of additional log types or the fusion of previously disparate data.
5. Unrestricted additions -- Adding additional log types, transformation processes, or generating new outputs should be unlimited. Your data strategy and supply chain architecture must allow for friction-free and timely implementation so teams can develop new use cases.

BN: Is a security information and event management (SIEM) platform enough?

BB: As threat hunting teams move towards resilience and data-driven security, they need data providing visibility to everything that is happening in the network, not only event data like alerts. More data means more volume, stretching the SIEM to its limit. Hence why a growing number of defenders are actually using two SIEM platforms, the goal being faster search and a path to custom analytics at a reasonable cost.

That being said, having two is not necessarily ideal. Large institutions can afford it and have the people power, but it's still cost prohibitive for 95 percent of other organizations who don’t have a dedicated team or the ability to deploy and maintain a security data lake.

Organizations often implement a data collection strategy out of fear of missing something. I challenge the assumption that we must collect everything and determine its usage at the point of incident.

BN: How can a refined data strategy influence an organization’s risk assessment activities?

BB: When teams put parameters on what to look for, what to store for ongoing and future analysis and ensure its an iterative process, they're no longer needing to boil the ocean to obtain the outcomes they need. The long-term benefactor here the risk assessment, which can then be conducted in a time efficient, highly collaborative and communicative manner enabling teams to understand and get to the truth sooner.

BN: What is the value of evidence in a complete data strategy?

BB: Security teams need facts to build a case for innocence or guilt. They value evidence, but that doesn’t mean they’re executing an evidence-based strategy. It is imperative that we view our evidence as raw materials in the intelligence supply chain and seek opportunities to extract maximum value. This can buy teams time through proactive structural change and help avoid unnecessary impact from adversaries.

Defenders can use evidence proactively to identify and protect structural risks within their zone of control. Evidence can also be used reactively by supporting detection (re)engineering, response, and recovery activities. It is impossible to avoid a security event, but which side we spend most of our cycles on is dependent on our overall data strategy and how we nurture our evidence.

BN: Looking ahead, what are the two biggest risks facing organizations' security teams in the new year if they don’t tweak their data strategy?

BB: There is really a single risk with two separate levels of impact. Without tweaking their data strategy, defenders will be unable to discover and exploit relationships within the data in a durable way. As a result, opportunities to collaborate within or across teams to further develop an inclusive security program will remain a blindspot. The data that we hold today contains more than context for event-event level data. Each data source represents the sum of operations for a given team toward an outcome. The contextual ties across data sources represent known and unknown interactions between those teams; engagement points that can lead to more efficient and complete operations.

It will also be difficult to leverage automation around detection and incident response workflows that aids explainability; the stories that we're able to tell about our data. Strong narratives are the primary tool in converting domain specific (security, business, etc.) information into institutional knowledge. Without them we will continue to miss opportunities to affect culture-impacting change and security teams will struggle to socialize their true value beyond the security organization.

Image credit: ml12nan/depositphotos.com