
It’s not about collecting everything. It’s about collecting what you need and having the right people, process and technology to help improve cybersecurity outcomes.

In recent years, organizations of all sizes have been collecting increasing volumes of traffic and application telemetry data from different devices, logs and services. Much of it is leveraged to inform operational and strategic decisions. However, this same data also has the potential to significantly strengthen an organization’s security posture—but only if it’s processed and used effectively.

To strengthen cybersecurity, there is plenty of data that organizations can and do collect to understand what’s happening inside their environments. It comes from log files, system events, network traffic, applications, threat detection systems, intelligence feeds and myriad other sources. However, the sheer volume of this data can pose a significant challenge as organizations look to extract value from what they’re gathering to inform security policy, threat detection and risk mitigation.

If your systems can’t process the data you collect, they won’t be able to make sense out of it and correlate what’s going on. In that case, you’re really just sitting on some dead logs. Adding to this challenge is the fact that collected data is often siloed in ways that can keep a security professional from connecting the dots to identify potential issues. Analysts should not have to look at 25 different screens trying to make manual connections, which takes additional time and effort that distracts from the primary goal of actually identifying threats.

As an industry, cybersecurity has created a world with so many different point solutions that organizations have effectively been forced to become plumbers, connecting all of these solutions together. I think it’s time that we start to think about how we find a way that’s more automated and integrated, because a lot of the tools that people are using were never designed to interoperate and work together.

Extracting Greater Value from Data with Automation and Playbooks

Collecting the right data and extracting the highest value from it is not a single task or operation. Rather it’s a journey that involves multiple components.

Technology. From a technology standpoint, have a look at what you’ve actually got. For starters, are the tools capable of identifying modern threats? If they are not, you have a problem, because you are unlikely to be collecting the logs and telemetry needed to make an informed decision.

Automation also plays a critical role in extracting more value from data. With the volume of data being collected, even if it’s all the right data, individual humans simply cannot keep up. Automation that correlates and enriches simple log data to surface the higher-value incidents, and provides insight into them, is a critical component.

People. Automation ties in directly with the people side of getting the most value out of data. Many organizations have security operations centers (SOCs) staffed with IT professionals working eight-hour rolling shifts, clicking refresh all the time and simply chasing the logs. That’s not really going to help them find anything.

Adding further insult to injury, the first line of defense and analysis for data is typically a level-one analyst, who often burns out within a year from the monotony of sifting through endless logs and deciding what needs to be escalated. Think about the logic: the least experienced and lowest paid person is the one making the call to escalate an incident to a more senior person. It doesn’t make sense, and it’s time to change the model.

When automation is leveraged to handle the deluge of data, becoming the first line of the decision on what needs to be escalated, human talent can focus on the more intricate challenges like threat hunting. The easier a threat hunter’s life—where we can start to link all the disparate data sources to help chase potential risks, rather than just having to sift through alerts and large logs—the better.
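The correlation, enrichment and automated escalation decision described above, as an added example that is not part of the original article. It joins two siloed sources (an authentication log and an egress firewall log) on host, enriches each host with an asset inventory and an indicator list, scores the result and makes the escalate/no-escalate call; all log lines, assets, indicators and the scoring weights are constructed for illustration.

```python
# Added example, not from the article: correlate two siloed log sources,
# enrich with an asset inventory and an indicator list, and make the
# escalation call automatically. All data below is constructed sample data.
from collections import defaultdict

AUTH_LOG = [  # constructed authentication events
    "2024-05-01T10:00:01Z host=ws-17 user=jsmith event=login_failure",
    "2024-05-01T10:00:04Z host=ws-17 user=jsmith event=login_failure",
    "2024-05-01T10:00:09Z host=ws-17 user=jsmith event=login_success",
    "2024-05-01T10:05:00Z host=ws-22 user=alee event=login_success",
]
FIREWALL_LOG = [  # constructed egress firewall events
    "2024-05-01T10:01:30Z host=ws-17 dst=203.0.113.9 action=allow",
    "2024-05-01T10:06:10Z host=ws-22 dst=198.51.100.4 action=allow",
]
ASSETS = {"ws-17": {"critical": True}, "ws-22": {"critical": False}}  # inventory
BAD_IPS = {"203.0.113.9"}  # constructed threat-intel indicator list
ESCALATE_THRESHOLD = 50  # constructed weight; tune to the environment

def parse(line):
    """Turn 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def correlate(auth_log, firewall_log):
    """Join both silos on host, enrich, score, and decide whether to escalate."""
    by_host = defaultdict(lambda: {"failures": 0, "success": False, "bad_dst": []})
    for rec in map(parse, auth_log):
        h = by_host[rec["host"]]
        if rec["event"] == "login_failure":
            h["failures"] += 1
        elif rec["event"] == "login_success":
            h["success"] = True
    for rec in map(parse, firewall_log):
        if rec["dst"] in BAD_IPS:  # enrichment: match egress against indicators
            by_host[rec["host"]]["bad_dst"].append(rec["dst"])
    incidents = []
    for host, h in by_host.items():
        score = 0
        if h["failures"] >= 2 and h["success"]:
            score += 30  # repeated failures followed by a success
        score += 40 * len(h["bad_dst"])  # egress to a known-bad address
        if ASSETS.get(host, {}).get("critical"):
            score += 20  # enrichment: critical asset raises priority
        incidents.append({"host": host, "score": score,
                          "escalate": score >= ESCALATE_THRESHOLD})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

Running `correlate(AUTH_LOG, FIREWALL_LOG)` yields one incident per host, with ws-17 scored 90 and marked for escalation and ws-22 scored 0; only the escalated one reaches a human.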

Process. Finally, process is the key to continuous improvement and to continually optimizing the value extracted from data. We need to go back to the drawing board regularly and keep refining the data and technology that’s already in place. Organizations need to keep creating playbooks to support automation: anything that is a repeatable task should be automated as much as possible.

With all the sources of security data available to the modern enterprise, it can be overwhelming to figure out what to do. By first understanding what security data sources the organization has, streamlining processes with automation and playbooks, and tying things together with technology to create a unified view, it’s possible to dramatically improve security outcomes.