
Today’s security operations (SecOps) have been elevated from a specialized function performed silently in the depths of organizations to a mission-critical operation talked about widely in the news and heatedly in boardrooms.

With the notoriety SecOps enjoys comes responsibility for practitioners, whose purpose is to ensure the confidentiality, integrity and availability (CIA) of information resources. 

In 1999, Bruce Schneier advocated for application of the common IT people, processes, and technology (PPT) paradigm to information security – in order to push the idea that security could not be successful as a “technology only” operation.

Since then, others (and Mr. Schneier agrees) have advocated again for emphasizing technology over people and process because, “The IT security world has become so complicated that we need less in the way of people and process, and more technology.”

I think, and many others agree (see below), that PPT requires a new letter: A, for analytics. Specifically, big data and machine learning analytics.

Today’s SecOps technology produces security telemetry (Syslog, SMTP, other) that satisfies the “Four V’s of Big Data” – volume, variety, velocity and veracity – and it therefore needs big data analytics that can reduce and rationalize security data across all security vendor platforms into business operations and compliance contexts.

How Did We Get Here?

At first there was the computer, and we started putting our sensitive data and processes there. Security on these was no different than it was before the computer. We simply took the floppies and locked them up – same as we used to do with documents or pictures. 

Sure, there were a few worms that distributed via floppies, but they were mostly pranks and the extent was manageable. 


Then we started linking those computers together – initially via modems and early versions of chat rooms. Eventually we went “total network” via the internet, which then led to mobile, cloud and all the other forms of computing that, today, represent the interconnected mainstay of business operations. 

When businesses and individuals “went digital,” the stage was set for the massive escalation of criminal activities perpetrated at a distance, and that has brought us to the current arms race between cyber criminals and defenders. 

It Is Where the Money Is! 

With the rapid proliferation of interconnected technologies and platforms comes what some have described as the “Cambrian Explosion” of data. This refers to the relatively brief span within the Cambrian period during which the lineages of almost all animals living on earth today evolved.

This has led some analysts to conclude that, today, the world’s most valuable resource is data (formerly it was, unsurprisingly, oil). And this is a resource which, rather than deriving value from scarcity, derives value from its abundance.

Cyber crime – like most forms of crime – follows the money.

Awash in a Sea of Data

These volumes of data are swelling our attack surface areas and straining the cyber defensive systems that must continuously comb them for threats. As technology inspects the traffic, it generates its own data streams, which grow with the volume of data inspected, the number of technologies deployed and the amount of threat activity encountered. 

Since none of these factors is expected to retreat in the near future, security practitioners find themselves awash in a sea of data – data that is generated by dozens of security systems, all continuously pushing these streams to panes of glass for humans to consume. Add to this an acute shortage of cyber security talent, and it is clear that the current model is failing.

Incidentally, what will happen when the data volume grows by an order of magnitude with the proliferation of interconnected machines, such as the internet of things (IoT)? There are estimates that the amount of data produced will double every two years (today, we are at 2.5 exabytes/day), and that this growth will be primarily driven by machine-generated data.

In other industries, when data volume and complexity overwhelmed users’ ability to comprehend it at the speed required for business operations, business intelligence (BI) analytics tools were brought to bear. Supply chain, retail and marketing analytics are prime examples, where entire industries were born around analytics and data management specific to these use cases.

When the tyranny of the urgent blinds us to what is important, it is clearly cyber security’s turn for a BI solution.

People, Processes, Technology and Analytics (PPTA)

People, processes and technology (PPT) are three words that comprise the standard categories of cyber security operations. 

Unfortunately, with the volumes and complexity of data we are experiencing, we have lost the ability to fully understand the performance of our security operations. This is particularly true in the technology area, where each additional system creates yet more data and makes it nearly impossible to understand the implications of each system on all the others that came before it – never mind our inability to continuously maintain and manage an ever-growing stack of security technology.

Fortunately, through the development of big data analytics, machines are getting good at really big and complex data flows. 

Born out of these capabilities and the urgent need described above is what Gartner calls security operations analysis and reporting (SOAR). SOAR is BI for SecOps. Forrester includes these capabilities in continuous diagnostics and monitoring (CDM), while NIST has taken it a step further, defining CDM as continuous diagnostics and mitigation.

I believe it is time to add an A – PPTA – to the way we understand, measure, monitor and optimize security operations. Frankly, the evidence is in: there is no other option.

GreySpark: Business Intelligence for SecOps

FourV has been building SOAR systems since long before SOAR was a term. GreySpark is a SecOps BI platform that helps organizations:

- Continuously measure risk and performance indicators
- Investigate events using analytics-guided diagnostics
- Visualize controls coverage and effectiveness
- Benchmark and compare security performance
- Automate risk and controls reporting
- Prioritize and optimize security operations

GreySpark requires only the data that existing security technologies are already producing. It deploys in days or weeks – never months or years – and immediately reduces and rationalizes security data across all security vendor platforms into business operations and compliance contexts.

Final Thought

There is no magic to building SOAR systems. However, using a big data analytics platform – like GreySpark – empowers you to create a data lake of security telemetry; select, normalize, categorize and quantify appropriate portions of the data into metrics metadata; machine-learn patterns; generate metrics; create a UI and build reports; and wrap DevOps around all of this to ensure the consistency, scalability and availability of the SOAR system.
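The normalize, categorize and quantify steps above, shown as an added illustration that is not GreySpark or FourV code. The two vendor log formats, the control categories and the severity weights are constructed for the example; real telemetry would need one parser per product, and the unparsed count exists because a line your parsers cannot read is a coverage gap that must be measured rather than silently dropped.

```python
import re
from collections import defaultdict

# Constructed sample telemetry from two hypothetical products ("vendorA" firewall,
# "vendorB" IDS) plus one line no parser understands. None of these are real formats.
SAMPLE_LOGS = [
    "<134>Jan 10 10:00:01 fw1 vendorA: action=DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=445",
    "<134>Jan 10 10:00:02 fw1 vendorA: action=ALLOW src=10.0.0.7 dst=198.51.100.3 proto=tcp dport=443",
    '<133>Jan 10 10:00:03 ids1 vendorB[221]: ALERT sig="SMB probe" severity=3 from 10.0.0.5',
    '<133>Jan 10 10:00:04 ids1 vendorB[221]: INFO sig="heartbeat" severity=0 from 10.0.0.9',
    "<134>Jan 10 10:00:05 fw1 vendorA: action=DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=139",
    "<13>Jan 10 10:00:06 app1 legacyapp: something happened",
]

VENDOR_A = re.compile(r"vendorA: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)")
VENDOR_B = re.compile(r'vendorB\[\d+\]: (?P<level>\w+) sig="(?P<sig>[^"]+)" severity=(?P<sev>\d+) from (?P<src>\S+)')


def normalize(line):
    """Map one raw line onto a common schema: control category, outcome, source host, severity."""
    m = VENDOR_A.search(line)
    if m:
        blocked = m.group("action") == "DENY"
        return {"control": "network_firewall", "outcome": "blocked" if blocked else "allowed",
                "src": m.group("src"), "severity": 2 if blocked else 0}
    m = VENDOR_B.search(line)
    if m:
        sev = int(m.group("sev"))
        return {"control": "intrusion_detection", "outcome": "alert" if sev > 0 else "info",
                "src": m.group("src"), "severity": sev}
    return None  # unknown format: the caller counts it as a coverage gap


def build_metrics(lines):
    """Quantify normalized events into per-control indicators, a per-source roll-up and parser coverage."""
    per_control = defaultdict(lambda: {"events": 0, "actionable": 0})
    per_src = defaultdict(int)
    unparsed = 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
            continue
        c = per_control[ev["control"]]
        c["events"] += 1
        if ev["severity"] > 0:          # only non-zero severity counts toward the indicator
            c["actionable"] += 1
            per_src[ev["src"]] += ev["severity"]
    top = max(per_src, key=per_src.get) if per_src else None
    return {"controls": dict(per_control), "top_source": top, "unparsed": unparsed,
            "coverage": 1 - unparsed / len(lines) if lines else 0.0}
```

On the sample above, the firewall control reports 3 events of which 2 are actionable, the IDS 2 of which 1, the busiest source is 10.0.0.5, and coverage is 5/6 because the legacyapp line matched no parser.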


About FourV Systems
FourV is dedicated to improving the operational performance of IT security programs by empowering leadership to make decisions instead of spending time analyzing data.