
Are you tired of vendors with point solutions telling you that, if you had only had their application installed, they would have saved you from last week’s WannaCry ransomware attack?

Do you need yet another system pushing volumes of data to another pane of glass? Are you confident that your existing investments in defenses are performing at their best? How do you know when unexpected control coverage changes occur? 

In the aftermath of WannaCry and its variants, our inboxes have been flooded by the thinly-veiled “Buy me, and you’ll be safe!” promises of vendors. This is a logical fallacy. After all, every vendor that came before made the same claim. 

Simply put, solving problems that lie in the past will remain out of reach until time travel finally becomes an available tool for security operators. 

The Path to Security Entropy

In times of darkness, as this latest attack proved to be for many organizations, it is tempting to seek a beacon of light, and security vendors are experts at holding up a light in the darkness, attempting to attract the maximum attention. 

But why are all of the other lights that were held up before suddenly so dim? Didn’t these solutions promise to keep you out of the dark? When you first implemented them, weren’t they doing what they were supposed to? They probably were. But as you implemented more and more of them, it became increasingly difficult to understand what each solution was contributing to the overall security of your organization.


As the volume and variety of security telemetry multiply, the time allotted to maintaining the effectiveness of each solution shrinks. And, like any highly ordered system left without structured, perpetual maintenance, it gradually declines into disorder – one might call this natural “security entropy.”

Before reaching for the next new technology, you owe it to yourself and your organization to have a firm understanding about the performance of your existing investments. 

We already know you cannot dedicate the equivalent time that was required to implement each solution again; there are likely too many to handle, and there is not enough time or budget to bring in vendor or third party resources.

Business Intelligence for Security Operations

In 2015, Gartner described what was missing as “security operations, analytics and reporting” (SOAR) – a system that would analytically combine and rationalize cross-vendor security controls and enable security operations to “automate and prioritize security operational activities and report data to inform better business decision-making.” 

In government circles, the same capability is often referred to as Continuous Diagnostics and Mitigation (CDM). Regardless of what you call it, the capability is business intelligence (BI) for security operations. 

In security, we are frequently focused on picking important events out of an ever-growing number of mundane ones. With the rapid expansion of IT systems and data, the amount of mundane data we must sift through just to decide what is important is unwieldy, if not outright unmanageable. Therefore, before we can elevate the important from the mundane, we need to reduce the latter significantly. 

As with BI in other industries such as supply chain or retail, BI in security operations (SecOps) enables operators to cut through the noise, create business or mission-relevant key metrics, and automate diagnostic paths and remediation through analytics and integration.

In implementing our SecOps BI solution (GreySpark) for clients, we have found that 80 percent or more of the events generated across an enterprise’s security infrastructure are of the mundane variety. These events, although generated by security sensors, are seldom of direct security concern.


For example, a misconfigured message-length setting on a router might generate hundreds of thousands of syslog events. A missing patch or upgrade on another sensor will do the same. A simple DNS misconfiguration will cause security systems to generate a flood of nonsensical telemetry that drowns out anything important.

Using GreySpark, it only takes minutes to identify these situations and schedule them for remediation. Once most mundane events are eliminated at the source – instead of being suppressed or tuned out – the remaining stream of security-relevant events becomes manageable. Furthermore, with the noise eliminated, you can drive prioritization with meaningful cross-vendor solution metrics. 
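The noise-attribution step described above, as an added illustration that is not GreySpark’s code or any code from the original post: collapse each syslog line to a (host, message template) key so that repeats of one condition count as one source, flag any source that alone accounts for more than a set share of all events, and look at what is left. The sample lines are constructed for the example; the 5 percent share threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample syslog-style lines (not from the original post): a router
# complaining about message length, an IDS sensor missing an update, a firewall
# with a broken DNS resolver, and four events that actually merit attention.
SAMPLE_EVENTS = (
    ["<188>router1 %SYS-3-MSGLEN: message length 1520 exceeds limit"] * 600
    + ["<30>ids2 signature database outdated, update required"] * 250
    + [f"<27>fw3 dns: resolver 10.0.0.53 unreachable, lookup host-{i} failed"
       for i in range(120)]
    + [
        "<28>ids2 ET EXPLOIT SMB transaction overflow from 203.0.113.7",
        "<28>av4 malware quarantined on ws-017",
        "<28>fw3 outbound connection to 198.51.100.9 blocked by policy",
        "<28>ids2 suspicious lateral SMB session ws-017 -> ws-022",
    ]
)

SYSLOG_RE = re.compile(r"^<\d+>(\S+)\s+(.*)$")   # <PRI>host message
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def template(line):
    """Reduce a raw line to (host, message template): IPs and numbers are
    masked so every repeat of one underlying condition shares a key."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, msg = m.groups()
    msg = IPV4_RE.sub("<ip>", msg)
    msg = re.sub(r"\d+", "#", msg)
    return host, msg

def attribute_noise(events, share=0.05):
    """Count events per (host, template). A source producing more than
    `share` of all events on its own is a candidate for fixing at the
    source. Returns (noise sources by volume, events from other sources)."""
    keyed = [(template(e), e) for e in events]
    counts = Counter(k for k, _ in keyed if k)
    threshold = share * len(events)
    noisy = {k for k, n in counts.items() if n > threshold}
    noise = sorted(((k[0], k[1], counts[k]) for k in noisy), key=lambda t: -t[2])
    remaining = [e for k, e in keyed if k not in noisy]
    return noise, remaining

if __name__ == "__main__":
    noise, remaining = attribute_noise(SAMPLE_EVENTS)
    for host, tmpl, n in noise:
        print(f"{n:6d}  {host:8s} {tmpl}")
    print(f"{len(remaining)} of {len(SAMPLE_EVENTS)} events remain once noise sources are removed")
```

On the constructed sample, three misconfigured sources account for 970 of 974 events, leaving four that warrant an analyst’s attention; each flagged source is a remediation ticket rather than a suppression rule.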

Why Are We Talking About WannaCry?

So, why am I discussing this in consideration of WannaCry and its variants? Because we are not yet another vendor promising to solve yesterday’s problems today, and we are not pretending to definitively know the future, either. 

However, we do know that you will not be able to optimize and prioritize your security investments if you cannot cut through the noise to make sense of security telemetry. 

With WannaCry, as with most impactful cyber attacks, after-the-fact investigations show that all the signs were present leading up to it. You might imagine how scans had been showing CVE-2017-0143 (one of many) as a vulnerability for months, while patch management systems had the critical MS17-010 patch at the ready, but it was not deployed.

If we knew about it, and a patch was available, there seems to be no excuse. WannaCry should have been wanting for targets – maybe not among individuals, but certainly in larger organizations practiced in maintaining mission-critical systems and sensitive information.

Unfortunately, the symbolic “warning light” on the security dashboard was only one of thousands – culled out of millions of mixed mundane/important events – all vying for the attention of SecOps. When the Shadow Brokers hacker group leaked the Windows SMB exploit, it became “just one more thing” that went under in the din of warnings and alerts.

Regaining Confidence in Cyber Defenses

The Shadow Brokers hackers have promised to establish a “wine of the month club” of zero-day exploits. Meanwhile, SecOps teams across the globe are busy patching, configuring, enhancing and retrofitting controls and sensors to prevent the last attack.

But what about the next one? 

We think we might be better prepared, because we will pay more attention to the warning signs. The reality, however, is there will again be many signs, and discerning the mundane from the important will be as difficult as it was with WannaCry.

Every day, security operators go through the motions of identifying and blocking threats, responding to industry alerts and working off the never-ending list of vulnerabilities. Tracking and measuring these activities is important, but it is not sufficient. Understanding SecOps performance requires metrics that go beyond activities and completion schedules and provide an effective feedback loop using key risk, performance and control indicators.

Due to the variety and veracity of security data, these metrics cannot be calculated directly from disparate sensor sources. Rather, a common set of core metrics must first be derived as a normalized metadata layer, so that values from different sources become mathematically comparable. Only then can fact-based, consistent key indicators be used to monitor performance in SecOps – and this is another core benefit that BI for SecOps provides.

While we are busy closing obvious chinks in our security armor, we need to be leveraging BI for SecOps analytics to regain confidence in the overall security posture our investments in security provide. Using BI will reduce the volume of events to consider while normalizing the variety of data sources into manageable metrics and diagnostics.

Exceedingly well-resourced SecOps organizations will be able to use commercial and open-source analytics tools to normalize, categorize and quantify security telemetry into metadata suitable for this kind of analysis. For most organizations, however, these capabilities are beyond reach.

For them, we offer GreySpark – a BI analytics system purpose built for security operations.

About FourV Systems
FourV is dedicated to improving the operational performance of IT security programs by empowering leadership to make decisions instead of spending time analyzing data.