
Altering Data Into Evidence May Elevate SecOps Success

We are a generation that lives in a data-driven world. Data drives every critical decision-making process in a diversity of fields, from healthcare and financial services to retail. But is this data well protected in terms of cybersecurity?

When dealing with alert overload, security operations (SecOps) require something more crucial than just the raw data. In reality, it is evidence, a contextual understanding of what the given data implies, that is required in order to strengthen defenders' detection and response capabilities.

From Data to Evidence

Data is the precursor of evidence: it is acquired from a collection of networks, endpoints, on-premises and cloud infrastructure, applications, and even individuals.

It is easy to see how such massive amounts of data can rapidly become overwhelming. Where should this data be stored? How long must it be retained? How do you correlate it in order to comprehend it? Moreover, how can it be used as evidence to firmly establish what happened and when?

While evidence begins with the data, it extends and advances through contextual enrichment and correlation. Here, adding context to data means combining it with relevant asset data from Configuration Management Databases (CMDBs) and with information such as CVEs, GeoIP lookups, block/allow-lists, etc.

The goal of correlation is to link related events into a particular sequence. When assessing whether an event should be labelled as an incident, intrusion, or breach, organisations need this evidence, with its context and correlation. It will significantly affect how the information is disseminated and to which relevant stakeholders.

Streamlining Security Operations

One of the challenges confronting SecOps teams is that they frequently struggle to gather sufficient proof to inform and prioritize their detection and response operations. This is critical, for an average Security Operations Center (SOC) team has to monitor at least 51 incidents on a regular basis. According to recent research, almost half of these teams (46%) believe they are "inundated by a never-ending torrent of cyber-attacks."

For a better understanding, take a typical SIEM tool as an instance. The tool, in its simplest form, acquires data from varying sources and sends cautionary alerts of potential security threats and vulnerabilities. Network data is a crucial source of evidence, since gathering and monitoring it passively is not detectable by threat actors.

However, collecting and monitoring isolated data sets pertaining to protocols (HTTP or DNS, for instance), the timing of network sessions (human keystrokes over SSH), or encrypted traffic metadata (SSL, RDP, SSH, etc.) is not enough, since this would only load the SecOps team with alerts.

Data instead should be segregated, analyzed, contextualized, and correlated in order to effectively enhance a defender's capabilities. Moreover, with the help of machine learning analytics in an intuitive search platform, comprehensive network evidence of this kind can further enhance and accelerate SecOps operations. In addition to lessening the time for search and response, it enables human analysts to prioritize actionable alerts and creates a pool of raw data that can be analyzed to ascertain what happened and how.
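To make the enrichment-and-correlation step described above concrete (the CMDB and block-list context from the earlier section, and the turning of isolated SIEM alerts into a prioritized sequence here), the following is an added example that is not part of the original post; the CMDB table, block-list, alert format and signature names are all constructed assumptions rather than any product's real data.

```python
"""Enrich raw SIEM-style alerts with asset and reputation context, then
correlate them by source into a time-ordered evidence chain and label it.
All data below is constructed for illustration (assumption, not real)."""
from collections import defaultdict

# Constructed asset inventory, standing in for a CMDB lookup.
CMDB = {
    "10.0.5.20": {"host": "db-prod-01", "criticality": "high"},
    "10.0.9.7": {"host": "kiosk-lobby", "criticality": "low"},
}
# Constructed block-list, standing in for a threat-intel feed.
BLOCKLIST = {"203.0.113.45"}

# Constructed raw alerts, one per line, as a SIEM might emit them.
RAW_ALERTS = [
    {"ts": "2024-03-01T10:00:05", "src": "203.0.113.45", "dst": "10.0.5.20", "sig": "bruteforce"},
    {"ts": "2024-03-01T10:02:11", "src": "203.0.113.45", "dst": "10.0.5.20", "sig": "login_success"},
    {"ts": "2024-03-01T10:03:40", "src": "203.0.113.45", "dst": "10.0.5.20", "sig": "long_txt_query"},
    {"ts": "2024-03-01T11:15:00", "src": "198.51.100.9", "dst": "10.0.9.7", "sig": "scanner_ua"},
]

def enrich(alert):
    """Attach asset context (CMDB) and source reputation (block-list)."""
    asset = CMDB.get(alert["dst"], {"host": "unknown", "criticality": "unknown"})
    return {**alert, "asset": asset, "src_blocked": alert["src"] in BLOCKLIST}

def correlate(alerts):
    """Group enriched alerts by source address and order each group by time."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["src"]].append(a)
    return {src: sorted(v, key=lambda a: a["ts"]) for src, v in groups.items()}

def classify(chain):
    """Label a chain 'incident' when the sequence shows progression past
    initial access (bruteforce then login_success) on a high-criticality
    asset, or a block-listed source touching such an asset; else 'event'."""
    sigs = [a["sig"] for a in chain]
    critical = any(a["asset"]["criticality"] == "high" for a in chain)
    blocked = any(a["src_blocked"] for a in chain)
    progressed = ("bruteforce" in sigs and "login_success" in sigs
                  and sigs.index("bruteforce") < sigs.index("login_success"))
    return "incident" if critical and (blocked or progressed) else "event"

def build_evidence(raw):
    """Turn a flat list of raw alerts into labelled, sequenced evidence."""
    chains = correlate(enrich(a) for a in raw)
    return {src: {"label": classify(c), "sequence": [a["sig"] for a in c]}
            for src, c in chains.items()}

if __name__ == "__main__":
    for src, ev in build_evidence(RAW_ALERTS).items():
        print(src, ev["label"], " -> ".join(ev["sequence"]))
```

The single-source chain against the production database is the one an analyst should see first; the lone scanner hit on the low-criticality kiosk stays an event.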

Evidence thus powers detection. Not only will this aid security in an organization, but it will also support better-informed post-incident decision-making and notification. The reputational and financial ramifications of this alone make it a strategy worth pursuing in an environment where regulations are becoming more rigorous.