There’s an old expression: When you’re a hammer, everything looks like a nail.
Therefore, is it right for a security company such as Devo to consider all data to be security data? Let’s examine that concept.
Recently I participated in a panel discussion at the GDS Security Insight Summit Europe with my colleague Dean Robertson who heads solution engineering for Devo in EMEA. The audience — approaching 50 CISOs from across the region — was asked whether they agreed or disagreed with this question:
A little more than one-third of the audience agreed with the question, a slightly larger number disagreed, and a small percentage said they didn’t know.
What does “security data” really mean?
Many of those in the audience (and many of you reading this blog post) may feel this was a trick question or it was too vague for you to provide a definitive answer without having much more information. That’s valid.
But if you parse the sentence, you can look at it in a couple of basic ways. First, when you see the words “security data,” are you talking about data that is output from one or more security products or solutions running in your organisation? If you take that perspective, then perhaps you narrowly define security data solely as information created by security technologies.
On the other hand, if you take a broader perspective, you could interpret security data to be all data that is important for the security of your organisation. From that perspective, security data is certainly more than just the output of technologies running in a SOC.
More data to secure means more security data
The proliferation of data generated by enterprises puts an ever-increasing burden on security teams. SOCs are successful when analysts have visibility into all data within the organization so they can leverage technologies — from next-gen SIEMs to SOARs and UEBAs — to detect, hunt, investigate and respond to threats quickly and effectively.
Threats and vulnerabilities can appear in any data located anywhere in an organisation. So, for effective data security, I believe enterprises need to view all data as security data and protect it accordingly.
Another key to effective data security is the ability to accelerate investigations by adding context through data enrichment. The data used for enrichment can come from any part of the organization — finance, HR, sales, marketing, everywhere — not just the SOC. For example, information from HR systems about employees who have left your organization could be paired with authentication system information to identify possible misuse of former employees’ login credentials. This further reinforces the concept that all data is security data and can provide valuable information to security teams working to prevent or respond to threats.
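As an added illustration of the HR-plus-authentication enrichment described above (example code written for this post, not Devo’s product code), the script below joins a constructed HR leaver list against constructed authentication log lines and flags successful logins by accounts whose owners have already left. The log format, field names and HR export layout are assumptions.

```python
"""Added example (not Devo's code): enrich authentication events with HR
leaver records to flag logins by accounts of former employees.
All records below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed HR export: account name and the date the employee left.
HR_LEAVERS = [
    {"user": "jdoe", "left": "2024-03-01"},
    {"user": "asmith", "left": "2024-03-10"},
]

# Constructed authentication log (assumed key=value format), one event per line.
AUTH_LOG = """\
2024-03-02T08:14:09Z host=vpn1 user=jdoe result=success src=203.0.113.7
2024-03-02T09:01:55Z host=vpn1 user=bwong result=success src=198.51.100.4
2024-03-09T17:30:12Z host=mail1 user=asmith result=success src=198.51.100.9
2024-03-11T02:45:00Z host=mail1 user=asmith result=failure src=203.0.113.22
2024-03-12T03:05:41Z host=mail1 user=asmith result=success src=203.0.113.22
"""

def parse_event(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def leaver_index(records):
    """Map username -> termination date from the (hypothetical) HR export."""
    return {r["user"]: datetime.strptime(r["left"], "%Y-%m-%d") for r in records}

def find_former_employee_logins(log_text, leavers, grace_days=0):
    """Return successful authentications by a leaver's account on or after
    the termination date plus an optional grace period for offboarding lag."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        left = leavers.get(ev["user"])
        if left is None or ev["result"] != "success":
            continue  # not a leaver, or a failed attempt: no enrichment match
        if ev["ts"] >= left + timedelta(days=grace_days):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_former_employee_logins(AUTH_LOG, leaver_index(HR_LEAVERS)):
        print(f"ALERT {ev['ts'].isoformat()} {ev['user']} from {ev['src']} on {ev['host']}")
```

In a SIEM the same join would run as a lookup against a scheduled HR feed rather than a static list, but the detection logic is unchanged.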
Advances in technology have changed the game
One of the biggest reasons to consider all data to be security data is the rapid evolution of security technologies. When SIEMs first hit the market about 15 years ago, there were limits on how much data they could ingest and manage. And if you tried to store all your data in an early SIEM, the cost would be astronomical.
These limitations forced organizations to decide what data was “security data” and what data was not. The notion of using a legacy SIEM to manage all the data in your organization was simply not feasible. Legacy SIEMs simply didn’t have the capacity and horsepower to handle the ever-growing amounts of data generated by organizations. Fortunately, things have changed for the better. Recently, I spoke with a very large German manufacturing company that is proactively driving its digital transformation agenda. “New” data coming from cloud sources into its legacy SIEM product had “crashed the SIEM twice.” So, it’s understandable why — historically — enterprises have had to make these kinds of decisions and “accept” these compromises.
Not surprisingly for a company that espouses its “no-compromise security architecture,” Devo fully embraces the idea that all data is security data. Putting all your data into a secure cloud environment and managing it with a next-gen SIEM enables your analysts to treat all data as security data, which creates far greater potential for enhanced enrichment and more precise context. Ultimately, this approach makes threat hunting and threat investigation faster and more efficient, significantly reducing MTTR. And crucially, at a time when enterprises have never been at greater risk from cyberthreats, it enables security teams to deliver on their responsibility to always keep their organisation secure and operational.
This post was originally published on the Devo blog.