Make 2019 the year for data-driven cybersecurity

by Mike MacIntyre, VP Product of Panaseer


If you look at the structure of the Board at an average mid-sized to large company, the most anomalous position is that of the CISO. It’s more often than not the newest C-level appointment and the one that is struggling the most to justify the ROI on departmental spend. It’s taken years for cyber to become a Board-level issue, but now that the rest of the Board is paying attention, many CISOs lack the insight to know what to say.

With counterparts able to give a data-driven breakdown across line of business, departments, geography and time period, it’s inconceivable for CISOs to carry on relying on ‘gut instinct’ and justifying budgets via fear, uncertainty and doubt. The time is now for solid, data-driven decision-making capabilities, especially given the rapidly evolving threat landscape and an increasingly distant (cloud) and heterogeneous technology environment.


Drivers to change the status quo

Security has traditionally been seen as a department that hampers innovation, rather than an enabler for digital business and digital transformation. The CISO typically hails from a technological position and struggles to translate their operations in business terms. There is a clear disconnect when it comes to them stepping up to both pitch their needs in a way that the business understands (in line with its drivers) and back this up later with evidence of progress.

For CISOs that believe they have already embraced a data-driven future, the information they receive is either meaningful but not timely, or it is timely but not meaningful. This is because the content is too technical and siloed. For example, the preparation for Board reports or risk committee meetings can take weeks to produce (due to data extraction, curation and narration), so by the time it goes in front of those stakeholders it’s out of date and has consumed large quantities of the team’s time, which would otherwise have been spent on security.

Conversely, the data that’s available at short notice may be the total number of vulnerabilities, which has no place in a board report. Reporting isn’t the only use case for data science. Corporate entities are awash with data from a multitude of sources so there is no shortage of opportunity to dive in.


Where to start

Unsurprisingly, the market has seen a glut of security data analytics products that use maths to quickly identify the bad guys that are “inevitably” in your network and increase Security Operations Centre efficiency all through the use of Machine Learning or Artificial Intelligence (AI). It’s a problem that is ripe for data analysis innovation, but the realities are more intricate than many realise.

For a start, AI is mostly marketing hype applied to a small subset of machine learning techniques, so don’t be fooled by how a product is branded. At best, the algorithms embedded in these products perform highly specialised analysis in a single field and have been trained on large volumes of data. This is a far cry from general AI, which is a system that can perform any generalised task and answer questions across multiple domains. That’s ok so long as you know what you are buying, are happy with the effort required to make it operational and know how to make it effective within your organisation.

Data science should not just be confined to the ‘detect’ space. It’s easy to understand how rapid identification of threats is appealing but it takes a slightly defeatist view that you can’t prevent attackers from breaching your defences. However, there are many opportunities for CISOs to use data to be more proactive in preventing threats from taking hold.

Using data to raise the general cyber hygiene of an organisation is an underserved use case. An automated metrics and measurement programme can tell you a lot about how well your control infrastructure is deployed, configured and managed. Many organisations currently use point-in-time assessments, conducted manually or via questionnaires, to assess their control status. No modern organisation can genuinely believe this is a sufficient fidelity of measurement to feel confident that a control infrastructure is operating as expected or needed (particularly considering regulatory reporting needs).

Another example, linked to the cyber hygiene use case, is the creation, management and maintenance of an asset inventory. Although an inventory is critical to understanding what you need to defend, many organisations have given up on keeping such a system up to date. However, there is no reason that this has to be done manually.

A particular benefit of these preventative data analysis use cases is that, as well as delivering insight into where defences might be weak and at risk from attack, they can drive down the noise that plagues some of the detect solutions and can increase the effectiveness of the AI algorithms, as well as traditional rule-based detection. Given that the attacker signals are generally pretty weak in the data, this can have tremendous benefits.


Aligning cyber to the business

Regardless of the objectives of a data science programme or product, a common theme is still the need to make it relevant to the business. Data science will only be successful if you can instrument, capture, move, combine and analyse data that covers the technical infrastructure (e.g. endpoints, network, authentication, vulnerabilities), the business context (e.g. asset management, CMDB, application architecture, business processes), the identities that interact with these systems and processes (e.g. HR data, identity management) and threat intelligence that’s pertinent to your business or sector.

Tackling business relevance leads the CISO to an unusual opportunity. Many organisations attempt a homogeneous, “one size fits all” security solution. However, with security control performance measurement contextualised to give each geographical region, business unit or product line its own personalised view of security, the informed CISO can ask each group to set its own risk appetite, which can now be successfully tracked and monitored. This elevates the CISO to an agile business operator who can divert sparse resources to the most relevant (risk averse) parts of the business.
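The three ideas above (an automated control-coverage measurement programme, an asset inventory reconciled from tool data rather than maintained by hand, and a per-business-unit view tracked against each unit’s own risk appetite) fit together in a small, concrete pipeline. The example below is added here to illustrate that; it is not Panaseer’s product or the author’s code. It assumes three constructed feeds (a CMDB export, EDR agent heartbeats and vulnerability scanner completion times) supplied as plain Python dicts, a hypothetical seven-day freshness window for a control to count as “deployed and operating”, and a risk appetite expressed as a minimum acceptable coverage fraction per business unit.

```python
from datetime import datetime, timedelta

# Constructed sample feeds (not from the article). Note the naming
# differences between sources: case, domain suffix, and hosts one tool
# knows about that the CMDB does not.
CMDB = [
    {"host": "fin-db-01", "business_unit": "Finance"},
    {"host": "fin-app-01", "business_unit": "Finance"},
    {"host": "FIN-APP-02.corp.example", "business_unit": "Finance"},
    {"host": "ret-pos-01", "business_unit": "Retail"},
    {"host": "ret-pos-02", "business_unit": "Retail"},
    {"host": "ret-web-01", "business_unit": "Retail"},
]
EDR_CHECKINS = {  # hostname -> last agent heartbeat (ISO 8601)
    "fin-db-01": "2019-01-10T08:00:00",
    "fin-app-01": "2019-01-10T07:30:00",
    "ret-pos-01": "2019-01-09T22:00:00",
    "ret-pos-02": "2018-11-01T10:00:00",    # agent installed but silent for weeks
    "ret-kiosk-07": "2019-01-10T09:00:00",  # has an agent, absent from the CMDB
}
VULN_SCANS = {  # hostname -> last completed authenticated scan
    "fin-db-01": "2019-01-05T01:00:00",
    "fin-app-01": "2019-01-08T01:00:00",
    "fin-app-02.corp.example": "2019-01-06T01:00:00",
    "ret-web-01": "2018-12-01T01:00:00",    # scanned, but not recently
    "ret-kiosk-07": "2019-01-07T01:00:00",
}
# Hypothetical risk appetite: minimum control coverage each unit has signed up to.
RISK_APPETITE = {"Finance": 0.95, "Retail": 0.80}


def normalise(host: str) -> str:
    """Collapse the naming differences that stop feeds joining: case and domain suffix."""
    return host.strip().lower().split(".")[0]


def is_fresh(stamp, as_of: datetime, window: timedelta) -> bool:
    """A control only counts as operating if the tool has reported within the window."""
    return stamp is not None and as_of - datetime.fromisoformat(stamp) <= window


def build_inventory(cmdb, edr, vuln, as_of: datetime, freshness_days: int = 7):
    """Reconcile the CMDB against tool telemetry.

    Returns the per-asset control status plus the hosts the tools see that
    the CMDB has never heard of (the inventory gaps the article describes).
    """
    window = timedelta(days=freshness_days)
    edr_n = {normalise(h): t for h, t in edr.items()}
    vuln_n = {normalise(h): t for h, t in vuln.items()}
    inventory = {}
    for rec in cmdb:
        h = normalise(rec["host"])
        inventory[h] = {
            "business_unit": rec["business_unit"],
            "edr": is_fresh(edr_n.get(h), as_of, window),
            "vuln": is_fresh(vuln_n.get(h), as_of, window),
        }
    unknown = sorted((set(edr_n) | set(vuln_n)) - set(inventory))
    return inventory, unknown


def coverage_by_unit(inventory):
    """Turn asset-level status into the per-business-unit view a Board can read."""
    totals = {}
    for asset in inventory.values():
        t = totals.setdefault(asset["business_unit"], {"assets": 0, "edr": 0, "vuln": 0})
        t["assets"] += 1
        t["edr"] += asset["edr"]    # bools sum as 0/1
        t["vuln"] += asset["vuln"]
    return {
        bu: {
            "assets": t["assets"],
            "edr": round(t["edr"] / t["assets"], 3),
            "vuln": round(t["vuln"] / t["assets"], 3),
        }
        for bu, t in totals.items()
    }


def appetite_breaches(coverage, appetite):
    """List every (unit, control, observed) pair below the unit's agreed threshold."""
    return [
        (bu, control, metrics[control])
        for bu, metrics in coverage.items()
        for control in ("edr", "vuln")
        if metrics[control] < appetite[bu]
    ]


def run_report(as_of: str = "2019-01-10T12:00:00"):
    """End-to-end: reconcile, measure, compare against appetite. Returns a dict so it can be tested."""
    inventory, unknown = build_inventory(CMDB, EDR_CHECKINS, VULN_SCANS, datetime.fromisoformat(as_of))
    coverage = coverage_by_unit(inventory)
    return {
        "coverage": coverage,
        "unknown_assets": unknown,
        "breaches": appetite_breaches(coverage, RISK_APPETITE),
    }


if __name__ == "__main__":
    report = run_report()
    for bu, m in report["coverage"].items():
        print(f"{bu}: {m['assets']} assets, EDR {m['edr']:.0%}, scanned {m['vuln']:.0%}")
    print("Not in CMDB:", report["unknown_assets"])
    print("Below appetite:", report["breaches"])
```

Two design points matter more than the arithmetic. First, freshness is part of the metric: an installed agent that has not reported for weeks (ret-pos-02) is counted as absent, which is exactly the gap a questionnaire-based assessment would miss. Second, the reconciliation surfaces assets the tools know about but the CMDB does not (ret-kiosk-07), so the inventory improves as a by-product of measuring coverage rather than as a separate manual project.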

This holistic visibility is challenging to acquire, but with modern data analytics products it’s by no means unattainable. To action this, the CISO needs to consider whether they have the team and resources to build such an analysis capability. Data scientists are not commonly found in security functions, and those assigned to the business are often distracted by revenue-generating problems. If the CISO doesn’t have the resource, then they need to be clear on how they can meaningfully evaluate vendors.

The scale of setting up such a programme can put many people off, not least those that have been in post for some years and may not be ready or willing to expose the painful realities that have built up on their watch. However, you have the opportunity to start small and build out the capability incrementally. Taking two years to develop a polished data collection programme is the wrong first move towards data-driven decision making. A great starting place is to look at how you can automate the repetitive tasks that your team spends a disproportionate amount of time sorting out, thus freeing them up to focus on the other problems you never thought you’d get to.

Having accurate and up-to-date data at your fingertips means you can stop security from becoming a blocker to the business, by being more agile and relevant, and bring security into the digital revolution. The future for security is data-driven. The journey to get there is fraught with uncertainty, but should you succeed the rewards could be plentiful. Make 2019 the year you get started.