We live in a data-driven world. It powers critical decision-making in industries as diverse as healthcare, financial services and retail. But is data king when it comes to cybersecurity? For security operations (SecOps) teams struggling with alert overload, there is something more important than raw data. In reality, it is evidence – contextual understanding of what the data means – that is needed to enhance network defenders’ detection and response capabilities.
From Data to Evidence
Data can more accurately be thought of as a precursor to evidence. It’s collected from networks, endpoints, on-premises and cloud infrastructure, applications and even people. The sheer volume collected in large enterprises can soon become overwhelming. But where do you store all that data? How long do you need to keep it? How do you correlate it to make sense of it? And how can it be turned into evidence to confidently illuminate what happened and when?
Evidence, by contrast, begins with the data but extends and enhances it through contextual enrichment and correlation. Adding context could mean using relevant asset data from configuration management databases (CMDBs) and information on CVEs, GeoIPs, block/allow-lists and other sources. Correlation is about connecting related events in the order in which they occurred. Organizations need this evidence, with its context and correlation, when deciding whether an event should be categorized as an incident, intrusion or breach. That decision can have significant implications for how, and to which relevant stakeholders and regulators, it is communicated.
Streamlining SecOps
The challenge for SecOps teams is that they often struggle to extract sufficient evidence to focus and prioritize their detection and response efforts. This is critical because the average security operations center (SOC) team has to manage 51 incidents per day. Recent research revealed that nearly half (46%) of such teams feel they are “inundated by a never-ending stream of cyber-attacks.”
Take a typical SIEM tool. In its simplest form, it collects data from different sources and sends alerts on potential security threats and vulnerabilities. Given that it can be collected passively to avoid detection by threat actors and is immutable, network data is a key source of evidence. But collecting and alerting on isolated data sets related to protocols (e.g. HTTP, DNS), the timing of the network sessions (e.g. human keystrokes over SSH) or encrypted traffic metadata (SSL, RDP, SSH, etc.) is not sufficient. It will only overwhelm the SecOps team with alerts.
Instead, data must be parsed, analyzed, normalized, contextualized and correlated to truly elevate defenders’ capabilities. When supported with machine learning analytics in a fast, intuitive search platform, comprehensive network evidence like this can dramatically enhance and accelerate SecOps. It empowers human analysts to swiftly prioritize actionable alerts, freeing up more time for hunting and response, while providing a pool of raw data that can be consulted to determine what happened and how.
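As an added illustration (not code from the original article), the following Python sketches the data-to-evidence pipeline described in this section and in the earlier section on context and correlation: raw records from different sources are normalized to one schema, enriched from CMDB, GeoIP and block-list tables, chained per source host in time order, and scored so an analyst sees one prioritized evidence record instead of several isolated alerts. All hosts, addresses, lookup tables and scoring weights are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed context sources: stand-ins for a CMDB, a GeoIP lookup and a block-list.
CMDB = {"10.0.1.5": {"host": "db-prod-01", "tier": "critical"},
        "10.0.9.20": {"host": "kiosk-07", "tier": "low"}}
GEOIP = {"203.0.113.9": "ZZ", "198.51.100.4": "US"}
BLOCKLIST = {"203.0.113.9"}
# Constructed raw records, each in its own source's schema, as a SIEM would ingest them.
RAW = [
    {"src": "dns", "ts": "2024-05-01T10:00:01", "client": "10.0.1.5", "qname": "update.example"},
    {"src": "http", "ts": "2024-05-01T10:00:04", "client_ip": "10.0.1.5", "server_ip": "203.0.113.9"},
    {"src": "ssh", "ts": "2024-05-01T10:00:40", "saddr": "10.0.1.5", "daddr": "203.0.113.9"},
    {"src": "http", "ts": "2024-05-01T12:00:00", "client_ip": "10.0.9.20", "server_ip": "198.51.100.4"},
]

def normalize(rec):
    """Map each source's field names onto one schema (ts, proto, src_ip, dst)."""
    return {"ts": datetime.fromisoformat(rec["ts"]), "proto": rec["src"],
            "src_ip": rec.get("client") or rec.get("client_ip") or rec.get("saddr"),
            "dst": rec.get("qname") or rec.get("server_ip") or rec.get("daddr")}

def enrich(ev):
    """Attach asset, geo and block-list context so the event carries its own meaning."""
    asset = CMDB.get(ev["src_ip"], {"host": "unknown", "tier": "unknown"})
    return {**ev, **asset, "geo": GEOIP.get(ev["dst"], "n/a"), "blocked": ev["dst"] in BLOCKLIST}

def correlate(events, window=timedelta(minutes=5)):
    """Chain events from the same source host in time order; a gap longer than window starts a new chain."""
    chains = []
    for ev in sorted(events, key=lambda e: (e["src_ip"], e["ts"])):
        last = chains[-1] if chains else None
        if last and last[0]["src_ip"] == ev["src_ip"] and ev["ts"] - last[-1]["ts"] <= window:
            last.append(ev)
        else:
            chains.append([ev])
    return chains

def assess(chain):
    """Turn one chain into an evidence record with a priority score (weights are constructed)."""
    score = (3 if chain[0]["tier"] == "critical" else 0) \
        + 2 * sum(ev["blocked"] for ev in chain) + len({ev["proto"] for ev in chain})
    return {"host": chain[0]["host"], "sequence": [ev["proto"] for ev in chain],
            "score": score, "priority": "incident" if score >= 6 else "alert"}

def build_evidence(raw=RAW):
    """Full pipeline: normalize -> enrich -> correlate -> assess, highest priority first."""
    chains = correlate(enrich(normalize(r)) for r in raw)
    return sorted((assess(c) for c in chains), key=lambda e: -e["score"])
```

Run `build_evidence()` to see the critical host's dns-http-ssh chain to a block-listed address surface as a single "incident" record ahead of the low-tier kiosk's lone "alert".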
The bottom line is that evidence powers detection. This not only helps keep organizations more secure but also supports better-informed post-incident decision-making and notifications. In an increasingly rigorous regulatory climate, the reputational and financial implications of this alone make it a strategy well worth pursuing.