Superior Data Analysis Needed for the Cybersecurity Industry


While having the right tools to manage today’s influx of data is crucial, cybersecurity teams must also have the right skills to carefully comb through and classify this data.

The key to a successful cybersecurity architecture requires data-driven decision-making. To succeed amid the rapid growth of data demands a different approach to how we classify data across the cybersecurity field. Some data may not seem essential at face value, but depending on the use case, it can be applicable as secondary data and critical to an organization’s cyber protection.

To start, understanding the potential of different data sources while increasing data visibility must become more of a focus area for cybersecurity professionals to get the most value out of this secondary data. Analyzing varied data sets and integrating them with other data sources will drive more impactful security solutions.

All data can be valuable cybersecurity data

Traditional sources of cybersecurity data have included computer telemetry, network and endpoint logs, cloud logs, and SaaS logs. But in reality, anything can be a source of cybersecurity data when it leads to patterns that expose or highlight potential threats. For example, cybersecurity professionals can take seemingly disparate data to build a profile of an end user, including how they access the network, what data or applications they are accessing on the network, when they enter/exit buildings, etc. If variance from that profile is detected, cybersecurity teams can be prompted to investigate.
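The profile-and-variance idea above, shown as an added example (this code is not from the article or from Raytheon/RTX). It takes constructed, already-normalized events from three sources (VPN login, badge entry, application access), builds a per-user baseline of working hours and applications, and then flags new events that deviate from that baseline, including the cross-source case of a VPN login within an hour of a badge entry at the office. The event shape, the two-hour tolerance, and the one-hour badge/VPN window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each record has already been
# normalized to a common shape: who, which source produced it, when, and what.
BASELINE_EVENTS = [
    {"user": "alice", "source": "vpn",   "ts": "2024-03-04T08:55:00", "detail": "login"},
    {"user": "alice", "source": "app",   "ts": "2024-03-04T09:10:00", "detail": "payroll"},
    {"user": "alice", "source": "app",   "ts": "2024-03-05T09:30:00", "detail": "payroll"},
    {"user": "alice", "source": "badge", "ts": "2024-03-05T08:45:00", "detail": "HQ-entry"},
    {"user": "bob",   "source": "badge", "ts": "2024-03-04T07:50:00", "detail": "HQ-entry"},
    {"user": "bob",   "source": "app",   "ts": "2024-03-04T08:20:00", "detail": "git"},
    {"user": "bob",   "source": "app",   "ts": "2024-03-05T14:00:00", "detail": "git"},
]

# Constructed events for the day under review.
NEW_EVENTS = [
    {"user": "alice", "source": "app",   "ts": "2024-03-06T09:05:00", "detail": "payroll"},  # normal
    {"user": "alice", "source": "app",   "ts": "2024-03-06T23:40:00", "detail": "payroll"},  # unusual hour
    {"user": "bob",   "source": "app",   "ts": "2024-03-06T10:00:00", "detail": "payroll"},  # unusual app
    {"user": "bob",   "source": "badge", "ts": "2024-03-06T09:00:00", "detail": "HQ-entry"},
    {"user": "bob",   "source": "vpn",   "ts": "2024-03-06T09:20:00", "detail": "login"},    # VPN while badged in
]

HOUR_TOLERANCE = 2  # assumption: an hour within +/-2 of a seen hour counts as normal


def build_profile(events):
    """Aggregate baseline events into a per-user profile of hours and apps."""
    profile = defaultdict(lambda: {"hours": set(), "apps": set()})
    for e in events:
        p = profile[e["user"]]
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        if e["source"] == "app":
            p["apps"].add(e["detail"])
    return profile


def find_variance(profile, events, badge_window=timedelta(hours=1)):
    """Return (user, reason, timestamp) tuples for events that deviate from the profile."""
    findings = []
    # Index badge entries so VPN logins can be checked against physical presence.
    badge_times = defaultdict(list)
    for e in events:
        if e["source"] == "badge":
            badge_times[e["user"]].append(datetime.fromisoformat(e["ts"]))

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        p = profile.get(e["user"])
        if p is None:
            findings.append((e["user"], "unknown-user", e["ts"]))
            continue
        # Hour check (does not wrap around midnight; good enough for the example).
        if not any(abs(ts.hour - h) <= HOUR_TOLERANCE for h in p["hours"]):
            findings.append((e["user"], "unusual-hour", e["ts"]))
        if e["source"] == "app" and e["detail"] not in p["apps"]:
            findings.append((e["user"], "unusual-app:" + e["detail"], e["ts"]))
        # Cross-source check: remote network access shortly after an in-building badge swipe.
        if e["source"] == "vpn" and any(abs(ts - bt) <= badge_window for bt in badge_times[e["user"]]):
            findings.append((e["user"], "vpn-while-badged-in", e["ts"]))
    return findings


def run_review():
    """Build the baseline from BASELINE_EVENTS and review NEW_EVENTS against it."""
    return find_variance(build_profile(BASELINE_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for user, reason, when in run_review():
        print(f"{when}  {user:<6} {reason}")
```

Each finding is a prompt to investigate, not a verdict: the badge/VPN case in particular has benign explanations (a laptop left connected on the way in), which is exactly why the text frames variance as a trigger for analyst review.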

In addition, some external data sources can be useful for cyber defenders. Data pulled from crypto wallets, network flow from large internet service providers (ISPs), or data from data brokers can also be useful assets. Open Source Intelligence (OSINT) research can also provide data such as email addresses, social media accounts, and other activity on the Internet that helps an analyst create new queries and investigative avenues to discover malicious or potentially malicious activity that a team can act on.


Increasing data visibility and management

Once cybersecurity teams understand that all data can potentially be useful to strengthen their organization’s security posture, they will need greater visibility into the types of data they can aggregate and who has access to it. Organizations that do not develop a deeper understanding of this data and how they can optimize it to make better security decisions expose themselves to greater risk.

The challenge is acquiring the toolsets to manage, manipulate, and coordinate this data so that it properly informs the cybersecurity mission. Manual data-management processes are too cumbersome to match the rate at which data is received. In response, technologies such as artificial intelligence (AI) and machine learning (ML), as well as tools for data pipelining and cleaning, will be essential to ensuring this data can be managed efficiently. On the backend, data lakes that provide the storage and compute power to analyze the data in near real time are essential to enabling the cybersecurity mission.

Enabling a crossover between data scientists and cybersecurity analysts

While having the right tools to manage today’s influx of data is crucial, cybersecurity teams must also have the right skills to carefully comb through and classify this data. This means organizations need to coordinate the insights of both data scientists and cybersecurity analysts. Unfortunately, there has traditionally been a split between data scientist and cybersecurity analyst roles. Data scientists are more focused on making data usable and available to analysts through data cleaning and prep, manipulation, and normalization. Meanwhile, cybersecurity analysts are more concerned with looking for patterns and anomalies and how they inform their missions.

There needs to be more recognition of the crossover between these roles and how merging these skill sets can enhance a cybersecurity program. For example, cybersecurity analysts can recognize when data is formatted incorrectly or has changed from a previous version. Data scientists may not be able to identify these inconsistencies because they are not actively using this data. However, they can provide more direction into how analysts can take advantage of specific data to make their jobs easier. Data scientists and cybersecurity analysts need to work together and adopt each other's perspectives so they can better analyze and integrate multiple datasets efficiently. This will ensure the best data is available for making cybersecurity decisions.
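The "formatted incorrectly or changed from a previous version" problem, and the data-cleaning step mentioned earlier under data management, as an added example (not code from the article or from Raytheon/RTX). It encodes the agreed record format for one log source as a small schema, validates each record against it, and compares a known-good batch with a new batch to report renamed fields and type changes before the records reach an analyst's queries. The schema, field names and both batches are constructed for the example.

```python
import re
from datetime import datetime

# Constructed schema for one log source (an assumption, not any product's format).
EXPECTED_SCHEMA = {
    "ts": "iso8601",
    "src_ip": "ipv4",
    "user": "str",
    "bytes": "int",
}

# Constructed batches (not real logs). PREVIOUS_BATCH follows the agreed format;
# CURRENT_BATCH shows a silent upstream change: a renamed timestamp field, a
# different timestamp format, and a numeric field that now arrives as a string.
PREVIOUS_BATCH = [
    {"ts": "2024-03-04T08:55:00", "src_ip": "10.0.0.5", "user": "alice", "bytes": 1204},
    {"ts": "2024-03-04T08:56:10", "src_ip": "10.0.0.7", "user": "bob",   "bytes": 88},
]
CURRENT_BATCH = [
    {"timestamp": "03/06/2024 09:05", "src_ip": "10.0.0.5", "user": "alice", "bytes": "1204"},
    {"timestamp": "03/06/2024 09:07", "src_ip": "10.0.0.9", "user": "carol", "bytes": "512"},
]

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_value(kind, value):
    """Return None when value matches kind, otherwise a short reason string."""
    if kind == "int":
        ok = isinstance(value, int) and not isinstance(value, bool)
        return None if ok else f"expected int, got {type(value).__name__}"
    if kind == "str":
        return None if isinstance(value, str) else f"expected str, got {type(value).__name__}"
    if kind == "ipv4":
        if not isinstance(value, str) or not IPV4_RE.match(value):
            return "not an IPv4 address"
        return None if all(0 <= int(o) <= 255 for o in value.split(".")) else "octet out of range"
    if kind == "iso8601":
        try:
            datetime.fromisoformat(value)
            return None
        except (TypeError, ValueError):
            return "not ISO 8601"
    return f"unknown kind {kind}"


def validate_record(record, schema=EXPECTED_SCHEMA):
    """List every way a single record departs from the schema (empty list = clean)."""
    issues = []
    for field in sorted(schema.keys() - record.keys()):
        issues.append(f"missing field {field}")
    for field in sorted(record.keys() - schema.keys()):
        issues.append(f"unexpected field {field}")
    for field, kind in schema.items():
        if field in record:
            reason = check_value(kind, record[field])
            if reason:
                issues.append(f"{field}: {reason}")
    return issues


def detect_drift(previous, current, schema=EXPECTED_SCHEMA):
    """Compare a known-good batch with a new one and summarize what changed."""
    prev_fields = set().union(*(r.keys() for r in previous))
    cur_fields = set().union(*(r.keys() for r in current))
    return {
        "added_fields": sorted(cur_fields - prev_fields),
        "removed_fields": sorted(prev_fields - cur_fields),
        "baseline_invalid": sum(1 for r in previous if validate_record(r, schema)),
        "current_invalid": sum(1 for r in current if validate_record(r, schema)),
    }


if __name__ == "__main__":
    print(detect_drift(PREVIOUS_BATCH, CURRENT_BATCH))
    for rec in CURRENT_BATCH:
        print(validate_record(rec))
```

Run this check at the point where a pipeline ingests a source, and a format change becomes a ticket for the data scientist who owns the normalization step rather than a silent gap in the analyst's detections.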

Security teams must redefine how they source, view, manage, and analyze the massive amounts of data now available to them. This will better enable them to fully identify the potential of data to inform cybersecurity decision-making and will enable defenders to do their jobs more efficiently and effectively, strengthening overall organizational resilience.

John DeSimone

About John DeSimone

John DeSimone is President of Cybersecurity, Intelligence and Services for Raytheon, an RTX Business.
