Gabrielle is a security engineer. She deploys tools to scan for threats and vulnerabilities, read logs, and manage the security risks for her company, but is all that data really helping? Sometimes, it seems like she works in a noise factory instead of a SOC. The cacophony of all the log and event data and vulnerability scans are pouring into the SIEM, and it’s Gabrielle’s job to listen to the symphony of data and find the out-of-tune notes. All she hears, however, is the sound of a thousand grade-school bands warming up their instruments. Is there some way to get that data in tune so it produces a harmony and a melody and not a din of ones and zeroes?
As the conductor of this symphony, Gabrielle’s challenge is to get all the instruments playing the same song, in tune, at the right tempo and volume. To accomplish this feat, she will need to first decide what song she wants them to play, what impact she is trying to make, and how that fits into the overall concert. Once she understands what she wants to do, she then has a strategy for creating beautiful music.
Choosing the Song – What Do You Need to Communicate?
The first choice Gabrielle needs to make is to determine what she is trying to communicate with all this security data.
Is this data being used for threat hunting? Is it measuring a vulnerability management program? Perhaps she wants to identify the riskiest parts of the attack surface? Knowing what questions she wants to answer and outcomes she is trying to achieve will help narrow the set of data as well as how that data is going to be used. As the conductor, she now knows which instruments she needs, the key they need to play in, and the story she is trying to tell.
To make this more concrete, a collection of data with no clear plan for how to use it only makes the security analyst’s job harder. There may be reactive forensic value, but it’s better to be proactive and know what your data is able to communicate and craft visualizations that quickly tell that story (or play that song, in Gabrielle’s case). There are two areas of exploration that can help you choose that song:
- What can the dataset tell me about?
- What do I want to know about within this context?
There was a reason a monitor or scanner was put in place, and a required set of data was gathered. Knowing the set of data can then guide what questions can be answered with that data set. For instance, vulnerability scans have dates, targets, CVEs, and severities. One may want to focus on trends over time, specific target patterns, or high-severity clusters. Knowing what question you want answered now informs what song you choose to play.
Choosing the Impact – What Do You Want to Do?
The impact of noise is to tune it out. If Gabrielle wants to turn that din into a song that she wants to listen to, she’ll need to decide what impact she wants to make. In other words, has she created something useful or just interesting? Interesting data makes for good conversation during a coffee break, but useful data can be used to make decisions and drive action. The impact needs to drive the security program forward, informing the overall strategy and leading to tactical choices for how to proceed.
In a security context, knowing there has been an increase in reported vulnerabilities on an endpoint is interesting, but understanding what caused that increase and acting on it is useful. A rich dataset should be able to be distilled down to a picture guiding the user to the next step. What happened? When did it happen? What do we need to do about it? Is it an anomaly or a trend? In the vulnerability example, a zero-day may have come out, or perhaps a new server was rolled out and wasn’t properly configured.
In understanding and choosing what impact you want your data to make, you’ve gone beyond deciding what you want to know; you now have the tools to know what you want to do.
Creating the Set – What is Your Strategy?
Now that Gabrielle is on her way to her new hit single, it’s time to think about the rest of the set. A good performer knows that a concert isn’t just a random set of tunes but a collection of songs that takes the audience on an emotional journey. In the same way, all that data pouring into your SIEM needs to work in concert to support your overall security strategy. With so much information, it’s important to know what is in, what is out, what needs to be known right now, and what can wait. Your security strategy needs to address the risks most salient to your business. Tuning out the noise and putting together a collection of information that tells the overall story you need to tell means you can focus on the connections and interactions that will best support and accelerate your security efforts.
Just as each individual song or report needs to be useful and not just interesting, the entire collection needs to be useful. Honing each report informs tactical execution, and zooming out to present the overall picture provides the view to guide and tune the entire strategy.
Battle of the Bands – Tool Sprawl vs. Consolidation
Once the music is in tune, additional strategic considerations come into play. The current state of the security market is like a battle of the bands, each very good at their own genre but not always playing well together. You may need to go to one venue to hear jazz, another for rock, and still another for classical. If this sounds like moving from your vulnerability management dashboard to your endpoint protection report and then over to another platform to see how your phishing campaign is going, you’re not alone. It’s a common challenge.
One option is to put all your favorite genres in a streaming playlist and hit play. This may work to consolidate your content, but the overall effect may be jarring and the story disjointed. This option solves the problem of going to multiple places to get what you need but doesn’t necessarily put them together in a cohesive way.
Another option is to sacrifice some depth for breadth. Finding a band that can play multiple genres and blend them seamlessly may provide what you need while giving up some specialization. This approach can save cost on the tool side and add consistency of data and interfaces. Vendor consolidation can also be an attractive benefit, particularly if the tools play well together, provide a normalized data set, and help you accomplish your security strategy.
From Noise Maker to Rock Star
As Gabrielle took all the noise coming into her SOC and crafted it into a concert, she turned the noise factory into a music hall. She saw the digital chaos coming in and knew what she wanted to communicate, so she turned down the volume on what wasn’t needed and focused on what she wanted to know. Once she knew what she wanted to learn, she needed to know what to do. Further refining the dataset, she tuned it to the specific actions she wanted to take and the decisions she needed to make. Repeating this process, she created an overall picture to guide her strategy, moving from a detailed focus to an aggregate view. This last step helped guide the overall direction and provide course corrections when the data showed the strategy was off track.
Data is a valuable tool for a security team, but it’s not enough to collect large amounts of it. Turning that data into actionable information turns your noise factory into a concert venue and you from a noisemaker into a rock star.