To solve the big data challenge in security, prioritized data flow, continuous data processing for analysis, and translation and exporting of data are all required to form an unified security architecture.
When someone claims security is a big data problem, they’re usually talking about the massive quantity of internal threat and event data generated by logs, SIEM, ticketing, and case management systems. Many security professionals suffer from alert fatigue as a result of the volume of alerts generated by various sources. The millions of external threat data points analysts receive every day from the various sources they subscribe to –open source, commercial, industry, government, security vendors as well as frameworks like MITRE ATT&CK – add to the fatigue.
And the situation is deteriorating. Bad actors take advantage of new attack vectors as business models change, such as IoT devices, operational technology (OT), and the various personal and professional devices individuals now switch between. They also use human vulnerabilities to penetrate organizations, impersonating trusted co-workers and third parties. In an attempt to fix security gaps, layering more solutions and subscribing to more feeds generates new sorts and formats of data to be collected in massive volumes.
Data ingestion and export
Data ingestion, however, is only one aspect of the big data dilemma. The data export side is the other aspect. This element has received less attention because most people don’t think about how data from a feed or solution interacts with their existing systems and procedures. Security professionals, for example, want a threat data feed to assist them in understanding how cybercriminals work and what to look for in their environment, but how will they use it? If they feed threat data directly into a SIEM, they will get a lot of false positives.
Another instance is the use of Security Orchestration, Automation, and Reaction (SOAR) platforms and technologies to automate procedures and speed up response times. However, security experts cannot solely concentrate on establishing a process and automating the actions required to execute it.
They should also ensure that the criteria and triggers involved in the processes are correct. In a dynamic environment, they should always ensure that they have the proper data to focus on what matters most to their business, as well as the right processes to take the right decisions, faster. Moving to a data-driven approach that prioritizes data and integrates systems with that data from a process-driven one is critical to truly addressing SOAR use cases.
Extended Detection and Response (XDR), the newest addition to the security arsenal, is gaining traction as a tool to enable detection and response across the organization. XDR necessitates the collaboration of all tools and teams, but the difficulty is that most enterprises protect themselves with a variety of security technologies from various vendors, both in the cloud and on-premises. Not to mention the third-party data and intelligence sources they use to provide context. Silos can make it difficult to transmit data between tools or teams in any meaningful way, resulting in an obstacle course for the attacker. An open and extensible design centred on enabling integration and data flow across the infrastructure for detection, response and prevention is promoted by the open XDR movement.
The big data problem
Big data is a concern that security teams are dealing with. They need a data-driven strategy to security operations to solve this big data dilemma. They can generate a meaningful, continuous, and useable data flow by using a platform that can get data in diverse formats and languages from different systems, vendors and sources to operate together.
- The pipeline begins with data input, normalization, and correlation in order to detect relationships and add context to the data.
- The data must then be prioritized, in an automated way, to eliminate noise and allow security professionals to focus on the most important aspects of their company.
- The data can now be used to make decisions. To do so, the data must be converted into a format and language that can be used by the tools and people that need to use it.
Big data security is a concern. To solve it, prioritized data flow, continuous data processing for analysis, and translation and exporting of data are all required to form a single security infrastructure. The only way to truly address security gaps with an integrated defence, rather than just creating another obstacle course for attackers, is to take a data-driven approach to security operations.
For more such updates follow us on Google News ITsecuritywire News.