82% of breaches should be stopped by existing controls, so what’s missing from your Security Data strategy?
When you think of simpler times, what do you think about? Perhaps an era before TikTok and Instagram, when it was Polaroids and disposable cameras? When cell phones were rare and landlines were common?
Those simpler times are nostalgic.
Even for your SecOps teams, who perhaps remember the simpler times of business operations too. The time when there were only a handful of on-premise servers connected to PCs, easy network configurations, and a limited number of network hosts.
As the world of technology continues to evolve before our eyes, so do the security risks.
Now, we have tablets, desktops, laptops, and mobiles. We work from home, a cafe, a bar, in an office, or all of the above. Each of these technological advancements and workplace changes leads to new endpoints and vulnerabilities susceptible to threats like:
- Phishing attacks
- Advanced persistent threats
With an increasing number of endpoints and advanced threats, comes a surge in the volume of security data collected by your SecOps team.
According to a recent survey conducted by ESG, 87% of respondents said they collect security data to support operations today than they did even just two years ago in order to manage risks connected to their network.
Types of Security Data Organizations Must Analyze
Collecting security data diligently, carefully, and strategically is critical for any organization's overall security strategy, and requires your SecOps team to identify potential areas of risk, like vulnerable endpoints, or gaps in BYOD policies based on analysis of security data like:
- Network activity
- Device utilization
- Security data from endpoints
- Network packet capture data
- Log data from security devices
- Malware sandbox
- Asset management tools
- Public cloud logs and/or network taps
- Log data from identity and access management systems
- Vulnerability management systems or scanners
- Threat intelligence feeds
By continuously deploying threat monitoring tactics across network activity, observing gaps in existing technology policies, and automating patches, your SecOps teams strive to avoid downtime and prevent serious security issues that would disrupt operations.
The Primary Security Data Objectives for Organizations
While the world of technology may be growing more complex, simplifying security in the wake of increased security data volume and analysis (and an overwhelming number of security alerts that need to be triaged, prioritized, investigated, and acted upon) is essential. This includes the ability for SecOps teams to add context to data, triage events in a sophisticated way, and cut through the noise of false positives to get to the issues that are most critical.
These challenges act as fodder for the top 3 security operation objectives for organizations in 2023: data enrichment, operationalizing MITRE ATT&CK framework, and developing new detection rules.
Investing in Data Enrichment
For most organizations, it’s less about the ability to detect risks, and more about not being able to wade through all of the false positives to find the true threats. There is too much smoke in the air, and it takes too long to add context to alerts to find the real fires.
Without automated security data enrichment capabilities, analysts are bogged down with research to stitch together a full picture of an alert which can include investigating several systems and data sources, like:
- IAM systems
- ERP systems
- Active Directory
- Individual employee data
- Social media profiles
- Chat records
Oftentimes, it can take days, or even weeks to transform this raw data into meaningful insights, which is too long when your company’s data and infrastructure may be at risk.
For that reason, SecOps teams say data enrichment is the top priority for them, with 46% of security professionals stating in the next 12-24 months, a primary objective is to improve the ability to combine and enrich multiple security data sources and tools to provide more context around security events.
Enriched data allows a SIEM to better perform threat detection, threat hunting, and incident response.
Operationalize the MITRE ATT&CK Framework
Do you have confidence in your security controls? When implementing detection and threat response, do you do it manually or programmatically? Can you do it continuously? What is your scope? Where are your control gaps?
Are we stressing you out yet?
According to Verizon’s data breach investigations report, 82% of breaches should have been stopped with existing controls. The modern SOC lives in a dynamic environment that changes often. And even a single update can create gaps in your security strategy. Without flexible detections, tailored to your needs, your security controls may fail.
For example, ESG reports that nearly half (46%) of security professionals store and analyze their security data in the public cloud, with levels of data prime for analysis set to rise in the coming years. If an adversary, for example, deploys a new technique, tactic or sub-tactics for stealing S3 information, do you have a process in place to map threat actors or behavior quickly?
These questions keep 42% of security professionals awake at night, noting that operationalizing the MITRE ATT&CK framework and aligning threat prevention, detection, and response processes and technologies with the tactic and techniques is a key initiative for them in the next 12-24 months.
By operationalizing the MITRE ATT&CK, you can more easily:
- Find and research adversary behaviors
- Translate behaviors into tactics
- Determine which adversary techniques apply to behaviors
- Test technique against your environment
- Analyze detection and prevention
- Make improvements to the control
Organizations that make threat intelligence digestible by integrating it with SIEMs and other tools within their security stack, and then overlaying MITRE ATT&CK tactics, techniques, and procedures (TTPs) on operational workflows will improve the quality, structure, and consistency of security operations.
Create New Detection Rules
Detections are everywhere - from Google to GitHub to HackerNews, to online forums. But the problem is, every organization is different. And, “one-size-fits-all” doesn’t work for most SOCs.
That’s why 42% of security professionals are placing emphasis on creating new detections and tuning existing detection rules and technologies to improve the mean time to detect and respond during security incidents.
We think it’s time that SOC platforms recognized this and delivered detections that security teams can easily edit on their own so they can handle potential threats proactively, rather than reactively.
Prioritize and Use Your Security Data Effectively
The Anvilogic platform helps accelerate critical threat detection based on an organization‘s data sources and a predefined assessment unique to your business needs and threat landscape.
Using the data and information unique to each environment, threat landscape, and priority can help to determine data needs, data types, normalization, recommendations, and more to show what is missing. Anvilogic makes it easier for security practitioners to confidently improve their security data strategy.
With AI-driven threat detection, Anvilogic consolidates and normalizes data from multiple sources and MSSPs into a single, integrated workspace. Then, Anvilogic creates a security maturity score that empowers you to:
- Manage your MITRE ATT&CK priorities
- Assess and improve your data quality
- Evaluate and enhance your detection coverage
- Track key metrics automatically
- Gain visibility into SOC improvements
Guide your security team through the backlog noise with recommended next steps and alert them to new, credible threats in the ever-changing cybersecurity landscape.
The drag-and-drop detection engineering and deployment capabilities, built with out-of-the-box security content, a growing collection of over 1,000 ready-to-deploy detection rules including trending topics, threat research, and intelligence aligned to the MITRE ATT&CK framework, eliminates noise and increases efficiency and efficacy across your security analytics.
Read more in the latest report ESG Report: Trends in Modern Security Operations