The Rise of Data-Driven Security, Part 2: Data Sources and Emerging Data Markets
In my last post, the first in this series, I talked about how recent vendor trends highlight the rise of data-driven tactics for defense. This is just one of three major aspects of data-driven security becoming more prominent in products and services. To recap, those three aspects are:
- Data-driven tactics which differ from legacy security technologies in part by their focus on a more continuous, dynamic dependence on data sources.
- Data-driven platforms for security management and strategy guidance that may be expected to expand techniques for yielding more effective insight from large amounts of many different kinds of data.
- Data sources to serve these interests, which can be expected to grow in their variety, as well as in the variety of ways they are made available as offerings in their own right.
The increased interest in data-driven security has created opportunity for a wide range of data sources—and these sources are becoming increasingly ripe for exposure as data services of value in and of themselves. Some examples:
Internal monitoring and forensic data: This, of course, is the data most commonly used in most organizations. Despite this fact, an astounding number of organizations do not make the most effective use of the information they already collect – not least because security and operations management tools can generate enormous amounts of data. This suggests the growing need for techniques such as those well established in Business Intelligence and data mining to improve the usability of this information. It also suggests the value of modern forensic tools in proactively building a more effective security posture, rather than being used in a strictly reactive manner after an incident. (More about this in the upcoming post on data-driven strategy and management platforms.)
External intelligence today assumes a number of forms, from data specific to information security, to intelligence services more often associated with counterterrorism or espionage. Threat and vulnerability research data and fraud intelligence are regularly consulted by many enterprises and widely used in security tools today. Regardless, organizations would benefit greatly from making this information more actionable in determining priorities for risk mitigation – particularly when managing IT risk at scale.
Outcome data is something of a paradox, since it clearly illustrates where security succeeds and where it fails – yet its adoption is mixed. Internally, it seems that organizations still have much to learn about the value of field-assessed security and folding the outcomes of assessment into security management. Among external resources, however, outcome data has become one of the most visible sources of information for understanding common risk factors and determining management priorities. The publication of data security breaches first mandated by regulations such as California’s breach disclosure law in the mid-2000s quickly turned a spotlight on cases where security breaches had resulted in the compromise of thousands—and in some instances, millions—of personal records. In the years since, the series of reports published by Verizon on its investigations into actual breach cases, as well as organizations such as the Privacy Rights Clearinghouse and the Open Security Foundation’s DataLossDB, have had a significant impact on the way security strategists view the measurement of effectiveness. The advantage of this data is that it highlights “real world” factors in actual breach cases, rather than potential or theoretical risks, or just inputs alone. Exposing this data to analysis gives organizations access to detailed information regarding the specifics of breach events. This enables enterprises to correlate their own performance in areas where gaps had a direct or indirect effect on breach success among similar organizations.
Security Metrics: The measurement of security outcomes is just one aspect of the larger interest in the measurement of security that has grown substantially in the last few years. Spurred in part by seminal publications such as Andrew Jaquith’s Security Metrics: Replacing Fear, Uncertainty and Doubt that illustrate how meaningful security metrics can be defined, gathered and used, IT security and risk professionals are more aware than ever before of ways in which IT and information security and risk management can be measured. Organizations such as the Center for Internet Security have responded to this interest with sets of metrics and benchmarks that strategists can use to compare their priorities and practices against other organizations or a consensus of security professionals.
Reference data provides a baseline against which aspects of security can be measured. File integrity monitoring, for example, collects evidence of a “known good” state against which deviations can be identified. Application whitelist inventories, meanwhile, can be used to differentiate recognized or widely adopted software from malware, which can improve the responsiveness of defense or the efficiency of forensic triage. Reference data could go much farther, however. IT asset inventories, next-generation IT asset management (ITAM) and configuration management systems (CMDB/CMS), for example, could play a much greater role in correlating risk factors with information assets of all kinds. As with file integrity monitoring, this suggests a greater role for the tools and techniques of IT Service Management (ITSM).
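To make the reference-data idea concrete, here is an added Python example (not code from the original post or from any product it names) that does what the file-integrity and whitelist paragraph describes: record a “known good” baseline of file hashes, compare a later snapshot against it to surface added, removed and modified files, and sort the current files into recognized and unrecognized sets against an allowlist of known-good hashes. The directory tree, file contents and the drift that `demo()` introduces are all constructed inside a temporary directory for illustration; the function and variable names are the example’s own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its content hash.

    Run once on a trusted system to capture the 'known good' state; run again
    later to capture the current state for comparison.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[str(path.relative_to(root))] = hash_file(path)
    return baseline


def compare_to_baseline(baseline, current):
    """Report deviations from the baseline as sorted lists of relative paths."""
    baseline_paths = set(baseline)
    current_paths = set(current)
    return {
        "added": sorted(current_paths - baseline_paths),
        "removed": sorted(baseline_paths - current_paths),
        "modified": sorted(
            p for p in baseline_paths & current_paths if baseline[p] != current[p]
        ),
    }


def classify_against_allowlist(current, allowlist):
    """Split current files into those whose hash is in the allowlist and those that are not.

    `allowlist` is a set of hex digests of recognized software (the whitelist
    inventory); anything outside it is a triage candidate, not automatically malware.
    """
    recognized = sorted(p for p, h in current.items() if h in allowlist)
    unrecognized = sorted(p for p, h in current.items() if h not in allowlist)
    return recognized, unrecognized


def demo():
    """Constructed scenario: capture a baseline, introduce drift, report the deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original app")   # constructed sample content
        (root / "etc.conf").write_bytes(b"setting=1\n")        # constructed sample content

        baseline = build_baseline(root)

        # Simulated drift: one file changed, one added, one removed.
        (root / "bin" / "app").write_bytes(b"tampered app")
        (root / "new.sh").write_bytes(b"#!/bin/sh\n")
        (root / "etc.conf").unlink()

        current = build_baseline(root)
        return compare_to_baseline(baseline, current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline would be stored outside the monitored host (or signed) so that whoever tampers with the files cannot also rewrite the record of the known-good state; the comparison step is the same either way.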
Beyond these examples are a number of data resources in areas outside the traditional realms of IT security. Geolocation, for example, provides physical correlation to threat sources, while search offers a virtually limitless wealth of information (as practitioners of tactics such as Google hacking are well aware).
Less well known may be the wealth of information to be found in structured data sources from other fields entirely. These sources may nonetheless provide as yet unsuspected benefits in security management, once their value is realized by the security community.
This is why I’m very interested in the emergence of data markets such as Microsoft’s Windows Azure Marketplace DataMarket (perhaps better known as the former Codename Dallas project). Other examples of services that blend data insight with multiple data sources include the Entrez cross-database search engine for life sciences and healthcare data.
Data markets could inspire security professionals to probe the ways in which previously unsuspected resources could be called upon to enrich data-driven security management. These markets could also become outlets for a range of security-relevant data sources, enabling “one stop shopping” for a variety of sources, perhaps coupled with tools for their integration in data management and analysis architectures. The Windows Azure Marketplace DataMarket, for example, offers an Excel add-in to make its services more directly actionable for desktop analysis. Already, organizations such as Team Cymru consolidate a number of security-relevant data sources in their offerings – but the rise of data markets could significantly expand their availability.
Here again, hosted services and service providers may have an advantage in their ability to offer data sources as well as data-driven security tactics – but, as data markets suggest, so too may outlets beyond traditional realms of IT security, where a much wider range of data sources may be found.
Of course, to be useful, these data sources must be consumable. Data-driven tactics suggest how they may be put to work directly in defense – but when it comes to the management of risk and the guidance of strategy, organizations need ways to wring meaning from the wealth of data available today. Not only do these sources offer large amounts of data that must be handled effectively, they also represent a wide variety of data types that must somehow be rationalized in order to be useful.
These factors will be the topic of the next post in this series. Stay tuned!