How many of the threats flagged by security vendors are actually false positives? Which software teams introduce the most vulnerabilities into the company’s production environment? How quickly does the remediation team roll out critical patches — and how does that vary across different clouds?
Insights like these help security leaders drive accountability — something that’s been in short supply in the security industry. However, most CISOs lack the information to hold vendors, teams, and processes accountable because that information gets spread across different systems and tools that fail to deliver a unified view of what’s happening. In addition, these tools don’t retain data long enough to reveal meaningful patterns and insights.
In response to these and other challenges, security data lakes have emerged as an architecture that lets security leaders, for the first time, consolidate security data regardless of quantity and variety, making it possible to drive real accountability across their organization. Security data lakes achieve this in two ways:
- Separate storage from compute, which makes it cost-effective to store security data at scale and for longer periods.
- Make security data part of a company’s general-purpose analytics platform, which lets teams add context from other business data and deliver insights through standard reporting tools.
CISOs employing security data lakes should treat accountability as a powerful way to improve their overall security posture. Here are three examples of how security data lakes help CISOs and other security leaders drive accountability:
Evaluate vendors with cold, hard data
Most companies select and evaluate security vendors based on simple criteria, like whether they support certain data sources and applications. A lack of information keeps decision makers from evaluating vendors on more meaningful factors like threat detection performance or vulnerability prioritization accuracy.
Security data lakes let teams identify gaps between the insights vendors provide and what an organization actually experiences. Analyzing data from a ticketing system, for instance, lets the team see how many threats detected by a vendor were false positives, or how many vulnerability findings are irrelevant.
A security product may work great in one company’s environment, but less well at another firm. If the team can measure performance across the metrics that matter to the company, it can work with the vendor to help them improve — or determine that the company needs a better tool.
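One way to compute the vendor false-positive rate described above, as an added example that is not part of the original article: the alert table and the ticketing table are constructed here and loaded into an in-memory SQLite database so the query runs offline, but the same LEFT JOIN and GROUP BY work unchanged in any SQL-based data lake. Table and column names are assumptions. The rate is only as good as the disposition analysts actually record when they close a ticket, so alerts that never received a ticket are reported separately rather than folded into either outcome.

```python
import sqlite3

# Constructed sample data (not from the article): alerts raised by two hypothetical
# vendor products and the analyst disposition later recorded in the ticketing system.
ALERTS = [
    # alert_id, vendor, detected_on
    ("a1", "VendorA", "2024-01-03"),
    ("a2", "VendorA", "2024-01-04"),
    ("a3", "VendorA", "2024-01-09"),
    ("a4", "VendorA", "2024-01-11"),
    ("a5", "VendorB", "2024-01-03"),
    ("a6", "VendorB", "2024-01-07"),
    ("a7", "VendorB", "2024-01-12"),
]
TICKETS = [
    # ticket_id, alert_id, disposition set by the analyst who closed the ticket
    ("t1", "a1", "false_positive"),
    ("t2", "a2", "true_positive"),
    ("t3", "a3", "false_positive"),
    ("t4", "a4", "false_positive"),
    ("t5", "a5", "true_positive"),
    ("t6", "a6", "true_positive"),
    # a7 has no ticket yet; it must count as untriaged, not as either outcome.
]


def build_connection() -> sqlite3.Connection:
    """Load the constructed alert and ticket tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE alerts (alert_id TEXT PRIMARY KEY, vendor TEXT NOT NULL, detected_on TEXT NOT NULL);
        CREATE TABLE tickets (ticket_id TEXT PRIMARY KEY, alert_id TEXT NOT NULL, disposition TEXT NOT NULL);
        """
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", TICKETS)
    return conn


def vendor_false_positive_rates(conn: sqlite3.Connection) -> dict:
    """Per vendor: alert volume, analyst outcomes, and the false-positive rate over triaged alerts.

    The LEFT JOIN keeps alerts that never got a ticket so they show up as 'untriaged'
    instead of silently dropping out of the denominator.
    """
    sql = """
        SELECT a.vendor,
               COUNT(*)                                                            AS alerts,
               SUM(CASE WHEN t.disposition = 'false_positive' THEN 1 ELSE 0 END)  AS false_positives,
               SUM(CASE WHEN t.disposition = 'true_positive'  THEN 1 ELSE 0 END)  AS true_positives,
               SUM(CASE WHEN t.ticket_id IS NULL THEN 1 ELSE 0 END)               AS untriaged
        FROM alerts a
        LEFT JOIN tickets t ON t.alert_id = a.alert_id
        GROUP BY a.vendor
        ORDER BY a.vendor
    """
    report = {}
    for vendor, alerts, fps, tps, untriaged in conn.execute(sql):
        triaged = fps + tps
        report[vendor] = {
            "alerts": alerts,
            "false_positives": fps,
            "true_positives": tps,
            "untriaged": untriaged,
            # None rather than a misleading 0.0 when nothing has been triaged yet.
            "fp_rate": fps / triaged if triaged else None,
        }
    return report


if __name__ == "__main__":
    for vendor, stats in vendor_false_positive_rates(build_connection()).items():
        print(vendor, stats)
```

On the constructed data VendorA has three false positives out of four triaged alerts (a 75% false-positive rate) while VendorB has none, with one alert still waiting for triage. Run over a year of retained alerts and tickets, the same query is the "cold, hard data" a team can bring to a vendor review.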
Illuminate flawed processes
If remediation teams consistently fail to address vulnerabilities quickly enough, historical data helps uncover those problems and identify processes that may need updating. Maybe the team needs to adjust its workflows, for example, or restructure so it can meet its SLAs.
A security data lake lets the organization apply context at query time from non-security sources. For example, the team can combine termination data provided by HR with security access policies to flag when an employee has an active user ID after they’ve left the company. It’s also possible to correlate data about awareness trainings, phishing exercises, and actual malware cases to show how departments that don’t complete trainings are at greater risk of compromise.
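The HR-to-identity correlation above, as an added example that is not part of the original article: the HR termination feed and the identity system's account list are constructed tables with assumed column names, loaded into in-memory SQLite so the join runs offline. The context is applied at query time, as the text describes, so the HR data never has to be copied into the identity system. The query also handles the cases a practitioner has to get right: a termination scheduled in the future must not fire early, a disabled account is not a finding, and a service account with no HR record needs a different ownership check rather than a silent pass, so it is deliberately left out of this query.

```python
import sqlite3

# Constructed sample data (not from the article). Dates are ISO strings so that
# plain string comparison and SQLite's julianday() both work on them.
HR_TERMINATIONS = [
    # employee_id, terminated_on
    ("e100", "2024-02-15"),
    ("e101", "2024-03-01"),
    ("e103", "2024-04-01"),   # scheduled future departure; must not flag before that date
]
ACCOUNTS = [
    # user_id, employee_id, status, last_login
    ("alice",      "e100", "active",   "2024-02-20"),  # still active and used after leaving
    ("bob",        "e101", "disabled", "2024-02-28"),  # offboarded correctly
    ("carol",      "e102", "active",   "2024-03-05"),  # current employee, no termination row
    ("dave",       "e103", "active",   "2024-03-08"),  # leaving in the future
    ("svc-backup", None,   "active",   "2024-03-05"),  # service account, no HR record at all
]


def build_connection() -> sqlite3.Connection:
    """Load the constructed HR and identity tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE hr_terminations (employee_id TEXT PRIMARY KEY, terminated_on TEXT NOT NULL);
        CREATE TABLE accounts (user_id TEXT PRIMARY KEY, employee_id TEXT,
                               status TEXT NOT NULL, last_login TEXT);
        """
    )
    conn.executemany("INSERT INTO hr_terminations VALUES (?, ?)", HR_TERMINATIONS)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    return conn


def orphaned_accounts(conn: sqlite3.Connection, as_of: str) -> list:
    """Active accounts whose owner HR says had already left on the ISO date `as_of`.

    An INNER JOIN is deliberate: accounts with no employee_id (service accounts)
    are out of scope here and need their own owner check.
    """
    sql = """
        SELECT a.user_id,
               h.terminated_on,
               a.last_login,
               CAST(julianday(:as_of) - julianday(h.terminated_on) AS INTEGER) AS days_open,
               (a.last_login IS NOT NULL AND a.last_login > h.terminated_on)   AS used_after_termination
        FROM accounts a
        JOIN hr_terminations h ON h.employee_id = a.employee_id
        WHERE a.status = 'active'
          AND h.terminated_on <= :as_of
        ORDER BY days_open DESC
    """
    rows = conn.execute(sql, {"as_of": as_of})
    return [
        {
            "user_id": user_id,
            "terminated_on": terminated_on,
            "last_login": last_login,
            "days_open": days_open,
            # Logins after the termination date are the cases to escalate first.
            "used_after_termination": bool(used_after),
        }
        for user_id, terminated_on, last_login, days_open, used_after in rows
    ]


if __name__ == "__main__":
    for row in orphaned_accounts(build_connection(), "2024-03-10"):
        print(row)
```

As of 2024-03-10 only alice is flagged: her account has been active for 24 days past her termination and was used after it. Run a day before her termination date, the same query returns nothing, which is the behaviour wanted for scheduled departures.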
Leave no team behind
When teams ship new components into the infrastructure, a security data lake can help track whether vulnerabilities consistently originate with the same groups, whether that’s developers, SREs, or some other team. This kind of insight is hard to achieve when data is spread across multiple tools and retained only briefly. With quantified metrics backed by data, security teams can fulfill their role in a shared responsibility model.
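A query that serves both the remediation-speed question under "Illuminate flawed processes" and the "where do vulnerabilities keep coming from" question above, as an added example that is not part of the original article: findings are attributed to the team that owns the affected component and carry open and close dates from the tracker. The table, the team names and the per-severity SLA are all assumptions. A still-open finding is only charged as an SLA miss once its deadline has actually passed on the reporting date, so a finding opened yesterday does not show up as a failure.

```python
import sqlite3

# Constructed sample data (not from the article): findings attributed to the
# owning team, with open/close dates. closed_on is None while a finding is open.
FINDINGS = [
    # finding_id, owning_team, severity, opened_on, closed_on
    ("f1", "payments-dev", "critical", "2024-01-02", "2024-01-05"),
    ("f2", "payments-dev", "critical", "2024-01-10", "2024-01-30"),
    ("f3", "payments-dev", "high",     "2024-01-12", None),
    ("f4", "platform-sre", "critical", "2024-01-03", "2024-01-04"),
    ("f5", "platform-sre", "high",     "2024-01-08", "2024-01-20"),
    ("f6", "data-eng",     "critical", "2024-01-05", "2024-01-25"),
]
# Hypothetical remediation SLA, in days, per severity.
SLA_DAYS = [("critical", 7), ("high", 30)]


def build_connection() -> sqlite3.Connection:
    """Load the constructed findings and SLA tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE findings (finding_id TEXT PRIMARY KEY, owning_team TEXT NOT NULL,
                               severity TEXT NOT NULL, opened_on TEXT NOT NULL, closed_on TEXT);
        CREATE TABLE sla (severity TEXT PRIMARY KEY, days INTEGER NOT NULL);
        """
    )
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?)", FINDINGS)
    conn.executemany("INSERT INTO sla VALUES (?, ?)", SLA_DAYS)
    return conn


def team_remediation_report(conn: sqlite3.Connection, as_of: str) -> dict:
    """Per owning team: finding volume, SLA misses, and mean days to close, as of an ISO date.

    Open findings use `as_of` as their provisional close date, so they count as a
    miss only after the deadline has passed. AVG() skips the NULL produced for open
    findings, so mean time to close covers closed findings only.
    """
    sql = """
        SELECT f.owning_team,
               COUNT(*) AS findings,
               SUM(CASE WHEN f.closed_on IS NOT NULL THEN 1 ELSE 0 END) AS closed,
               SUM(CASE WHEN julianday(COALESCE(f.closed_on, :as_of)) - julianday(f.opened_on) > s.days
                        THEN 1 ELSE 0 END) AS sla_missed,
               AVG(CASE WHEN f.closed_on IS NOT NULL
                        THEN julianday(f.closed_on) - julianday(f.opened_on) END) AS mean_days_to_close
        FROM findings f
        JOIN sla s ON s.severity = f.severity
        WHERE f.opened_on <= :as_of
        GROUP BY f.owning_team
        ORDER BY sla_missed DESC, findings DESC
    """
    report = {}
    for team, findings, closed, missed, mean_days in conn.execute(sql, {"as_of": as_of}):
        report[team] = {
            "findings": findings,
            "closed": closed,
            "sla_missed": missed,
            "mean_days_to_close": mean_days,
        }
    return report


if __name__ == "__main__":
    for team, stats in team_remediation_report(build_connection(), "2024-02-01").items():
        print(team, stats)
```

On the constructed data, as of 2024-02-01, payments-dev has one SLA miss (a critical finding that took 20 days against a 7-day SLA) and its open high-severity finding is not yet charged; run again on 2024-03-01 that open finding has passed its 30-day deadline and the team's miss count rises to two. That difference is exactly what long retention makes visible and short-lived tool data hides.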
Accountability does not mean managers have to name and shame individuals, which drives down morale. Rather, it should help teams do their jobs better and raise the overall security profile of the organization. CISOs are dealing with increasingly complex threats and being held to higher standards by boards, regulators, and customers. Driving accountability with data is a way to meet those standards as a team.
Omer Singer, head of cybersecurity strategy, Snowflake