What’s time worth to a security pro? We often ask ourselves this question when wrestling with taking on new projects, overhauling our calendars or making hard prioritization decisions. Time becomes an especially precious currency in security, across two dimensions: speed and history. We have spent a great deal of effort on speed over the past few years by accelerating response through automation against known or common threats so we can free up our analyst time to focus on higher severity threats and more advanced attackers. While those efforts are never truly finished, we have certainly reaped rewards.
Increasingly, we see organizations focusing on the other dimension of time: history. As attackers have evaded defenses and flown under the radar of detection technologies, defenders turn to threat hunting and in-house analytics initiatives (or worse, external notification of a successful attack) to find adversaries. Regardless of how we find them, we are faced with the same question: What happened then? Of course, “then” could have been weeks, months, or economic quarters ago. How do we know? Where else did it happen? Do we have data for that slice of time? Do we have the right data? In many cases today, we unfortunately answer: “I don’t know” because the alerts and other event logs we keep cannot help us look back in time to what we didn’t know then. This drive to answer “what happened then” leads organizations to a focus on data centric security, which requires changes at both the executive and operational levels.
At the executive level, many CISOs track “coverage” as an important operating metric. They do this because coverage exists as a risk assessment against the remainder of their metrics (such as block rates, detection rates, and response times). For example, if we have 60% coverage, then we shouldn’t expect to find 90% of attacks! That coverage metric normally breaks down by domain (endpoint, network, authentication) and/or line of business, but in the end many organizations are actually only measuring environment coverage, which leaves us unintentionally blind to time coverage. Changing our view on that metric helps us ask the right questions at the executive level, not only about how much visibility we need over time, but how to balance the cost of that coverage with the efficacy and impact it delivers.
We measure time not only so analysts have the data to look back in time for their analysis, but so we can increase our ability to prove our conclusions. Are we sure we understand the path the attack took through the environment? Have we fully contained the attack? Most important, can we demonstrate the extent/limit of damage for appropriate disclosure at the board and customer level? How do we know? The difference between “I think” and “I am confident,” after reviews with legal teams and executive staff, can change the breach disclosure dialogue from “minor event” to “mission impacting” or “stock price impacting.”
At the operational level, answering “what happened then” means treating data as a first-class citizen within the SOC. The data needed for investigating advanced attacks that might have begun months ago need to have a few key characteristics:
- Compact: Companies can’t keep quarters (or years) of data if they need petabytes of storage.
- Richly detailed: The depth and insight that analysts need to drive effective investigations.
- Judgment free: We need ground truth, not just a historical stockpile of alerts, as we will be looking for what we didn’t know about at the time.
Fortunately, this operational focus on high quality data as a first class citizen also benefits speed. The right data accelerates incident response, regardless of whether done manually, with playbooks or through full automation. For this reason, organizations that adopt a data-centric approach to security start collecting that data now, get both these short term benefits as well as readiness for advanced adversaries.
We value our time professionally, and even more so in security. Let’s give time the focus it deserves, by elevating it in our executive tracking and improving the data our teams need to get visibility through time. Adopting this data-centric security stance will pay benefits both today and tomorrow – or should we say yesterday?
Brian Dye, chief executive officer, Corelight