Build your security defense on data, not guesswork

Stop obsessing about the latest overhyped security threats. Delve into your own data about successful attacks on your organization first—and defend accordingly

One of the biggest problems with security defenses is the lack of concrete data to measure the effectiveness of mitigations against threats. In almost any other industry, the dearth of data would be embarrassing.

As I’ve noted before, every organization needs to develop a data-driven security defense. Such a defense uses a company’s own threat intelligence to align mitigations with the most relevant threats a company faces. The idea is to prioritize your own local threat experiences over outside data sets, focusing on root-cause analysis and using that data to drive all deployed mitigations.

Unfortunately, most security mitigations turn out to be responses to a single crisis event or derive from the “gut feelings” of someone in charge. By averting our eyes from the relevant data, we often implement mitigations that are not only useless, but hurtful.

Microsoft security researcher Cormac Herley has made a big impact on the computer security world by using data to challenge the status quo. He has proven that the world’s traditional password advice—to use long and complex passwords that frequently change—is probably counterproductive. But my favorite Herley title is “Why You’re Right to Suspect Most Security Advice Is a Waste of Time.”

I can relate. I’m constantly asked to do things based on zero data—not an unusual circumstance. This is starting to change, however, thanks to security data analytics. More and more companies and products are built around the concept of collecting a company’s own data to deliver threat intelligence and protection.

I predict that within 10 years, nearly every computer security mitigation decision will have to be backed by data. We “early pioneers” will whine to the security youngsters about how “in our day we had only our guts to rely on.” The youngsters will laugh at our naivete.

How to get there from here

Most companies have very little relevant computer security data about their own organizations. Or rather they have it—but they don’t collect it (or they collect it and fail to use it intelligently). How does the average company go from very little data intelligence to a data-driven defense?

First, you need to determine what your current state is today. Map out your computer security teams, what they do, and who is on them. Then define their data collection sources, outputs, databases, and reports. For the data itself, you want to get down to field-level detail. Let this define the big picture of your current security data state.

Figure out what questions need to be answered

Next, ask your different computer security teams to define the challenges they face and to define what questions, if answered, would help them execute a better defense. This is a brainstorming time, during which no ideas should be shut down. Get the discussion going by giving some examples. Here are some of the conversation starters I commonly use:

  • What’s the most common method used by malware to exploit a device in our company?
  • Are certain OS or software configurations and versions more susceptible to exploitation than other ones?
  • What is the most exploited software in our company?
  • What group policy settings would be the most helpful if we enforced them?
  • What software bug causes the most vulnerability exploitations?
  • How long is the average malware program running on our computers before antimalware software detects it?
  • How many admins do we have in our environment?
  • What are your firewall policies and how are they enforced?
  • Are certain departments or people successfully exploited the most?
  • What percentage of our people can be tricked by phishing emails?
  • What percentage of our applications would work with two-factor authentication?

Based on your discussion, determine the main security goals for your company. Put all the questions up for review and ask the group to rank them in order, placing those you anticipate would deliver the biggest bang for the buck at the top.
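As an added example (not from the column), here is how several of those questions can be answered from an organization's own incident records once they are collected: most common root cause, most-hit department, median time from infection to detection, and a ranked list of root causes to fund mitigations against. The records, their field names, and their values are constructed sample data, not real incidents.

```python
"""Rank mitigations from an organization's own incident data (root-cause analysis)."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample incident records (not real data), in the shape an IR team
# might export from its ticketing system: one record per confirmed compromise.
INCIDENTS = [
    {"root_cause": "phishing", "software": "Outlook", "dept": "Finance",
     "infected": "2017-03-01T09:00", "detected": "2017-03-03T15:00"},
    {"root_cause": "unpatched software", "software": "Java", "dept": "Engineering",
     "infected": "2017-03-02T10:00", "detected": "2017-03-02T16:00"},
    {"root_cause": "phishing", "software": "Outlook", "dept": "Sales",
     "infected": "2017-03-05T08:00", "detected": "2017-03-09T08:00"},
    {"root_cause": "weak password", "software": "RDP", "dept": "Finance",
     "infected": "2017-03-06T22:00", "detected": "2017-03-07T10:00"},
    {"root_cause": "phishing", "software": "Adobe Reader", "dept": "Finance",
     "infected": "2017-03-10T11:00", "detected": "2017-03-10T13:00"},
    {"root_cause": "unpatched software", "software": "Java", "dept": "Sales",
     "infected": "2017-03-12T09:00", "detected": "2017-03-14T09:00"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def top(field, incidents=INCIDENTS):
    """Most common value of a field and its share of all incidents
    (answers 'most common method', 'most exploited software', 'most hit department')."""
    counts = Counter(i[field] for i in incidents)
    value, n = counts.most_common(1)[0]
    return value, round(n / len(incidents), 2)

def median_dwell_hours(incidents=INCIDENTS):
    """Median hours from infection to detection: the 'how long does malware run
    before antimalware notices' question from the list."""
    hours = [(_ts(i["detected"]) - _ts(i["infected"])).total_seconds() / 3600
             for i in incidents]
    return median(hours)

def mitigation_priorities(incidents=INCIDENTS):
    """Root causes ranked by share of successful compromises: the order in which
    mitigations should be funded, per the data-driven defense argument."""
    counts = Counter(i["root_cause"] for i in incidents)
    return [(cause, round(n / len(incidents), 2)) for cause, n in counts.most_common()]

if __name__ == "__main__":
    print("Most common root cause:", top("root_cause"))
    print("Most hit department:", top("dept"))
    print("Median dwell (hours):", median_dwell_hours())
    print("Mitigation priority:", mitigation_priorities())
```

Run over a real export, the same three functions turn "gut feeling" into a ranked list of where the next mitigation dollar goes.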

Gap analysis

After you’ve developed that hierarchy, determine how far your current state is from your ideal state. Figure out what data you already have, what you have that needs to be moved or improved, and what type of data the company would be highly unlikely to ever have.

On the latter point: Too many longtime security professionals are ready to declare nearly every question unanswerable. Be understanding with us old folks—our gut experience is a tough habit to break. As the saying goes: “When a young person says something can be done, it can surely be done. When an old person says the same thing can’t be done, usually he is mistaken.”

Close the gaps

Finally, using the lessons you’ve learned, close the critical gaps. Focus on your top three questions, which, if answered, would provide the most value. Sometimes getting the data means changing processes, and sometimes it means creating or buying new tools and services.

Whether you know it or not, we’re at the dawn of a new era in security data analytics. Solutions abound that can deliver the most relevant data possible. Take advantage of them. Do research. Call companies. Get demos. Test them out. The only thing you shouldn’t do is keep doing the same things that keep not working.

Copyright © 2017 IDG Communications, Inc.