Raffael Marty
How To Drive Value with Security Data
June 2021
ThinkIn 2021

Security Data – The Past
Timeline years: 1980, 1999, 2004, 2006, 2009, 2012, 2015, 2017, 2021
Timeline items:
  • Log Collection (syslog)
  • Sharing “searches”
  • Forensics
  • Reporting
  • Log Management
  • Security Data Lake
  • Apache Metron
  • ELK
  • Open Source
  • Incident Management
  • SIEM
  • Compliance Use-Cases
  • Real-time Correlation
  • Artificial Intelligence
  • Attempt in Visual Analytics
  • Anomaly Detection
  • Heavy filtering
  • Data on demand
  • Threat Hunting
  • Risk centricity
  • Federated Analytics?
  • Analytics
  • Asset Mgmt
  • Cloud Analytics
  • Big Data (Hadoop, Spark)
  • Logging as a Service (Loggly)
  • CEF
  • SOAR
  • UEBA
  • The Logging Wild West
  • XDR
  • Metrics
  • Correlation
  • DevSecOps
  • Use-Cases
©2021 Raffael Marty

Security Data Lakehouse?
Data:
  • Network (FW, flows)
  • Vulnerability
  • Endpoint
  • Threat Intel
  • IaaS logs
  • System Event Logs
  • IAM
  • PCAP
  • SaaS logs
  • Metrics
  • API
  • “Data” Activity

Logging and Security Analytics Today
Challenges:
  • False Positives
  • Use-Cases
  • Data Inputs
  • Scalability
Trends:
  • Data Centricity
  • Risk Centric
  • I/SaaS Visibility
  • Distributed Analytics
  • Beyond Events/Alerts
  • Shared Frameworks
  • Move to the Cloud
  • Entity Focus

Tomorrow - How To Drive Value From Your Security Data
Become Risk Centric
  • Risk Service
  • Resource
  • Access
  • User
  • Device
  • App
  • Data
  • Anomaly
  • Belief Net
  • Security “Knowledge”
  • Entity Engines
  • Expert

SIEM – Future Aspects
  • AI / ML
  • Visibility
  • Automation
  • Cloud
  • Privacy

Takeaways
  • Analytics (Logic)
  • Unified Platform: SIEM | UEBA | SOAR | XDR | TIP | CCM
  • Visibility
  • Zero Trust / Risk
  • Outsource
  • Inventory
  • Activity
  • Use-Case Driven
  • Open Standards

Thank You
http://raffy.ch/blog
@raffaelmarty


Editor's Notes

  • #4 Challenges – these are things you want to be aware of when you invest in any data capability, or assess your own.
    Use-Cases
    - Focus on the wrong use-cases: email is still the prevalent vector for attacks, not vulnerabilities.
    - Not having a use-case driven approach at all.
    - Sharing use-cases is still non-existent (Sigma).
    - SOCs are building use-cases for the data they have instead of for the things they want to detect.
    Scalability
    - Running many rules.
    - Collecting all data (expensive).
    - Correct data architecture.
    - Trying to do it ourselves, rather than outsourcing: can you get the right people? Why does everyone re-invent their processes?
    - Cloud helps, but it is still expensive.
    - SOCs are running an average of 30 tools!
    Data
    - Visibility gaps (email and humans): how is it that we buy phishing solutions and do not understand our email communication patterns better?
    - Understanding data and knowing what to do with it (remediation): alerts are not indicative of whether a system / user is under duress.
    - Application visibility and understanding: SaaS applications, anyone?
    - Beyond alerts: inventory as well (CSPM, …) AND metrics collection as well.
    False Positives
    - A threat / exploit / vulnerability centric view makes event prioritization challenging.
    - We are still operating on an event level instead of an entity (user, device) level.
    - We are prioritizing all events / alerts that our data sources send us …
    Beyond events/alerts
    - CSPM / configuration / asset information.
    Shared Frameworks
    - ATT&CK -> I think that’s a bad trend: it’s not really covering the right set of detections and is not prescriptive enough for your use-cases!
    - Sigma -> is an okay start, but very, very limited still to date and hasn’t been shown to really produce good, thorough detections.
    Move to the Cloud
    - Not solving all our problems; in fact, introducing new problems (governance, …).
    - Let’s be clear, your SIEM will run in the cloud.
    Insider Focus
    - Monitoring the users and understanding them, away from the latest vulnerability / …, because even an external attack will show a change in the user’s behavior.
  • #5 Rethink what we really want from SIEM / security data analytics -> some call that XDR now.
    - Data: inventory, classification, movement.
    - App: posture, activity, SaaS, cloud posture.
    - Device: asset info, posture (vuln, patch, config).
    - User: HR, identity, access, privileges, activity / behavior, personality.
    - Anomaly: to self and to peers; interaction with critical data.
    This gets you out of the cat-and-mouse game of yet another attack type (ransomware today, phishing tomorrow, etc.).
  • #6 AI and ML to the rescue – or not
    - We will get better at anomaly detection from a behavioral standpoint, but not through supervised ML! Expert systems.
    - We will keep using ML (supervised) for malware detection, document classification, and basically all kinds of pattern matching.
    - Let AI help automate machine-enabling tasks, and visualize more.
    - Verifiability and explainability of approaches. That’s IT, folks!
    Cloud
    - We are moving to the cloud. Period. Your SIEM too. How do you monitor on-prem in that case?
    Visibility
    - Challenges to see and understand it all? What are all the assets in your environment right now? How do you track them? What are they? What are their risks?
    - What about all your users?
    - Across on-prem and cloud / SaaS / …
    Automation
    - Built into products and not separate as SOAR.
    - Beyond the simple ‘augmentation’ use-cases (phishing playbook): remediate across your risk engine …
    - We need to push toward remediation. Why do we still need security analysts making decisions? Why can’t we learn from past activity?
    Privacy
    - Needs to be designed with ‘privacy first’ (only collect what you need, in a secure manner).
    - Securing collected data. Anonymization?
    - Nuances of regional regulations (GDPR, CCPA, etc.). Where are the socio-ethical boundaries?
  • #7 SIEM visibility has been focused on the network; it’s time to get endpoint and cloud visibility, AND DATA, including SaaS. The risk-based approach will help you not just defend from external attacks, but also monitor your insiders. They are becoming more of a problem! Sharing: from TI to TTPs / analytics sharing.
  • #8 http://slideshare.net/zrlram @raffaelmarty
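The False Positives point in note #4 (we prioritize on an event level instead of an entity level) and the entity model in note #5 (anomaly to self and to peers, interaction with critical data, identity and asset context) can be made concrete with a small scoring routine. The Python below is an added example written for this page, not code from the deck or from any product it names. The users, peer groups, baseline counts, alerts and weights are constructed, and the scoring formula is one illustrative choice, not a standard. It ranks the same day's activity two ways: by the severity the detection source attached to each alert, and by a per-entity risk that combines context, self-baseline deviation, peer deviation and alert load.

```python
"""Entity-centric risk scoring over constructed sample data (added example, not from the deck)."""
from statistics import mean, pstdev

# Constructed data: daily counts of critical-data reads per user over ten baseline
# days, today's count, peer group, and identity context. All values are invented.
BASELINE = {
    "alice":       [5, 6, 5, 4, 6, 5, 5, 6, 4, 5],
    "bob":         [4, 5, 5, 6, 5, 4, 5, 5, 6, 5],
    "carol":       [6, 6, 5, 7, 6, 6, 5, 7, 6, 6],
    "svc-backup":  [500, 510, 490, 505, 495, 500, 510, 490, 505, 495],
    "svc-monitor": [480, 490, 485, 495, 480, 490, 485, 495, 480, 490],
    "svc-etl":     [510, 500, 520, 505, 515, 500, 520, 505, 515, 510],
}
TODAY = {"alice": 40, "bob": 5, "carol": 7,
         "svc-backup": 500, "svc-monitor": 490, "svc-etl": 505}
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance",
              "svc-backup": "service", "svc-monitor": "service", "svc-etl": "service"}
# Identity / asset inventory per user: (privileged account?, touches critical data?)
CONTEXT = {
    "alice": (False, True), "bob": (False, True), "carol": (False, True),
    "svc-backup": (True, True), "svc-monitor": (False, False), "svc-etl": (False, True),
}
# Constructed alerts as a detection source would emit them, with its own severity.
ALERTS = [
    {"user": "svc-backup", "name": "bulk file read", "severity": 9},
    {"user": "alice", "name": "new device login", "severity": 4},
    {"user": "alice", "name": "large download", "severity": 5},
    {"user": "carol", "name": "failed login", "severity": 3},
]

SATURATE_AT = 3.0  # a z-score at or above this counts as a full anomaly (illustrative choice)
SD_FLOOR = 1.0     # floor on the standard deviation so a flat baseline cannot divide by zero


def self_zscore(history, today):
    """Deviation of today's count from this entity's own baseline."""
    return (today - mean(history)) / max(pstdev(history), SD_FLOOR)


def peer_zscore(today_by_user, peer_group, user, min_peers=2):
    """Deviation of today's count from the same-group peers' counts today.
    With fewer than min_peers peers the comparison is meaningless, so it is skipped."""
    peers = [today_by_user[u] for u, g in peer_group.items()
             if g == peer_group[user] and u != user and u in today_by_user]
    if len(peers) < min_peers:
        return 0.0
    return (today_by_user[user] - mean(peers)) / max(pstdev(peers), SD_FLOOR)


def _unit(z):
    """Map a z-score onto 0..1; drops below baseline are not treated as anomalies here."""
    return min(1.0, max(z, 0.0) / SATURATE_AT)


def entity_risk(user):
    """Risk for one entity: context weight * (self anomaly + peer anomaly + alert load)."""
    privileged, critical_data = CONTEXT[user]
    weight = 1.0 + 0.5 * privileged + 0.5 * critical_data          # 1.0 .. 2.0
    anomaly = (_unit(self_zscore(BASELINE[user], TODAY[user]))
               + _unit(peer_zscore(TODAY, PEER_GROUP, user)))     # 0 .. 2
    alert_load = min(1.0, sum(a["severity"] for a in ALERTS if a["user"] == user) / 10)
    return round(weight * (anomaly + alert_load), 2)


def rank_alerts():
    """Event-level view: whatever the data source called most severe comes first."""
    return sorted(ALERTS, key=lambda a: a["severity"], reverse=True)


def rank_entities():
    """Entity-level view: users ordered by combined risk."""
    return sorted(((u, entity_risk(u)) for u in BASELINE), key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print("alert queue :", [(a["user"], a["severity"]) for a in rank_alerts()])
    print("entity queue:", rank_entities())
```

On this data the alert queue puts the severity-9 "bulk file read" on svc-backup first, although that account reads roughly the same volume every day and matches its peers; the entity queue puts alice first, whose individual alerts are low severity but whose volume is far outside both her own baseline and her peer group's. The peer comparison is only meaningful with a reasonably sized, well-chosen peer group; the two-peer groups here are a constructed minimum, and the min_peers guard shows where a real deployment would refuse to compare.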
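The Privacy point in note #6 (collect only what you need, in a secure manner; anonymization) is a pipeline design decision, and the following Python is an added example of one way to apply it at ingestion time; it is not code from the deck or from any product. The audit events, field names and key are constructed. Each event is reduced to the allow-listed fields a data-movement use-case needs, and the identifying fields are replaced by a keyed HMAC pseudonym so entity analytics can still link activity to the same user while the data store never holds the raw identity.

```python
"""Privacy-first ingestion: field minimization plus keyed pseudonymization (added example)."""
import hashlib
import hmac

# Constructed raw events, shaped like a SaaS audit log export. All values are invented.
RAW_EVENTS = [
    {"ts": "2021-06-01T08:01:00Z", "user": "alice@example.com", "src_ip": "203.0.113.7",
     "action": "file.download", "file": "q2-forecast.xlsx", "bytes": 18230,
     "user_agent": "Mozilla/5.0 (constructed)", "home_address": "1 Main St"},
    {"ts": "2021-06-01T08:04:30Z", "user": "alice@example.com", "src_ip": "203.0.113.7",
     "action": "file.share", "file": "q2-forecast.xlsx", "bytes": 0,
     "user_agent": "Mozilla/5.0 (constructed)", "home_address": "1 Main St"},
    {"ts": "2021-06-01T09:12:00Z", "user": "bob@example.com", "src_ip": "198.51.100.20",
     "action": "login", "file": None, "bytes": 0,
     "user_agent": "Mozilla/5.0 (constructed)", "home_address": "2 Side St"},
]

# Allow-list for the data-movement use-case: anything not listed is never stored.
FIELDS_FOR_DATA_MOVEMENT = ("ts", "user", "src_ip", "action", "file", "bytes")
# Fields that identify a person or device and are stored only as pseudonyms.
PSEUDONYMIZE = ("user", "src_ip")


def pseudonym(value, key):
    """Keyed pseudonym: stable for the same value under the same key, unlinkable without it.
    The 16-hex-character truncation is an illustrative choice."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def minimize(event, key, keep=FIELDS_FOR_DATA_MOVEMENT, pseudo=PSEUDONYMIZE):
    """Keep only allow-listed fields; replace identifying ones with pseudonyms."""
    out = {}
    for field in keep:
        if field not in event:
            continue
        value = event[field]
        out[field] = pseudonym(value, key) if field in pseudo and value is not None else value
    return out


def ingest(events, key):
    """Apply minimization to a batch before it is written to the security data store."""
    return [minimize(e, key) for e in events]


if __name__ == "__main__":
    for stored in ingest(RAW_EVENTS, b"constructed-demo-key"):
        print(stored)
```

The key is what separates a pseudonym from a plain hash: without it, identifiers such as e-mail addresses could be recovered by hashing a directory of known values, so it belongs in a secrets store with a narrow, audited re-identification path, not in the analytics platform's configuration. Pseudonymized records are still personal data under GDPR, so this minimization reduces exposure rather than removing regulatory scope.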