Outpace Threats with Data-Driven Cybersecurity

Perspectives

Outpace Threats with Data-Driven Cybersecurity

Automate and accelerate insights and operations

Every day, new innovative cyber threats stealthily target federal networks and critical infrastructure. At great cost, defenders have deployed scores of complex cybersecurity tools that emit and absorb data on a mind-boggling scale. Now, untamed terabytes of disparate data fatigue security analysts with false alarms鈥攁nd multimillion-dollar annual data storage costs make it hard for agencies to retain data for the long term. To get ahead of the threats, organizations must stop drowning in their own data and start collecting, managing, and using all this information to full advantage.听

Federal Civilian Executive Branch (FCEB) agencies have millions of endpoints鈥攁nd since tooling for detecting and responding to threats often exceeds minimum requirements, the total data volume could top 125 terabytes per day. Dealing with such vast and varied data demands a new approach鈥攄ata-driven cybersecurity. This goes well beyond deploying controls, dealing with indicators of compromise, and heeding recent聽聽on advanced data-logging requirements. Organizations must also link datasets of many kinds to detect patterns of malicious behavior. In this way, they can better anticipate, prevent, detect, and respond to emerging threats.听

Today, many security teams can鈥檛 make the most of their data and hence can鈥檛 deliver value for the entire organization. Teams are forced to choose which data to collect when technology advancements and security budgets are out of sync. And that means agencies and critical infrastructure entities are losing ground to worsening digital threats鈥攂ecause they aren鈥檛 using data as an asset.听

Data can be a superweapon to achieve strategic priorities and safeguard critical missions with advanced cyber defenses. But that requires novel ways of sharing information鈥攁nd enabling collective thinking鈥攖o distill actionable insights. And that means focusing more on data analytics, artificial intelligence (AI), and machine learning (ML). In a recent 蘑菇视频 Allen-commissioned survey of 175 individuals involved in the development, analysis, and review of U.S. cybersecurity practices and policies, more than half of respondents rated cyber data analytics (63%) and cyber-focused AI/ML (58%) among the most important aspects of cybersecurity.

What is Data-Driven Cybersecurity?

Here鈥檚 the good news: Organizations can overcome information overload.听Adopting data-driven cybersecurity is about figuring out how to extract, normalize, and apply data to accelerate security operations鈥攊deally faster than adversaries. Analytics and AI technology can help the government obtain a holistic view of the federal cybersecurity聽ecosystem.听

Along the way, agencies may need to leverage outside technical expertise. In the survey, most respondents (60%) said they had limited knowledge of cyber data analytics. And respondents were roughly split on whether they had limited or substantial knowledge of cyber-focused AI and ML. Respondents included mostly federal and military personnel, as well as stakeholders in think tanks, non-governmental organizations, lobbying roles, and the legislative branch.听

Data-driven cybersecurity, bounded by strategic business objectives, leverages talent and technology to deliver value across entire organizations鈥攆or instance, by equipping various internal teams with shared awareness of vital data. This requires a culture change, which is enabled, in part, by an integrated approach that lets security functions jointly overcome challenges with the right capabilities, management, and architecture tailored to fit the organization.

This approach integrates high volumes of disparate data from formerly siloed groups鈥攆or instance, teams focused on cyber operations, incident response, cyber intelligence, information protection services, security and investigations, legal, communications, and compliance issues. With use cases and data governance guided from the top, these teams are more empowered to make the real-time decisions needed to carry out critical missions and counter emerging threats. Operating with a clear vision also reduces the alert churn for security teams.

In addition, this approach makes it more cost-effective to store massive quantities of cybersecurity data for longer periods, which lets organizations gain the benefits of security analytics at scale in real time. And this, in turn, can enable advanced cybersecurity that uses predictive analytics and turns threat intelligence into actionable insights.听

What Are the Next Steps?

The Cybersecurity and Infrastructure Security Agency (CISA) should take the lead in operationalizing data from agencies and federal sensors to supply intelligence for proactive cyber defense operations. Fortunately,听聽on conducting persistent hunts for threat activity, ingesting and analyzing security data at all levels of the network, and conducting rapid analysis to spot and counter threats.

In addition, all FCEB agencies and critical infrastructure entities should embrace data-driven cybersecurity. Here are five recommendations for putting this approach into action:

Commit to being vendor neutral:聽Every vendor is trying to lock you into their system. The best way to break out of that is to make all data go through an open architecture. To that end, CISA should look to develop and implement a common data model鈥攆or instance, for all endpoint detection and response (EDR) data.听

Assess internal needs:聽Organizations should conduct an analysis and make the data available to whoever needs to consume it. Data access should be controlled centrally. Along the way, agencies lacking knowledge in cyber data analytics and cyber-focused AI and ML should leverage expertise from elsewhere in government or in the private sector.听

Plan phased improvements:聽Organizations can begin with basic capabilities and then upgrade to advanced and leading capabilities over time. Leading organizations can work toward implementing the architecture for a cloud-native, cyber-focused data pipeline for streaming analytics (threat hunt, detection, and compliance).听

Act locally, think strategically:聽The more headway organizations make in overcoming their own silos, the better they will be able to contribute to the cybersecurity of the broader ecosystem. As National Cybersecurity Director Chris Inglis聽, the collaborative development of insights across silos and stovepipes is increasingly important for the benefit of all.

Prepare now for the next threat:聽Organizations need to start moving ahead of threats鈥攁nd the best way to do that is to proactively ready data to be analyzed and queried. Data must be normalized and made accessible. With each new threat, different datasets have become more valuable. In the case of Log4J vulnerabilities, for example, organizations could have been querying their application and firewall logs for potential attacks while they waited for vendors to self-identify and issue patches, or for vulnerability scanners to update their definitions. Being proactive is even more important when organizations must protect cloud-based systems and federated networks.

In short, data-driven cybersecurity is a national imperative. Data is the linchpin for full-spectrum U.S. cyber capabilities designed to defend the nation and counter threats. Embracing a data-driven approach can drive advancements in聽cyber threat hunting,听cyber threat information sharing,听supply chain security,听zero trust,听and beyond. It鈥檚 never been more important for government agencies and critical infrastructure entities to embark on this path.