
Security data lakes and the future of organizational security

  • Erin Hamm 

Technological advances have created a far more data-centric world. This has dramatically changed the enterprise landscape while also multiplying the number of data silos.

The explosion of cybersecurity tools, and the mounds of data they generate, has made it difficult to combine that data into a unified view. The result is siloed data that is costly to store, analyze, and present quickly. Worse, it creates a dangerous division of knowledge that can prevent security teams from spotting threats.

What’s needed is a better way to break down these silos of security data to gain greater visibility, which is the promise that security data lakes bring. But organizations must go a step further than establishing these data lakes; they also need a way to weave together all the data collected for optimal use and benefit.

A legacy of silos

Enterprise data and security data have generally been treated as two separate entities. Historically, it has been a “separation of church and state” kind of thing. One major reason is that the two categories of data are handled by different functions in different departments of the organization. This has contributed to a siloed structure that persists primarily because of inertia or status quo thinking; it was simply the way things were always done. Security was often treated as an afterthought, but the landscape of security and risk has changed so dramatically that today this kind of approach won’t suffice. Business data must be coupled with security data, not as an afterthought but as a forethought.

Even within security data alone, there are silos – largely because each different security tool is producing its own data outputs, and these aren’t easily integrated.

The bottom line? These silos have to go.

Time for an evolution

Today, all of an enterprise’s data, whether business data or security data, needs to be combined rather than dealt with as separate entities. Many are familiar with the concept of a data fabric, which Gartner defines as “a design concept that serves as an integrated layer of data (fabric) and connecting processes.” A data fabric can be the place where disparate data is woven together.

It’s time to take this concept and apply it to security. This is the promise of a security data fabric, which converges data sources, data sets, and controls from various security tools to make security data part of the organization’s global data strategy.

In this model, your security data lives alongside your enterprise data. The enterprise data provides additional business context that makes it easier to detect real threats and to respond to them faster. Security tools and teams exist to support all business operations, but if security data and business data are not aligned, the security team will not have the context it needs to accurately address and protect the business.

Many prior attempts to solve these challenges have been homegrown, DIY approaches – with solutions designed for specific, individual problems – but that can quickly become an endless cycle. There’s always going to be another challenge or business problem that needs solving, so this sort of one-off approach doesn’t work anymore.

How security data lakes can help

In contrast to a one-off approach, a security data lake can improve visibility across the entire operation, providing a centralized solution for managing security data. Security data lake solutions work best when coupled with data sources and tools for analytics, reporting, and orchestration, among other functions.

In the ideal scenario, the lake brings together the business context that security, risk and compliance teams need to safeguard an organization’s digital assets and people. This would include teams of security operations center (SOC) analysts, data analysts, compliance and audit experts, threat hunters, researchers and incident responders, and in the best of all worlds, data scientists. These team members can quickly identify actual threats and manage compliance thanks to this unified view of crucial security data with business context. In essence, a security data lake enables a one-stop shop for the variety of data that’s needed by each of these functions.

The crux of this approach is ensuring teams are getting the best data and using it in the most effective way. Having all an organization’s data in one ecosystem enables business leaders and analysts to answer previously unanswerable questions and to adapt to changing business and security conditions quickly. Data silos do not support easy or fast access to business intelligence.

A recipe for success

Preparing to implement a security data lake approach begins with an analysis of where silos and gaps exist. It’s a matter of evaluating the disconnects and then breaking those down.

It also requires addressing the knowledge gaps between the various roles that use data to make informed business decisions: IT, data engineers, data scientists, security operations center staff (such as security analysts and threat hunters), business analysts and so on.

Once the data gaps and silos are identified, it is key to align on what each consumer actually needs from the data. Asking the question, “how are consumers using this data, and for what purpose?”, is the first step in breaking the silos down. Once that is answered, it’s time to parse, normalize, and enrich the data to create a standardized view that all the various data consumers can work from. After the data is standardized into a common format, such as OCSF, the MITRE CAR data model, or others, you are able to implement security best practices on top of it. Keeping governance and security best practices at the forefront of the security data lake design helps ensure adherence to strong security measures while still enabling users to gain the deep insights they need from the data.
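The parse, normalize, and enrich steps above are easier to see in code. The following is an added example, not code from the original post or from any vendor product. It parses two constructed inputs (an sshd syslog line and a cloud console login audit record whose shape is loosely modeled on a CloudTrail ConsoleLogin event), maps them onto a hand-picked subset of the OCSF Authentication event class (class_uid 3002 in the Identity & Access Management category; the field selection is an approximation and is not validated against the published schema), and enriches each event from a hypothetical CMDB extract (`ASSET_CONTEXT`). The point the post makes, that business context is what turns a generic failed login into an actionable signal, is what `needs_attention` demonstrates: the same failure is flagged on a critical PCI asset and ignored on a lower-criticality one.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events for illustration only: one sshd syslog line and one
# cloud-style JSON audit record. Neither is a real log.
RAW_EVENTS = [
    ("syslog", "Mar 12 09:41:07 db-prod-01 sshd[2113]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
    ("syslog", "Mar 12 09:41:12 db-prod-01 sshd[2113]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2"),
    ("cloud_json", '{"eventTime":"2024-03-12T09:42:00Z","eventName":"ConsoleLogin",'
                   '"userIdentity":{"userName":"jdoe"},"sourceIPAddress":"198.51.100.9",'
                   '"responseElements":{"ConsoleLogin":"Failure"},"recipientAccountId":"111122223333"}'),
]

# Hypothetical business-context table (a CMDB / asset-inventory extract). This is the
# enterprise data the post argues security data must be joined with.
ASSET_CONTEXT = {
    "db-prod-01":   {"owner": "payments-team", "criticality": "critical", "data_class": "PCI"},
    "111122223333": {"owner": "platform-team", "criticality": "high",     "data_class": "internal"},
}

# Matches the common "Accepted <method> for <user>" / "Failed <method> for <user>" sshd forms.
# The "for invalid user <user>" variant is deliberately not handled here.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_syslog(line, year=2024):
    """Step 1 (parse): syslog timestamps carry no year, so one is supplied (assumed 2024)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "asset": m["host"], "user": m["user"], "src_ip": m["ip"],
            "success": m["outcome"] == "Accepted", "product": "sshd"}

def parse_cloud_json(text):
    """Step 1 (parse) for the cloud audit record; only console logins are authentication events."""
    rec = json.loads(text)
    if rec.get("eventName") != "ConsoleLogin":
        return None
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "asset": rec["recipientAccountId"], "user": rec["userIdentity"]["userName"],
            "src_ip": rec["sourceIPAddress"],
            "success": rec["responseElements"]["ConsoleLogin"] == "Success", "product": "cloud-console"}

def to_ocsf(parsed):
    """Step 2 (normalize): map parsed fields onto a subset of OCSF's Authentication
    class (class_uid 3002, category_uid 3). activity_id 1 = Logon; status_id 1 = Success,
    2 = Failure; time is epoch milliseconds. Field choice is an approximation, not a
    schema-validated event."""
    return {
        "category_uid": 3, "class_uid": 3002, "activity_id": 1,
        "status_id": 1 if parsed["success"] else 2,
        "time": int(parsed["time"].timestamp() * 1000),
        "user": {"name": parsed["user"]},
        "src_endpoint": {"ip": parsed["src_ip"]},
        "device": {"uid": parsed["asset"]},
        "metadata": {"product": {"name": parsed["product"]}, "version": "1.1.0"},
    }

def enrich(event, context=ASSET_CONTEXT):
    """Step 3 (enrich): attach business context via OCSF's enrichments array."""
    event["enrichments"] = []
    ctx = context.get(event["device"]["uid"])
    if ctx:
        event["enrichments"].append({"name": "asset_context", "provider": "cmdb",
                                     "value": event["device"]["uid"], "data": ctx})
    return event

def needs_attention(event):
    """A failed logon is flagged only when the target asset is critical. Without the
    joined business context this event is indistinguishable from background noise."""
    if event["status_id"] != 2:
        return None
    for e in event.get("enrichments", []):
        if e["name"] == "asset_context" and e["data"]["criticality"] == "critical":
            return (f"failed logon for {event['user']['name']} on critical "
                    f"{e['data']['data_class']} asset {event['device']['uid']} "
                    f"owned by {e['data']['owner']}")
    return None

PARSERS = {"syslog": parse_syslog, "cloud_json": parse_cloud_json}

def run_pipeline(raw_events=RAW_EVENTS):
    """Parse -> normalize -> enrich each raw record; unparseable or non-auth records are skipped
    (a real lake would route them to a dead-letter table rather than drop them)."""
    events = []
    for source, payload in raw_events:
        parsed = PARSERS[source](payload)
        if parsed is None:
            continue
        events.append(enrich(to_ocsf(parsed)))
    return events

if __name__ == "__main__":
    for ev in run_pipeline():
        print(json.dumps(ev), "->", needs_attention(ev))
```

Two design choices matter here. Enrichment is stored in the event itself (OCSF's `enrichments` array) rather than looked up at query time, so every consumer listed above sees the same owner and criticality for the same asset. And the detection reads only normalized fields, so it works unchanged whether the failure came from sshd or from a cloud console; adding a third source means writing a parser, not another detection.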

Great visibility, better security

If enterprises have cleansed data that adds business context to security events, then security teams can rapidly recognize and identify genuine threats. As a hefty side bonus, teams gain visibility and control over data usage, cost, and the applications consuming that data across the business.

Today, data is central to security. By integrating security into their global data strategy, organizations gain more actionable insights, fewer false positives, the capacity to threat hunt across huge data sets, and near-real-time visibility into their compliance and risk posture. A security data lake approach is a key step toward bringing this to fruition.