Over the past decade, cybersecurity has risen to the top of the list of mission-critical business functions. It has happened because the internet has become a central part of many core business activities, and rapid digitization has created some serious risks. One need only look at the laundry list of major data breaches that have taken place in recent years to understand the scope of the potential for trouble.
That has, in turn, spawned a huge new industry dedicated to securing all of the data, systems, and digital assets that businesses have to protect. It has produced a sophisticated suite of tools and platforms that increase a business’s visibility into where its data flows, who’s accessing it, and where the vulnerable points are in its networks. But operating a complex monitoring apparatus like that often requires vast resources and teams of highly trained cybersecurity professionals – and that costs a great deal of money.
For that reason, businesses are constantly looking for ways to maintain their security while reducing costs. The rising discipline of data security analytics is now getting closer than ever to providing an answer, by enabling advanced threat detection and mitigation that leverages automation to reduce the load on already overstretched IT staff. But to use it, businesses have to prepare their infrastructure to support a system-wide analytics function. Here are the three most important steps they need to take.
Initial Data Collection
No matter what computing infrastructure is in use, one thing is certain: it is already generating huge amounts of data about its own operation and management. That means the first step in preparing to implement a security analytics system is to identify those data streams and integrate them into a central database system. There’s no single set of steps to follow, since no two computing environments are ever alike. Generally speaking, though, the on-staff network administrators and IT professionals should have a pretty good idea of where to start looking. Common data points within a business network include:
- Server security logs and operational data
- Network hardware logs (firewalls, routers, access points, etc.)
- Endpoint security logs
- Web activity logs and connection data
The idea is to discover any pre-existing data sources that provide visibility into the goings-on within the network. When that’s complete, it will be possible to start building connections to a database system.
Data Transformation and Normalization
When merging data that’s coming from distinct sources and systems, there’s little chance that the data will follow a single format or structure. That’s why the next step is to create a data transformation and normalization process that will be able to bring everything together in a single, coherent data structure.
In many cases, this can be accomplished by writing simple scripts that apply the required transformations to the data before committing it to a database. Commonly, this is done using SQL scripting or Python, depending on the type of destination database. For complex data sets, or when the volume of data is too great for simple scripts to handle, it may be necessary to choose an extract, transform, load (ETL) platform to act as a middleman in the process being built.
The main idea is to identify common data fields and to make sure they all end up using standardized names within the new database. For example, common data points like IP addresses, port values, and timestamps may be reported differently by differing systems and hardware. Making sure all of the data uses common language makes it possible to perform searches against it that will yield complete results.
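As an added illustration of that normalization step (example code, not from the original article), the Python below maps three constructed log lines from hypothetical sources onto one shared schema: timestamps of three different shapes (year-less syslog, Apache-style with a zone offset, and Unix epoch) all become UTC ISO 8601, and addresses and ports that each source names differently end up under the same field names, with ports typed as integers. The formats, field names and the assumption that syslog lines are in the current year and UTC are all mine.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events from three hypothetical sources. The key=value
# firewall line, the Apache-style access line and the JSON endpoint event
# are assumptions for illustration, not any real vendor's format.
RAW_EVENTS = [
    ("firewall", "Mar 10 14:22:01 fw1 action=deny SRC=10.0.0.5 SPT=51514 DST=203.0.113.9 DPT=443"),
    ("webserver", '203.0.113.7 - - [10/Mar/2024:14:22:03 +0100] "GET /login HTTP/1.1" 200 512'),
    ("endpoint", '{"ts": 1710077045, "src_ip": "10.0.0.5", "src_port": "3389", "dest": "10.0.0.20", "dest_port": 445}'),
]

def to_utc(dt: datetime) -> str:
    """Common timestamp representation for every source: ISO 8601 in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_firewall(line: str, year: int = 2024) -> dict:
    # Syslog timestamps carry neither year nor zone; we assume the given year and UTC.
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"timestamp": to_utc(ts), "src_ip": kv["SRC"], "src_port": int(kv["SPT"]),
            "dst_ip": kv["DST"], "dst_port": int(kv["DPT"])}

def parse_webserver(line: str) -> dict:
    m = re.match(r"(\S+) \S+ \S+ \[([^\]]+)\]", line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # offset is normalized away by to_utc
    # Access logs carry no destination address or client port; leave them empty rather than guess.
    return {"timestamp": to_utc(ts), "src_ip": m.group(1), "src_port": None, "dst_ip": None, "dst_port": None}

def parse_endpoint(line: str) -> dict:
    ev = json.loads(line)
    ts = datetime.fromtimestamp(ev["ts"], tz=timezone.utc)
    # This source reports the port as a string; coerce so every source yields an int.
    return {"timestamp": to_utc(ts), "src_ip": ev["src_ip"], "src_port": int(ev["src_port"]),
            "dst_ip": ev["dest"], "dst_port": int(ev["dest_port"])}

PARSERS = {"firewall": parse_firewall, "webserver": parse_webserver, "endpoint": parse_endpoint}

def normalize(source: str, line: str) -> dict:
    """Map one raw event onto the shared schema and tag it with its origin."""
    record = PARSERS[source](line)
    record["source"] = source
    return record

def normalize_all(events=RAW_EVENTS) -> list:
    return [normalize(src, line) for src, line in events]

if __name__ == "__main__":
    for rec in normalize_all():
        print(rec)
```

Once every record carries the same field names and types, a single query such as "all events from 10.0.0.5 in this UTC window" covers the firewall, web and endpoint data at once.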
It’s also important to note that businesses may elect to use a security information and event management (SIEM) platform to handle this step for them. Most commercially available systems can handle data aggregation and standardization using built-in functions. The only downside is that businesses that go this route can become locked in with a particular vendor, which limits their options for expansion and customization as their needs change.
Identify Stakeholders and Point People
With a new data infrastructure in place, the next step is to identify all of the stakeholders within the business that will need access to the security analytics system. This may include on-staff IT managers and cybersecurity professionals but might also include members of the business’s executive management team. By figuring out in advance who’s going to need to see what data, it’s much easier to settle on an automation system that will produce periodic pre-defined data reports when required.
For example, non-technical staff may not need access to anything more than top-line security metrics reporting, while front-line security staff will need to access a wide variety of in-depth reports and will need the ability to query the security data at will. This will inform the decision on what kind of access system to use, or if a more complex, AI-augmented system is needed.
A Solid Base to Start With
After undertaking these three steps, any business should be able to get a handle on the cybersecurity data that’s available to it, centralize it into a single format, and plan for how it will be used and by whom. That opens the door to more advanced security analytics functions, including the deployment of a security orchestration, automation and response (SOAR) system that can provide a more active defense against known and emerging threats.
At the same time, starting on the path to security analytics also tends to reveal weaknesses in existing systems because of the need to get hands-on with every part of the infrastructure in the data discovery phase. So, no matter how the results of the process are eventually put to use, it’s still a worthwhile undertaking. And as new and more complex cybersecurity threats evolve – and they will – any advantage a business can get is one that they should explore at the earliest possible moment.