Let’s face it, in the digital world that we live in today, one of the cornerstones of all businesses in Corporate America is that of data. Whether it’s medical data, E-Commerce related data, market research data, etc., we depend upon the collection and secure storage of it for subsequent uses. In fact, even the world of Cybersecurity is known to collect tons of data. Unfortunately, in our world, much of this data gets overlooked, because our IT Security teams are so inundated with trying to put out the fires on the threat landscape.
For example, unless some sophisticated tool such as a SIEM, AI, or ML is being used, it is almost impossible to comb through all of those alerts and warnings and determine what is for real and what is fake. Therefore, you and your IT Security team need to have some kind of focus as to what kind of data needs to be collected, especially in the way of intelligence, so that future threat vectors can be predicted with some accuracy.
So how does one go about doing this? Here are some quick tips that you could quite possibly make use of:
1) Establish what really needs collection:
As a CISO or even a vCISO, the first answer that will come to mind is “We need everything”. So, does this mean even including the proverbial kitchen sink? LOL. In Cyber, all data is very important. But since there is so much of it coming in on a daily basis, you need to focus in on what employees really need. For example, if you are a threat researcher, you are going to need intel related data. If you are on the combat team fighting the threat variants, then you will need information about those threats that are inbound, what is coming in the next few days. Or if you are running a SOC, you will need to have even more global data so as to find out what is happening around the world, especially if you have clients and/or offices located in different countries. This part of the process, which is honing in on what you really need, is technically known as “Prioritized Intelligence Requirements”, or “PIR” for short.
2) Determining the actual sources:
Once you have decided what you are going to focus on for either the short or long term, the next step is how you are now going to collect this data. For example, if you are a threat researcher, you are going to need an exhaustive dataset of past variants and their signatures. From here, you can then map out the correlations amongst the deadlier ones, and from that, try to project or extrapolate what the future threat variants will look like. One key advantage you have here is that the Cyberattacker hardly ever comes up with a totally new, brand-new variant. They are always based on some sort of previous attack vector, and all they are doing is simply building a better mousetrap in order to avoid detection and hide covertly for even longer periods of time. However, trying to do this all on your own can be a very time-consuming, mind-numbing process. That’s why you should use either AI or ML. These tools can do this in just a matter of minutes.
3) Determine the analysis:
Once you have identified what types and kinds of data need to be collected, as well as their sources, the next thing you need to do is decide how it will be analyzed. You have two choices here: the human approach or the automated approach. With the former, you are going to have to hire more than just one person, and this can be a costlier proposition, given the fact that you are going to have to pay them something. Also, there is the time factor. While humans are no doubt amongst the smartest creatures on the planet, it will still take a lot of time to make any sort of prediction, and humans are also more prone to making errors. Keep in mind that in the world of Cyber, time is everything. For example, you will need to know in a matter of hours what the Cyber threat landscape could look like tomorrow. Thus, the latter choice, which is that of automation, will be the best bet here.
4) Determine the Call To Action:
Now that you and your IT Security team have analyzed all of the data and have derived logical conclusions from it, the final step in this process is how to take action on it. In the case of dealing with all of the alerts that are coming in on a minute-by-minute basis, the CTA here would be to procure some sort of SIEM based software package and feed this data into it. That way, it can very quickly and easily filter through all of the warnings and messages, and only present the real and legitimate ones to the IT Security team. From here, they can be triaged and escalated in a quick and efficient manner, while reducing the amount of errors that are being made in the process.
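To make steps 1 through 4 concrete, here is an added Python example (written for this edit, not code from the original post or any vendor product) that encodes a few assumed PIRs, scores constructed sample alerts against them, drops repeat alerts, and escalates only those that clear a threshold, which is the kind of filtering a SIEM rule set performs before anything reaches the team. The PIR names, alert fields, weights and all alert records are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed PIRs (constructed for this example, not from the post): each names the
# alert field it cares about, the values that satisfy it, and its weight.
PIRS = {
    "inbound_threats_next_days": {"field": "category", "values": {"malware", "phishing"}, "weight": 3},
    "regional_offices":          {"field": "region",   "values": {"EU", "APAC"},          "weight": 2},
    "known_variant_lineage":     {"field": "family",   "values": {"variant-alpha", "variant-beta"}, "weight": 2},
}

@dataclass
class Alert:
    alert_id: str
    category: str     # what the source tool says it saw
    region: str       # office/client region the affected asset belongs to
    family: str       # variant lineage the signature matched, or "unknown"
    fingerprint: str  # source:rule key; repeats of the same key are noise

# Constructed sample alerts standing in for a SIEM feed.
CONSTRUCTED_ALERTS = [
    Alert("A-1001", "malware",  "EU",   "variant-alpha", "ids:rule-17"),
    Alert("A-1002", "malware",  "EU",   "variant-alpha", "ids:rule-17"),  # repeat of A-1001
    Alert("A-1003", "scan",     "US",   "unknown",       "fw:rule-3"),
    Alert("A-1004", "phishing", "US",   "unknown",       "mail:rule-2"),
    Alert("A-1005", "scan",     "APAC", "unknown",       "fw:rule-9"),
    Alert("A-1006", "phishing", "APAC", "variant-beta",  "mail:rule-5"),
]

def score_alert(alert, pirs=PIRS):
    """Sum the weights of every PIR the alert satisfies (step 3, the analysis)."""
    return sum(p["weight"] for p in pirs.values()
               if getattr(alert, p["field"]) in p["values"])

def triage(alerts, threshold=3, pirs=PIRS):
    """Step 4: return (escalated [(id, score)] best-first, counts of what was dropped)."""
    seen, escalated, dropped = set(), [], Counter()
    for a in alerts:
        if a.fingerprint in seen:           # same source+rule already queued
            dropped["duplicate"] += 1
            continue
        seen.add(a.fingerprint)
        s = score_alert(a, pirs)
        if s < threshold:                   # matches no PIR strongly enough
            dropped["below_pir_threshold"] += 1
            continue
        escalated.append((a.alert_id, s))
    escalated.sort(key=lambda t: -t[1])     # stable sort: ties keep arrival order
    return escalated, dict(dropped)
```

Calling `triage(CONSTRUCTED_ALERTS)` leaves three alerts for the team (A-1001 and A-1006 scoring 7, A-1004 scoring 3) and reports one duplicate and two below-threshold alerts dropped, so the analysts see the PIR-relevant items first instead of the whole feed.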
My Thoughts On This:
This methodology just reviewed can be seen in the illustration below:
In this article, I have alluded quite a bit to using AI and ML tools. Given just how dynamic the Cyber threat landscape is these days, you are going to have to use these tools in order to quickly analyze the data you are getting.
Although it may sound complex, it really is not. If you make use of a Cloud based platform such as AWS or Microsoft Azure, the tools are right there for you to literally build an AI or ML machine in just a matter of minutes, for a fixed, monthly price.
But also keep in mind that as you further explore your AI and ML options, the algorithms that you create for them have to be optimized on a regular basis. If not, they can go stale, and not produce the desired outputs.
Secondly, you have to make sure that the datasets you are using have been “cleansed” as well. This simply means that there are no outliers in them, and that they are properly categorized so that your AI or ML machine can easily process them.
If you need help with any of this, there are plenty of AI vendors out there who can help you. A Google search can reveal this as well. Or you can also contact me at ravi@ravidas.tech for further assistance.