It's hard to achieve alignment in cybersecurity when we're all reading from different pages. There's an abundance of data to collect but no common protocols or outputs. We want to detect all the threat things, yet our IT teams are burning out from alert fatigue. And why does every vendor redefine SIEM, SOAR, and XDR in what seems like weekly?
Forget the "30,000-foot" level - the answers are below ground, down at the root level. That's where you will find the data information model.
IT and security teams use a host of visibility sources to determine whether something nefarious is happening in an environment. For example, the intrusion detection/prevention network tool sniffs packets, comparing against known bad patterns. Then, it sends the data to a Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) platform. However, while standard protocols like Syslog and PCAP exist, most cybersecurity vendors use their own information model, leading to inconsistencies as organizations add new technologies while trying to integrate the tools.
Before organizations build out complex cybersecurity tooling stacks, they need to choose and standardize their information model for normalizing log data to establish a robust security program with a comprehensive, interoperable set of technologies that enable their people to develop effective processes.
Prioritizing standardization at the leadership level
Every year, new cybersecurity tools join the market while others either drop off or consolidate into other products. When the organization lacks a standardized schema, these shiny new objects create disruption at the analyst level because the tools fail to provide the needed visibility.
By clearly defining the information model, leadership ensures that the company can effectively add to its toolsets without having to rework around a new technology’s information model. Whether using their own or a vendor’s information model, defining the schema is the most important step to gaining the most value from a SIEM or security log management tool. It ensures the organization can review how a new technology will translate data across tools to create a holistic strategy.
Choosing the right tools, platforms, and automation
With the information model defined, choosing and deploying tools is easier. When organizations make the schema decision after the fact, they often need to engage in an expensive rip-and-replace process that includes associating all current tools to the vendor-supplied model and retraining analysts.
However, when the organization bases its tooling decisions on flexibility and a pre-defined information model, it can use best-in-breed tools that fit into its overall security stack for better visibility. By having a pre-defined schema, companies can review the translation layer to ensure that it is flexible enough to integrate with all the tools. With a pre-defined information model, the organization gains the most value from the built-in analytics, notification, alerts, events, dashboarding, and visualizations.
Further, organizations need to discuss the information model with the vendor early on in the process to build a set of tools that integrate cohesively. This gives analysts the data they need to associate activities with bad behaviors, preventing the organization from ending up on the front page of the newspaper.
Performing regular incident response exercises
An organization's tooling exists to streamline incident response processes. With a pre-defined schema ensuring interoperability, the organization can review the processes, iterate them, and refine them.
Often, IT and security teams start reviewing their incident response processes by taking the incidents they've had over a period of time and reviewing the pieces put together across the tooling. Then, they evaluate to ensure they had the expected visibility and consistency across their tooling.
Another way to test tool and process effectiveness is to leverage penetration tests. In the test’s aftermath, IT and security teams can determine whether their tools gave them the visibility needed to answer the questions associated with the incident. This enables the organization to validate its toolset and its incident response processes.
Developing clear and consistent communications
Finally, with an information model defined at the outset, organizations can establish clear and consistent communications that document their processes. By cohesively integrating tools, the organization enables collaboration across the people using them.
Multiple departments involved in cybersecurity might roll all the way up through a CIO or CISO. For example, a user compromise usually involves the network team, security, and operations teams and may involve human resources.
By defining the information model to ensure tooling interoperability, the organization creates clear and concise incident types using risk factors defined in those standards at the leadership level. This gives the right communication to the right teams so they can communicate effectively, eliminating the need for people to play catch up.
Defining the Information Model for Success
With the right tooling and visibility, security analysts can catch more suspicious behavior. Malicious actors seek to evade detection by using tactics, techniques, and procedures outside common triggers.
When the organization defines its information model and aligns its tooling to it, the technical security analysts who understand the risks gain the necessary visibility. They can find abnormal activity in the environment, even as malicious actors use new methods or vectors.
By starting at the fundamental technical level, organizations can build a cybersecurity stack that offers visibility as the solution.
Mark Brooks is Chief Customer Success Officer at Graylog.