Where a CISO Starts

by Christopher Jordan

July 6, 2020


As a Chief Information Security Officer (CISO), you are tasked with blending c-suite objectives with technology. You need tools that help balance security with the success of the organization. To be effective in this challenging assignment, you and your team must make rapid, sound decisions about cyberthreats and other security matters.

Experience demonstrates that wise security decisions depend on ground truth data analytics that harness the power and efficiency of the cloud and also provide the comprehensive visibility needed by the CISO. Such situational awareness occurs when diverse security data is simple enough to understand, but sufficiently detailed to enable insightful decisions.

Your SOC team members need ground truth. To get it, you first have to capture all of the possible data generated by your organization. Afterall, all data is security data. Yet, existing security and data analytics technologies are not always well-suited to this vision. It’s common, in fact, for security teams to experience data overload from countess sources. A new generation of data analysis and threat scoring tools addresses this problem by integrating security data from the multiple sources and leveraging Artificial Intelligence (AI) and Machine Learning (ML) capabilities. This process delivers ground truth analytics that drive real time situational awareness. The CISO can then have a complete vision of the organization’s network and make the right judgement calls as alerts and incidents arise.

This paper outlines how ground truth analytics and real time situational awareness come together to bolster security while saving your team time and money. It covers the new cloud-based security data analytics tools’ uniquely powerful effect on your organization’s security operations:

  • How to collect and manage raw data — ingesting vast amounts of security data that comes from several diverse sources, including SIEMs, firewalls and so forth.
  • How to leverage data, versus becoming lost in it — rising to the challenge of arriving at succinct, prioritized findings from the torrents of incoming security data.
  • Determining where analysis starts — building analytics into organizational processes and avoiding the destabilizing effects of analyzing and correlating vast amounts of security data from heterogeneous sources.
  • Getting results — using threat scoring and prioritization to enable fast, effective decision-making. Producing metrics and insight that provide results instead of measuring the problem.

Security is what programmers call a “non-functional requirement.” It’s required, but it is not the reason for the application. Security isn’t in one place, but instead is part of everything. This means that your security operations often do not have ownership of all the needed assets. A common example is that firewalls are administered by your organization’s IT department, but security receives logs and makes rule requests. The same is for desktop antivirus and cloud services, such as Office 365. Because security is everywhere, it has vision from the desktop, mobile assets, network and cloud. You need all the data and the means to understand it quickly and easily.

Where should the CISO start? At a minimum, the CISO must be able to see, measure and secure the organization’s complete infrastructure and in turn secure its data. Even in places where the CISO lacks authority over infrastructure, he or she has the responsibility to secure it.

The solution is a collective infrastructure that serves as the base for which decisions via analytics rely upon. Gone is implementing network collectors that cause friction between the ownership of assets. With the forwarding of syslog data and the rise of RESTful web APIs for log collection, CISOs no longer have to fight to implement a collection infrastructure.

The best practice for data collection must be product agnostic. Implementation of proprietary collectors has repeatedly proven to interfere with business and network operations and are simply unnecessary. The same syslog grid and web service logs used by networking and development operations (devops) are sufficient.

Syslog data is sent to the syslog grid. It is preferred to use syslog over TLS. For Microsoft devices, an agent is used in order to transmit syslog, something Microsoft does not support natively. The data in the collection grid may be shared by both network and security teams. It is how the data is filtered and processed that makes these teams different.

RESTful services are the other major means of data collection. Web services, which include host antivirus (EPP) and detection & response (EDR), often will send data to a cloud repository. Legacy EPP is sometimes stuck in syslog-style reporting. When the opportunity arises, it is recommended to change to an EPP/EDR that has web-based logging. With bigger amounts of data demanding faster insight and better response, web-based logging offers organizations more verbose data.

Simply put, information infrastructures should collect all of the needed data. An old-school mindset was to reduce the amount of data to make it easier to process and not lose clarity. This works for fault detection, but not security. Whether analysis is by a human or machine, the better the quality of logging information, the better the results. This is one reason scheme-less database structures are the preferred central databases, as they allow as many fields as possible to be parsed into searchable key-value pairs.

Create a List for Completion: Comprehensive collection is the foundation for operations. Make a list of all of the devices that process and protect data, and then one-by-one add them to your collection infrastructure. As your organization grows and changes, revisit the list for completion and ensure that the logging format has not changed.

With a comprehensive collection infrastructure, the CISO has the information baseline to perform analytics. This is the easiest of steps, and often only takes hours or days to implement. As the CISCO’s analytics mature, there may be improvements to the log configuration or the addition of new sources, but there should be no need for major changes to the collection infrastructure.