Dialing-up Data to Tackle Expanding Security Challenges

Dave Krasik
Many security professionals feel like broken records at this point when we say, “the threat landscape is constantly evolving”, and especially when we talk about how security operations centers (SOCs) are always trying to do more with less. But over the last couple of years, what we think of as standard security issues have evolved into several new, daunting challenges.
From the acceleration of digital transformation and rapid rise in remote work, to increasingly crafty supply chain and ransomware attacks, to geopolitical events and cyberwarfare, the layers of complexity SOCs are dealing with today are unprecedented.
The role of cybersecurity is expanding to track more and different types of data to strengthen detection and response. As security teams move into further uncharted territory, I see these as three specific threats that need to be addressed.
Industry-specific, fraud-related threats. In the digital economy, any organization that has an online presence needs to continuously track what is happening in cyberspace. If they don’t pay attention to activity on social media, chat services, blogs, illicit online communities, etc., they could face a real, existential threat to the business. A company’s brand and reputation are at risk when a misleading, negative, or inappropriate video or comment goes viral. And the financial pain resulting from the trafficking of counterfeit goods and digital piracy of software, music, and video is significant.
Estimates peg annual losses from digital piracy for the global movie industry and for the TV industry at a conservative $40 billion each, and as high as $95 billion. And there are other types of online fraud that security teams are tracking. For example, gaming companies monitor for cheat codes being bought and sold, and companies in the gambling industry track card sharks and card counters. The sooner an organization can detect fraud, the more effectively it can mitigate the impact to the business and prevent it in the future.
Cryptocurrency activity. Tracking cryptocurrencies is increasingly being added to the security team’s area of responsibility, and not just within the financial services sector. Because ransomware is big business and no sector is immune, a cross-section of organizations is increasingly interested in tracking cryptocurrency activity since that’s the prevailing form of payment. The objective is to connect the dots back to bad actors to determine their credibility and to gain insight into how they operate so security teams can strengthen defenses and incident response.
Deeper context about technology assets. Traditionally, organizations use IT asset management software to track all their software and hardware. Integrating that system with their vulnerability management system and vulnerability data can make patching much more efficient. But the Log4j supply chain attack, for example, has forced a rethink of patching. It’s no longer enough to know which commercial software applications are in use on which physical assets; organizations need to know the components within every commercial software application they have deployed. And if their software developers are using third-party software components, they also need visibility into those components, to understand any potential vulnerabilities within their internally developed software. To achieve this, security teams must incorporate data from a software bill of materials (SBOM), a detailed record of all components used to build a given piece of software, to track vulnerabilities and patch at a more granular level.
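As an added illustration of the SBOM-driven tracking described above (example code written for this page, not the author's), the script below joins a constructed asset inventory (host, application, SBOM components) with a constructed advisory list and reports which deployed applications carry a component version inside an affected range. The hostnames, application names, advisory id and version range are placeholders, not real data.

```python
# Added example: map per-application SBOM components against advisories to
# find which assets need patching. Inventory and advisories are constructed
# sample data, not real systems or real advisories.

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so version ranges compare numerically."""
    return tuple(int(p) for p in v.split("."))

# Constructed asset inventory: host -> application -> SBOM components.
# In practice this comes from the IT asset management system joined with
# CycloneDX/SPDX SBOM documents; here it is inline sample data.
INVENTORY = {
    "web-01": {"billing-portal": [("org.apache.logging.log4j:log4j-core", "2.14.1"),
                                  ("com.fasterxml.jackson.core:jackson-databind", "2.13.4")]},
    "app-02": {"reporting-svc": [("org.apache.logging.log4j:log4j-core", "2.17.1")],
               "billing-portal": [("org.apache.logging.log4j:log4j-core", "2.14.1")]},
}

# Constructed advisory with a placeholder id; the affected range is
# illustrative only and not a statement about any real vulnerability.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1",
     "component": "org.apache.logging.log4j:log4j-core",
     "affected_from": "2.0.0",   # inclusive
     "fixed_in": "2.17.1"},      # exclusive
]

def affected(component: str, version: str) -> list:
    """Return advisory ids whose affected range contains this version."""
    v = parse_version(version)
    return [a["id"] for a in ADVISORIES
            if a["component"] == component
            and parse_version(a["affected_from"]) <= v < parse_version(a["fixed_in"])]

def find_exposed(inventory: dict) -> list:
    """Flatten the inventory into (host, app, component, version, advisory)
    rows for every component that matches an advisory, sorted for reporting."""
    rows = []
    for host, apps in inventory.items():
        for app, components in apps.items():
            for name, ver in components:
                for adv in affected(name, ver):
                    rows.append((host, app, name, ver, adv))
    return sorted(rows)

if __name__ == "__main__":
    for row in find_exposed(INVENTORY):
        print(*row)
```

The output is a patch worklist at component granularity: the same application is flagged on one host and not another depending on which component version its SBOM records.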
Security teams are already suffering from data overload. How can they manage and make sense of all this additional data to ensure it is useful and providing value?
Many organizations already subscribe to threat information from a number of sources in a variety of formats, including from commercial threat intelligence providers, governments, their existing security vendors, open-source feeds and frameworks like MITRE ATT&CK. Now they are also looking to bring in data from news articles, research blogs, mainstream and illicit online forums, GitHub repositories, and SBOMs, to name a few. Integrating all these sources and types of data with the rest of their security operations is critical, and remains a key challenge.
Looking ahead, organizations must prioritize capabilities to augment and enrich event data aggregated from internal data sources—including the SIEM system, log management repository, case management system and security infrastructure—as well as external data, to connect the dots, assess their security posture, and mitigate risk.
Modern SOCs need access to more data, faster, and it needs to be immediately usable. We can only imagine how the threat landscape will continue to evolve and what data will be needed next. Fortunately, the technical underpinnings are there, so the role of cybersecurity can continue to expand in lockstep with what security teams need today and in the future.