Contrarisk Security Podcast #0040: Exploiting security data

Matt Alderman, Tenable Network Security

Organisations have lots of security these days – but do they have the right security? Is the technology being deployed in the most effective way?

Traditionally, the approach has always been one of defence in depth. This has led to organisations investing in a long list of point solutions. There’s always a concern that it’s the wrong technology, or that solutions are being inadequately or incorrectly implemented. But as Matt Alderman, VP of strategy at Tenable Network Security explains in this podcast, a bigger question is whether the data produced by all these point security solutions is being properly harvested and analysed.

Alderman thinks we should stop thinking in terms of technology and start thinking about capabilities. He outlines six domains, ranging from detection, through response, to improving your security protections, which together provide a framework for deciding what capabilities you need and how to implement them.

We’ve been far too focused on the solutions available rather than understanding the problems, he suggests. One of the issues is the way that analysts like to look at security in terms of markets – something that’s inevitably product-led. Vendors are consequently driven by these defined markets, producing products to fit those categories. And finally, organisations set budgets along the same lines.

“We’re not budgeting holistic security programmes,” says Alderman. “We’re budgeting line items.”

While most firms that have been breached claim to be victims of ‘sophisticated’ attacks, the truth is that most breaches start with something as simple as a phishing attack. Where the attackers are sophisticated, Alderman believes, is in their ability to “hide in the gaps”, using the weak points where the security systems fail to join up. They can remain hidden and carry on their malicious work for days or months.

So far, the main way organisations have attempted to address this problem is to take all the security data they’ve got, shove it into a Security Information and Event Management (SIEM) system and hope they can make sense of it there. We’re now starting to see some developments in this year’s big thing – big data – but with the amounts organisations have invested in their SIEMs, they’re not likely to spend again on big data solutions.

Alderman believes we do need to embrace some emerging technologies to help us with all this data, but without the SIEM necessarily being at the centre of that. While SIEM-based solutions require you to be careful about what data you collect and what patterns and anomalies you’re looking for, big data solutions take the opposite approach: collect everything, and rely on subsequent analysis to reveal what’s significant.

Improvements can be made incrementally, without a need to ‘rip and replace’. But you’ll do that successfully only if you understand what capabilities you need and how they fit together, says Alderman.
