When it comes to developing a successful cybersecurity program in 2019, simply purchasing and deploying cybersecurity technology is only the first step in deriving value from the investment. Maximizing value and capitalizing on these efforts requires a series of defined processes and no shortage of skilled workers behind the scenes.
Determining the ROI for any cybersecurity investment can be a fickle experiment, but value can come in many forms. Of these, one of the biggest and often overlooked benefits of cybersecurity tools is in the data they can generate over time.
Organizations that purchase a solution – be it endpoint detection and response, firewall, or even an anti-virus – often overlook the wealth of information, deep in logs, that goes well beyond the default “set it and forget it” mentality. Adversaries can be adept at evading these tools from a blocking perspective, but there’s a good chance they’re leaving tiny bits of data behind – breadcrumbs – that can help facilitate a deeper investigation into the unknown.
There are several ways organizations can leverage that data to get the most from their investment, regardless of the solution:
Hire the right talent to maximize your technology value
It’s critical for organizations to hire the right talent, not only to complement the company but to help supplement the technology that’s been purchased. Skilled personnel should be able to run the solution, but more importantly, be prepared to analyze data output and look for clues that could aid in threat hunting.
In order to harvest such value, organizations should learn as much as they can about the technology, including its capabilities and limitations. Is it possible, for example, to extend the tool to bridge other gaps in an environment from a security or compliance perspective?
Ensuring employees in your organization are well-trained and equipped to leverage a tool’s capabilities can your company achieve success holistically. This sometimes requires a team to segment roles to divide up work but is necessary to ensure an organization isn’t impacted operationally from user error.
Consider Managed Services
If you can’t find the right talent internally – a common problem, especially in light of the cybersecurity community’s ongoing skills shortage – look externally. Consider contracting a managed IT services team, ideally one with inherent knowledge of the technology, offered by the service itself.
If you go this route, be sure to pay attention to the service-level agreement – the contract between a managed IT services provider and a client that breaks down how the managed service will deliver value from the product. Additionally, request metrics and reporting from the managed services team to demonstrate a return on investment.
Comb through logs to seek out incidents
When done effectively, threat hunting allows organizations to uncover malicious activity. It’s not possible, however, without data and the right tools to quickly parse through that data. It’s important to export logs to a central location, like security information and event management (SIEM) software, for instance, to correlate activity with other data sources. SIEM tools can help teams juggle the vast amount of data and also make it easier to interpret, something which in turn, can yield possible threat activity.
Organizations should ensure that they’ve defined rules and signatures within the data to trigger on and confirm a proper workflow is in place within the analyst team when it comes to triaging alarms.
Rules in particular are important as they can help identify suspicious events, but they don’t always have to be high fidelity. Threat hunters want to gather as much information on the behavior, goals, and methods of adversaries as possible. That’s why even rules that generate lots of data, from a threat hunting perspective, can be beneficial. By doing this and gathering intel, teams can develop hunting signatures that require analysts to generate baseline configurations. This can yield a higher fidelity rule set that’s catered to your environment.
Threat hunters should always take a proactive approach. Never sit back and wait for alarms to trigger, expecting malicious activity to come to you. Keeping tabs on the latest threats, bringing in intel, and developing additional signatures to leverage can lead to efficient threat hunting while reducing dwell time for adversaries in your environment.
Keep an eye on data trends over time
Static signatures and rules can only do so much. That’s why organizations may consider feeding their logs into a tool that uses behavioral analytics or machine learning to see how data trends over time. By using tools that can flag anomalous behavior and create alerts on changes in workflows, applications, and data use, keen-eyed hunters can better sniff out what’s normal and abnormal in their environments. While these technologies can have a high false-positive rate at first, they learn contextually over time, eventually establishing a baseline of user and entity activity.
Before purchasing machine learning technology, organizations should do their due diligence by researching what its limitations are up front. What kind of data sources will maximize value and be the biggest benefit to you? Harnessing the power of machine learning and behavioral analytics can immensely transform how an organization handles data but it’s important to ensure it fits your needs.
(Tim Bandos is vice president of cybersecurity for Digital Guardian.)
