I’ve been a huge fan of data analytics in computer security for a long time, including dozens of my columns over the last 12 years at CSOOnline and InfoWorld. Fan probably isn’t a strong enough adjective. Stalker is probably closer.
As a 30-year computer security consultant, I’ve watched nearly every company I work for ignore the data in front of their eyes to pursue a defense that will never, ever keep out malware and hackers. For example, I would tell them they need to patch software that was being used over and over again to break into their company, and they would respond by asking me to install disk encryption. Or I would give them data showing that their employees were being socially engineered by an advanced persistent threat (APT) and needed better end-user education, and they would respond by buying far more expensive host intrusion prevention devices.
Whatever I told them they needed to do, even if given the best data to support my findings, even if they agreed with me in front of my face, they did something else. Whenever I went back to those same companies, rarely had they done the most significant thing they could have to improve their computer security defense.
Why would any reasonable company ignore the very things that they should be doing, even after we all agreed they needed to be done? No reasonable person when presented with the evidence would actively choose to ignore it, right? They did, even if they had already been thoroughly compromised and had lost (or been fined) millions of dollars, and even if they faced millions in fines if it happened again.
This bothered me so much that I sought to find out why so many companies were making bad decisions. I watched and listened to over a hundred companies, large and small, and asked employees at every level why they didn’t do what they should be doing to most efficiently defend their companies. I compiled my early findings into a whitepaper.
I have essentially made my career since then solely about driving more data analytics into computer security. It is my reason for living…at least in my professional life. What I learned culminated in my tenth book, released just last week, called A Data-Driven Computer Security Defense: THE Computer Security Defense You Should be Using. If you don’t want to buy the book, download the free whitepaper. I care more about spreading the ideas and solutions than making the most money.
Finding Bay Dynamics
I’m pretty good at quickly identifying interesting ideas from the many security vendor pitches I receive daily, and I’m constantly looking out for ideas and companies that promote the same data-driven ideas that I believe in. So, imagine my surprise when I learned about Bay Dynamics, which is the epitome of everything I believe about a data-driven computer security defense.
Bay Dynamics is doing exactly what I have been exhorting companies to do for the last 5 years – use your own data to drive your best defenses. If I had learned about them two weeks earlier, they would have played a huge part in my book. Still, I’m overjoyed to learn about what they believe and do.
Bay Dynamics was started in 2001, co-founded by Feris Rifai and Ryan Stolte. Initially it wasn’t even a cybersecurity company. They did data analytics from the start, but it was more about analyzing what worked on websites and different business decisions to drive an optimal outcome. It wasn’t a product or service company. They only consulted. Somewhere along their journey they realized that the companies they consulted for wanted more than advice. They wanted a product that put their consulting brains in a service. That product quickly morphed into a computer security offering, today known as Risk Fabric. I haven’t used a Risk Fabric product, but from what I can see from the demo and talking to the CTO, it seems to gather and display data that can help make improved risk decisions.
Identifying asset value
I asked Stolte, Bay Dynamics’ co-founder and CTO, about what they brought with their data analytics: “We need to treat cybersecurity as a risk management problem. People are inundated with threat conversations, overwhelmed. But if you shift the conversation to risk management, we can talk about likelihood and potential impact. Risk is impact times likelihood of the vulnerability or threat. Many companies do that. One of the things we bring into the equation is asset value. It’s a big part of the risk.”
Stolte gave an example where a company’s most valuable computers contained a “medium-risk” vulnerability. Many vulnerability management systems would spit out a report that said such-and-such system had a medium risk vulnerability. Everyone knows that isn’t the actual case, not with your most valuable computers.
What Bay Dynamics does is let the value of the data and system being targeted by a particular threat or vulnerability drive risk management. For example, a system with a high-risk vulnerability that contains zero company data and isn’t even connected to the company’s network is probably lower risk than the previous, high-risk example. It’s just common sense. Bay Dynamics automates that common sense into dashboards, work queues, and applications.
Every company in the world has far too few resources to fix everything at once. Each has to decide what to do first and what to save for later. Bay Dynamics helps companies better figure out the right risk priorities, using their own data. “We decided to make a product and build models to help people better manage their business. We can help them identify what their true [vulnerability] posture is and make it actionable,” says Stolte.
Computer security companies don’t often give me a reason to be excited. Most are promoting specific “whack-a-mole” solutions for a specific problem that can often be easily bypassed or are full of false positives. Bay Dynamics gets it. They understand how to use data to drive efficient security focus. Other larger players are starting to take notice.
Bay Dynamics started partnering last July with Symantec, which calls the offering Information Centric Security. Comcast Corporation, one of Bay Dynamics’ customers, recently won three awards (CSO50 and two ISE Awards) for its Cyber Value at Risk project powered by Risk Fabric.
In a nutshell, Bay Dynamics collects data and analyzes it with better, more commonsense risk models to help customers make better decisions about what to focus on first. I spent ten chapters in my latest book talking about something they can teach you the importance of in a few minutes.
It’s exciting to see data analytics put to such good use. I love any computer security vendor that helps other companies better collect and use their own data to improve their defenses. No company is perfect or has all the solutions, but Bay Dynamics should be on your short list.