Is your defensive security data-driven?

Data-driven defense uses an organization's own data to identify and mitigate the most important threats. Sounds good, but adoption will be met with resistance.

Credit: IDG

As my long-time readers know, I’m dedicating the rest of my professional career to promoting a data-driven computer security defense. In a nutshell, it’s about using a company’s local data from its own experiences to create a more efficient and effective computer security defense.

I’ve been strongly pushing a data-driven defense for nearly a decade, including a whitepaper, book, and multiple presentations including this one. Companies not using their own data to construct better defenses is behind the rash of easy hacking these days. It leads to inefficient and ineffective defenses, which almost certainly allow more hackers and malware to get into a company.

Despite the benefits of a data-driven defense, changing a company’s culture to adopt it is hard. The lessons I’ve learned can help ease the effort.

Expect pushback

I have been surprised by the amount of pushback I’ve received for saying that we, as an industry, should be better using our own data to drive defensive mitigations. At my last company, I was told that I would probably get fired if I didn’t stop evangelizing a data-driven defense. I had people so against the idea that I can only remember them as professional nemeses. They tried to thwart me at every idea and project.

Then one day, my data-driven defense ideas simply became a part of the culture, so well accepted that they drove nearly everything we did. I remember being in a meeting with some of the company’s executives (with my most vocal nemesis present), when the top senior executive told the group, “We need to follow Roger’s ideas about a data-driven defense more often.” It blew me away. I knew I had finally won over the company’s culture when, a few weeks later, my nemesis introduced me to a new employee as “one of the smartest, persistent guys you’ll ever meet.”

I share this personal story to demonstrate that even within my own company I had, for years, a very hard time getting people to see the vision of a data-driven defense. If your company is not already there (and most aren’t), then it takes a fight to get everyone onboard.

This is to be expected of any paradigm shift. Paradigm shifts are never readily accepted. If they were, they would be called common sense. Paradigm shifts require that you show people the futility of the status quo and then convince them of the growing need to move to something else. Humans aren’t all that great at changing their minds about how they’ve been doing business for decades.

How to quickly sell a data-driven defense

The quickest way to describe a data-driven computer security defense is to compare it to the insurance industry. Every insurance product makes a financial bet that what people are paying to the insurance company will be more than the resulting payouts the insurance company will make for the covered scenario.

Most insurance companies are highly profitable, because they have high-paid actuaries who use data analytics to predict occurrences of covered events. A data-driven defense is simply forcing company’s computer defenses to use more data analytics to better predict real risk and outcomes, just like the insurance company. 

Data-driven defense basics

A data-driven computer security defense is more of a mindset and culture than anything else. If you’re using your own local data to better predict most likely future security events, then you’re doing it. Most companies are using it in limited doses in a few places. I’m arguing that it should be the primary driver across most computer security defense scenarios.

A data-driven defense starts first with identifying how your company was most successfully attacked (i.e., the most damage) in the recent past and most likely will be successfully exploited in the future. Threats aren’t malware families or hacker group names, but the root causes of initial exploits (e.g., unpatched software, social engineering, misconfiguration, or password attacks). You’ll never stop a threat if you don’t stop how attackers gain footholds in your organization. Once you understand that, you’ll fear “harmless” adware just as much as a malicious backdoor Trojan if they both used the same exploit method to get in.

The top threat or threats are then communicated to everyone in the organization so they are not only aware of the top threat(s), but can assist in mitigating them. The organization then analyzes its current threat intelligence, threat detection, and mitigation, for how well they work at defeating those threats. The best mitigations are applied and then evaluated against those top threats to see how well they really do against minimizing them.

If applied correctly, a data-driven defense more efficiently minimizes initial breaches and resultant hacker activities. It does this by focusing on objectives that:

  • Improve data collection and analysis
  • Collect better threat intelligence
  • Improve threat detection
  • Focus on root causes
  • Improve enterprise communication and coordination
  • Better align mitigations to the most critical threats
  • Increase accountability

A common example

For many years, the most unpatched and exploited piece of software was Sun/Oracle Java. Almost every company I accessed had gobs of unpatched Java, and it was often the number one way they were exploited. In fact, Cisco, in its Cisco 2014 Annual Security Report, indicated that unpatched Java was responsible for 91 percent of all successful web attacks for its customers. That means all other web exploits combined equaled 9 percent!

For reasons I’ll never figure out, instead of working harder to make sure they had less unpatched Java in the future, customers decided they couldn’t fix the problem because of operational concerns and focused on everything else. This was despite the fact that their own data revealed that unpatched Java was the biggest reason they were compromised, and everyone involved in the defense knew it.

So, what I did is show them that if they didn’t fix the unpatched Java problem, that even if they fixed every other computer security threat in the company, it didn’t come close to stopping nearly as much badness. Their own data showed that ignoring or accepting the unpatched Java problem was essentially the whole ball of wax concerning their computer security issues. With the data in hand, they were able to approach senior management and request more resources and authority to focus on the biggest issue in their organization. The data allowed them to push back on operational concerns and get the job done. Data provides support and clarity in an extremely uncertain and chaotic world.

Do you want to defeat hackers and malware? Use your data

I’m 51 years old and have been doing computer security for more than 30 years. I figure I’ve got about 15 years before I retire. I’ve been writing 52 columns a year on a lot of topics in this space since 2005, but regular readers see me coming back to computer security data analytics topic again and again. There is no better way to improve a company’s computer security defense than to spread this message until it seems like common sense to everyone.

If you’re interested in learning more about a data-driven computer security defense, join my free webinar happening March 15. I won’t be selling any products, just a paradigm shift.

Show Comments