Improving Cyber Security Operations Through Security Data Discipline

Software Engineering Institute | Carnegie Mellon University
11 Nov 2021 (26:08)

Summary

TL;DR: In this talk, the speaker explores the challenges of improving security operations in an increasingly complex data environment. Drawing from experience in the Air Force, financial services, and consulting, they emphasize the importance of disciplined data management to enhance threat detection. By leveraging filtering technologies and the MITRE ATT&CK framework, organizations can reduce data volume, improve query performance, and reduce costs, all while maintaining security effectiveness. The speaker highlights the need for security expertise to make informed decisions on which data to filter and stresses collaboration to further enhance security data practices.

Takeaways

  • The speaker has extensive experience in security operations, having led the Air Force's cyber security operations group and its red team, and having worked globally as a GISO for JPMorgan Chase.
  • The rise in data complexity and volume, driven by more devices and data types, has created challenges for security operations and defender tools, particularly with the increase in remote work during the COVID-19 pandemic.
  • Security teams face an overwhelming amount of data, requiring more tools and strategies to sift through it and detect sophisticated attacks, which are becoming more frequent and more advanced.
  • A data filtering strategy that removes unnecessary data and focuses on high-quality, relevant data is essential for improving the effectiveness of security operations and reducing costs.
  • The speaker emphasizes the use of filtering tools and pipelines to manage the flow of data, improving storage efficiency and query speed, which are critical in large-scale security environments.
  • The MITRE ATT&CK framework is a valuable tool for security operations, providing insights into attacker techniques and helping defenders focus on the data most relevant to identifying threats.
  • Data discipline can help organizations reduce the amount of data they handle, which directly leads to lower storage costs and improved query performance in security tools such as SIEMs (Security Information and Event Management systems).
  • A pilot project with an MSSP (Managed Security Service Provider) demonstrated that implementing a data discipline strategy could save up to 60% of data, significantly lowering storage and query costs without compromising security.
  • The filtering process includes evaluating which data fields in logs, such as firewall logs, are essential for security operations and which can be discarded to reduce unnecessary noise in the system.
  • By using business intelligence tools to filter data streams, security teams can efficiently manage large data sets, but they need the right expertise to decide what to filter out based on the security context.
  • Filtering and data discipline are seen as essential practices for combating technical debt, as older devices and legacy systems often generate irrelevant or low-quality data that complicates security operations.

Q & A

  • What is the main concept discussed in the transcript?

    The main concept discussed is improving security operations through data discipline. This involves filtering and managing large volumes of security data to enhance detection capabilities, reduce costs, and improve the efficiency of security operations.

  • How does the speaker's experience in the Air Force contribute to their understanding of security operations?

    The speaker's experience in the Air Force, where they led the cybersecurity operations group and the red team, gave them a strong understanding of both the defensive and offensive sides of cybersecurity. This experience helped them grasp the challenges defenders face and the tactics attackers use to hide within networks.

  • What is the role of the MITRE ATT&CK framework in improving security operations?

    The MITRE ATT&CK framework plays a critical role by providing a structured approach to understanding adversary tactics and techniques. By leveraging this framework, security teams can prioritize data sources, filter out irrelevant information, and focus on detecting specific attack patterns more effectively.

  • How does the speaker describe the challenge of data complexity in security operations?

    The challenge of data complexity in security operations arises from the increasing volume and variety of data, which require a growing number of tools to analyze. This complexity increases operational costs and the risk of missing critical threats, as security teams must sort through vast amounts of data to detect relevant attacks.

  • What specific outcomes did the pilot project with the MSSP achieve in terms of data management?

    The pilot project with the MSSP achieved significant cost savings and operational improvements. By filtering out unnecessary data, they reduced storage costs by 15% and were able to reduce the overall volume of data by up to 60%, saving potentially millions of dollars annually.

  • What role does data discipline play in reducing operational costs for security teams?

    Data discipline helps reduce operational costs by filtering out irrelevant or unnecessary data, which decreases storage requirements and enhances query performance. This allows security teams to focus on high-priority data, reducing storage and processing costs while improving the efficiency of threat detection.

  • Why is filtering out unnecessary data important for improving security operations?

    Filtering out unnecessary data is important because it reduces the amount of irrelevant information that security teams must sift through, improving the speed and effectiveness of their queries. By focusing on high-quality, relevant data, teams can detect threats more quickly and accurately.

  • What is the relationship between technical debt and data discipline?

    Technical debt refers to the challenges of maintaining and upgrading legacy technologies, which often produce a larger volume of irrelevant or low-quality data. As technical debt accumulates, it becomes more difficult to filter out unnecessary data, making data discipline even more crucial to ensure that valuable data can be identified and analyzed effectively.

  • How can AI help with dynamic data filtering in security operations?

    While AI is not yet fully integrated into dynamic data filtering, it has the potential to assist in automating the decision about which data should be filtered. AI could help by analyzing patterns in security data and adjusting filters based on evolving threats, thereby improving the efficiency of data management in security operations.

  • What is the strategic value of using cold storage for certain types of data in security operations?

    Cold storage is valuable for holding less critical data that is not required for immediate analysis but may still be needed for forensic investigations or compliance purposes. By separating high-priority data from less important information, security teams can reduce costs while retaining access to the data when it is required.
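The field-level filtering, record routing and hot/cold tiering that the takeaways and the cold-storage answer above describe, as an added example that is not code from the talk, from the speaker or from SEI. It assumes a generic key=value firewall log format with constructed sample lines; the keep-list of fields, the watched-port list (chosen to cover the lateral-movement services ATT&CK groups under Remote Services, T1021) and the hot/cold/drop rules are illustrative choices for a reader to adapt, not a published policy. The pipeline reports how much of the original byte volume is retained, which is the kind of figure the pilot project in the talk was measured on.

```python
"""Data-discipline pipeline for firewall logs (illustrative, added example).

Three decisions per record, in the order a streaming filter would make them:
  1. drop      - records with no detection or compliance value at all
  2. hot/cold  - route detection-relevant records to the SIEM, the rest to
                 cheap cold storage kept for forensics and compliance
  3. fields    - keep only the fields a detection or investigation needs
"""
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample lines (not from any real device or from the talk). Each
# carries fields a SIEM rarely queries: interface names, vendor free text,
# session ids and firmware version, which the asset inventory already holds.
SAMPLE_LOGS = [
    'ts=2021-11-11T10:00:01Z dev=fw-edge-1 action=allow proto=tcp src=10.1.2.3 sport=51234 dst=10.1.5.9 dport=445 rule=lan-internal bytes_in=1200 bytes_out=880 iface_in=ge-0/0/1 iface_out=ge-0/0/2 vendor_msg="traffic permitted" session=8812 fw_ver=9.1.3',
    'ts=2021-11-11T10:00:02Z dev=fw-edge-1 action=deny proto=tcp src=203.0.113.7 sport=40110 dst=10.1.5.9 dport=3389 rule=block-inbound bytes_in=60 bytes_out=0 iface_in=ge-0/0/0 iface_out=ge-0/0/2 vendor_msg="traffic denied by policy" session=8813 fw_ver=9.1.3',
    'ts=2021-11-11T10:00:03Z dev=fw-edge-1 action=allow proto=tcp src=10.1.2.3 sport=51240 dst=10.1.6.20 dport=8080 rule=lan-internal bytes_in=5100 bytes_out=900 iface_in=ge-0/0/1 iface_out=ge-0/0/3 vendor_msg="traffic permitted" session=8814 fw_ver=9.1.3',
    'ts=2021-11-11T10:00:04Z dev=fw-edge-1 action=allow proto=tcp src=10.1.0.5 sport=60001 dst=10.1.0.1 dport=443 rule=health-check bytes_in=300 bytes_out=300 iface_in=ge-0/0/1 iface_out=lo0 vendor_msg="traffic permitted" session=8815 fw_ver=9.1.3',
    'ts=2021-11-11T10:00:05Z dev=fw-edge-1 action=allow proto=tcp src=10.1.2.3 sport=51250 dst=198.51.100.4 dport=443 rule=outbound-web bytes_in=88000 bytes_out=2400 iface_in=ge-0/0/1 iface_out=ge-0/0/0 vendor_msg="traffic permitted" session=8816 fw_ver=9.1.3',
]

# Fields a connection-level detection or investigation actually consumes.
# Everything else is dropped at ingest (assumed policy for this example).
KEEP_FIELDS = frozenset({
    "ts", "dev", "action", "proto", "src", "sport", "dst", "dport", "rule",
    "bytes_in", "bytes_out",   # byte counts stay: volume matters for exfil hunting
})

# Internal-to-internal flows on these ports go hot even when permitted,
# because lateral movement over SSH/SMB/RDP (ATT&CK Remote Services, T1021)
# looks like ordinary allowed traffic on the firewall.
WATCHED_PORTS = frozenset({22, 445, 3389})

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# counts documentation/test ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules whose records carry no security or compliance value (assumption).
DROP_RULES = frozenset({"health-check"})


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value line; shlex handles quoted values."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def route(rec: Dict[str, str]) -> str:
    """Decide 'drop', 'hot' (SIEM) or 'cold' (retention tier) for a record."""
    if rec.get("rule") in DROP_RULES:
        return "drop"
    if rec.get("action") != "allow":
        return "hot"                       # every deny is worth an analyst query
    try:
        internal_only = is_internal(rec["src"]) and is_internal(rec["dst"])
        dport = int(rec.get("dport", "0"))
    except (KeyError, ValueError):
        return "hot"                       # malformed record: never discard silently
    if not internal_only or dport in WATCHED_PORTS:
        return "hot"
    return "cold"


def reduce_fields(rec: Dict[str, str]) -> Dict[str, str]:
    """Keep only KEEP_FIELDS, preserving the original field order."""
    return {k: v for k, v in rec.items() if k in KEEP_FIELDS}


def serialize(rec: Dict[str, str]) -> str:
    """Re-emit in the same key=value form so byte counts compare fairly."""
    return " ".join(f"{k}={v}" for k, v in rec.items())


def run_pipeline(lines: List[str]) -> dict:
    """Filter, route and reduce a batch; report what survived and the saving."""
    out = {"hot": [], "cold": [], "dropped": 0}
    original_bytes = retained_bytes = 0
    for line in lines:
        original_bytes += len(line.encode())
        rec = parse_kv(line)
        tier = route(rec)
        if tier == "drop":
            out["dropped"] += 1
            continue
        slim = reduce_fields(rec)
        retained_bytes += len(serialize(slim).encode())
        out[tier].append(slim)
    out["original_bytes"] = original_bytes
    out["retained_bytes"] = retained_bytes
    out["reduction"] = 1 - retained_bytes / original_bytes if original_bytes else 0.0
    return out


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    print(f"hot={len(result['hot'])} cold={len(result['cold'])} "
          f"dropped={result['dropped']} reduction={result['reduction']:.0%}")
```

The routing function deliberately sends anything it cannot parse to the hot tier: a filter that silently discards malformed input is exactly the kind of blind spot the talk warns about, and the decision of what to drop needs the security expertise the speaker describes, not just a data-engineering rule.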


Related Tags

Security Operations, Data Filtering, MITRE ATT&CK, Threat Detection, Cybersecurity, Data Discipline, Cost Optimization, Security Analytics, Enterprise Security, Data Management, Cybersecurity Trends