The cybersecurity ‘fog of war’: How to apply data science to cut through
The article examines the "fog of war" problem that cybersecurity teams face when responding to fast-changing cyberattacks, and proposes four pillars for better decision-making: situational awareness, threat intelligence, incident response planning and anomaly detection. It also stresses the importance of data science for addressing data management, threat synthesis, detection engineering and team skills. 2025-3-6 14:43:34 Author: securityboulevard.com

One of the biggest problems cybersecurity teams face is the overwhelming uncertainty of a situation as a cyberattack unfolds. It’s hard to know which mitigations to work on first, which systems are most likely to cause business loss as a threat moves rapidly across a network, and how to fix root problems as responders dig into an incident.

As security expert Derek Fisher opined in a recent
think piece in his blog Securely Built on this issue:

“Just as military commanders contend with the fog of war, cybersecurity professionals face their own version of a cloudy environment while defending organizations. The information moves quickly and it’s not always evident what the issue is and what the appropriate response should be.”

As Fisher laid it out in his post, there are currently four pillars in a mature security leader’s playbook for breaking through that fog:


  • Situational awareness of the environment that’s fed from security telemetry from tooling like SIEM, IDS/IPS, EPP, and scanning tools,
  • Threat intelligence to understand TTPs and targeting behavior to help drive prioritization of vulnerability management for those flaws most likely to be soon exploited,
  • Incident response planning (and testing) to put action on rails and provide decision clarity during moments of chaos, and
  • Anomaly detection with machine learning to identify and respond to threats more quickly and accurately.

These foundational pieces are not new to veteran security leaders. Most mature programs have all of these components deeply embedded into their frameworks. But many organizations still struggle to cut through the fog and make on-the-ground decisions that improve security outcomes because of difficulty with data science.

Here are the key data science challenges behind the fog of war in cybersecurity incidents, and four pillars for applying data science to cut through it.


SecOps’ data science challenges

As Fisher acknowledged in his Substack post, security teams need analytical force multipliers to deal with all of the data streaming into the SOC from all of the security monitoring tools spread across the network and application stack. Beating back uncertainty during a fast-moving incident is not just a matter of looking at telemetry, but in getting fast snapshots at security insights to inform decisions.

That’s why threat intel and ML-based anomaly detection are part of those four pillars — they’re what helps enrich and contextualize the data. This is what turns visibility into prioritized action.

The problem is that there’s no one-size-fits-all defined set of telemetry data sources that’s going to work for every organization, no consensus on data formatting, no singular way to analyze security data, and no single perfect source of threat intel that can consistently transform everything into meaningful insights. Also, the bad guys regularly game the system to hide themselves in all of the security noise.

The four pillars are a great start at gaining clarity through the fog — but there’s also a lot of data science and data management work that needs to happen at the practitioner- and vendor-level to get it right, said Balazs Greksza, threat response lead at Ontinue.

Greksza said that selecting appropriate, high-quality data sources is really the key to helping leaders come to the right conclusions in the heat of the moment. “Security is a ‘right information and intelligence at the right time’ problem,” he said.

Here are four key pillars that can help your team break through security incidents with data science.

1. More effective data management

SOC teams need to pay close attention to data selection, data normalization, and data quality in order to feed not only their anomaly detection but also their decisioning automation. Otherwise they’re facing a garbage-in, garbage-out problem with any of the whiz bang security tools that make big claims with either automating or orchestrating security decisions in the heat of an incident.

Experienced SOC responders increasingly recommend avoiding a kitchen-sink approach to adding new data sources: security teams need to drive data selection with very clear objectives and requirements, and layer that with solid data normalization practices, Greksza said.

“Data integrations should serve a purpose and have a perceived value beforehand, to help prioritize the meaningful ones. Following through on data normalization and quality, integration and contextualization also impacts both the effectiveness and overall capability of Security Operations teams.”
Balazs Greksza

One of the thorniest issues that security operations (SecOps) teams face on this front is data quality. This is something the vendor community will need to put more work into in the coming years, said Shane Shook, venture partner at Forgepoint Capital. Security operations depend on quality information. Automation for ingesting data for analysis is widely available, but automation for data quality is currently scarce, Shook said.

“Simply excluding ‘unfit’ records in analytics pipelines leads to false negatives that can critically impede sequential analyses — such as the MITRE ATT&CK framework. While focus on derivative analytics continues to advance with ML and Generative AI, more fundamental focus on data completeness and quality is important.”
Shane Shook
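Shook’s point about excluded records is easy to see in code. The following example (added here, not from the article or any vendor) normalizes two constructed log formats into one schema, records missing fields as a quality flag instead of dropping the record, and runs a simple sequential detection (repeated failures followed by a success from one source) once with the incomplete record kept and once with it excluded. All event lines, field names and the threshold are constructed for illustration.

```python
import json
import re

# Constructed sample telemetry: syslog-style sshd lines plus one JSON event
# that lacks the "user" field (the kind of record a pipeline might call "unfit").
RAW_EVENTS = [
    "Jan 01 10:00:01 host1 sshd: Failed password for root from 10.0.0.5",
    "Jan 01 10:00:02 host1 sshd: Failed password for root from 10.0.0.5",
    '{"ts": "10:00:03", "src": "10.0.0.5", "outcome": "failure"}',
    "Jan 01 10:00:04 host1 sshd: Accepted password for root from 10.0.0.5",
]

SYSLOG_RE = re.compile(
    r"^\w{3} \d+ (?P<ts>[\d:]+) \S+ sshd: (?P<outcome>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<src>[\d.]+)$"
)


def normalize(line):
    """Map a raw line onto the common schema. Fields that cannot be filled
    become None and are listed under 'quality' rather than discarding the record."""
    rec = {"ts": None, "src": None, "user": None, "outcome": None}
    m = SYSLOG_RE.match(line)
    if m:
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        rec.update(ts=m["ts"], src=m["src"], user=m["user"], outcome=outcome)
    else:
        try:
            obj = json.loads(line)
        except ValueError:
            obj = {}
        rec.update(ts=obj.get("ts"), src=obj.get("src"),
                   user=obj.get("user"), outcome=obj.get("outcome"))
    rec["quality"] = [k for k, v in rec.items() if v is None]
    return rec


def detect_brute_force(records, threshold=3, drop_unfit=False):
    """Return source IPs with >= threshold consecutive failures followed by a
    success. drop_unfit=True mimics a pipeline that excludes flagged records."""
    hits, streak = set(), {}
    for r in records:
        if (drop_unfit and r["quality"]) or r["src"] is None:
            continue  # a record with no source cannot be sequenced at all
        if r["outcome"] == "failure":
            streak[r["src"]] = streak.get(r["src"], 0) + 1
        elif r["outcome"] == "success":
            if streak.get(r["src"], 0) >= threshold:
                hits.add(r["src"])
            streak[r["src"]] = 0
    return hits
```

With the flagged record kept, the sequence is detected; with it excluded, the failure count never reaches the threshold and the detection goes silent, which is exactly the false negative Shook describes.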

2. Better threat synthesis

There’s more opportunity for automation in SecOps around threat synthesis for decision support, Shook said. ML is good at simple anomaly detection, but security teams need to find ways to embed AI more deeply into modeling complete threat scenarios, including business context and a synthesis of threat intelligence information, he said.

A recurring problem with threat intelligence management and related SecOps management is the lack of context describing the threat, Shook explained.

“The context of a threat detected by security operations is critical to assess in the context of risk it represents to targeted functions of the organization. AI offers opportunities for modeling varied risk context and threat scenarios at scales and magnitudes that are currently impossible for security operations teams who rely on manual analytics and interactive functional/operational team exercises.”
Shane Shook

Improved synthesis could drive improvements in security playbooks for incident response, he said.

3. Enhanced detection engineering

One of the issues with vendor-driven anomaly detection is that out-of-the-box tuning doesn’t specifically account for the unique threat landscape of each organization that’s using it, said Or Saya, cybersecurity architect for CardinalOps. “It is important to acknowledge that while AI detection rules in security products are valuable, they may not cover all scenarios,” Saya said. 

He recommends that SOC teams implement a detection engineering strategy for creating custom detection rules tailored to their environment, industry, and specific risks.

“These custom rules can enhance the precision of threat detection and response by addressing context-specific threats that may not be covered by generic AI rules.”
Or Saya

4. Layering data science skills into SOC teams

Finally, SecOps teams need to think long-term about their data science skills mix. Many security departments depend solely on their vendors to do the data science heavy lifting, but achieving true excellence in data management and analytics is going to require at least basic levels of data science competence from internal staffers.

Greksza said he recommends hiring lifelong learners who are willing to start boning up on data science principles and maybe even helping them on that learning path with job rotations and cross-training support.

“Build cross-functional skills in your teams. Data scientists with security exposure and security experts with interest in data visualization and statistics excel delivering value together.”
Balazs Greksza

A solid foundation is key

Fisher noted in his think piece that security teams are always going to be balancing the need to act swiftly with the risk of misjudging a situation because iron-clad information about what’s truly occurring during an incident is lacking. With core tooling fundamentals — and the data science pillars — your organization can provide better confidence in the insights provided by the security data to cut through the fog of cybersecurity war.

*** This is a Security Bloggers Network syndicated blog from Blog (Main) authored by Ericka Chickowski. Read the original post at: https://www.reversinglabs.com/blog/cybersecurity-fog-of-war-data-science


Article source: https://securityboulevard.com/2025/03/the-cybersecurity-fog-of-war-how-to-apply-data-science-to-cut-through/?utm_source=rss&utm_medium=rss&utm_campaign=the-cybersecurity-fog-of-war-how-to-apply-data-science-to-cut-through