Top tips for CISOs

by Mark Rowe

Before starting any data security analysis, CISOs [chief information security officers] need to consider these questions, writes Mario Duarte, Vice President of Security, at the data cloud company Snowflake:

  • Are there any false positives when security vendors flag threats?
  • How are most production environment vulnerabilities introduced?
  • How long does it take for remediation teams to roll out critical patches?
  • How does that vary across different clouds?

These insights help to drive accountability, which has been in short supply in the security industry. CISOs, however, do not often have a unified view of what’s happening as information is spread across different systems and tools, and the data is not retained long enough to unlock valuable patterns and insights. Due to this lack of information, CISOs will often fail to hold vendors, teams, and processes accountable.

This is where data lakes come in to tackle these challenges, as an architecture that consolidates security data regardless of its quantity and variety. Data lakes enable security leaders to drive real accountability across organisations in two ways. First, the architecture separates storage from compute, which makes it cost-effective to store security data at scale for longer. Second, it brings security data into the company’s general-purpose analytics platform, adding context and delivering insights through standard reporting tools.

Here are examples for CISOs and security leaders to drive accountability via security data lakes.

Use data to evaluate vendors

Most companies select and evaluate security vendors based on simple criteria, like whether they support certain data sources and applications. A lack of information keeps decision-makers from evaluating vendors on more meaningful factors like threat detection performance or vulnerability prioritisation accuracy.

Security data lakes allow you to identify gaps between the insights vendors provide and what your organisation actually experiences. Analysing data from your ticketing system, for instance, allows you to see how many threats detected by a vendor were false positives, or how many vulnerability findings turned out to be irrelevant.

A security product may work great in other companies’ environments, but less well in your own. If you can measure performance across the metrics that matter to you, you can work with your vendor to help them improve — or determine that you need a better tool.

Adjusting the workflows

If remediation teams aren’t addressing vulnerabilities quickly enough on a consistent basis, access to historical data helps to uncover those problems and identify processes that may need updating to help them work more effectively. Maybe workflows need to be adjusted, for example, or the team needs to be restructured to meet its SLAs.

A security data lake allows you to apply context at query time from non-security sources. For example, you can combine termination data provided by HR with security access policies to flag when an employee has an active user ID after they’ve left the company. You can also correlate data about awareness trainings, phishing exercises, and actual malware cases to show how departments that don’t complete trainings are at greater risk of compromise.
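As an added example (not from the article, and not Snowflake's own code), the two analyses described above expressed as queries over an in-memory SQLite stand-in for the data lake: the vendor false-positive rate derived from ticket outcomes, and the query-time join of HR leaver records against identity-system accounts. Table names, columns and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data (not from the article): vendor alerts, the analyst
# ticket each alert produced, HR leaver records and identity-system accounts.
ALERTS = [(1, "VendorA", 101), (2, "VendorA", 102), (3, "VendorA", 103),
          (4, "VendorB", 104), (5, "VendorB", 105)]      # (alert_id, vendor, ticket_id)
TICKETS = [(101, "true_positive"), (102, "false_positive"),
           (103, "false_positive"), (104, "true_positive"), (105, "true_positive")]
TERMINATIONS = [("e100", "2024-03-01"), ("e200", "2024-04-15")]  # (employee_id, last_day)
ACCOUNTS = [("alice", "e100", "active"), ("bob", "e200", "disabled"),
            ("carol", "e300", "active")]                  # (user_id, employee_id, status)

def build_lake():
    """In-memory SQLite stand-in for the security data lake, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE alerts(alert_id INT, vendor TEXT, ticket_id INT);
        CREATE TABLE tickets(ticket_id INT, outcome TEXT);
        CREATE TABLE hr_terminations(employee_id TEXT, last_day TEXT);
        CREATE TABLE accounts(user_id TEXT, employee_id TEXT, status TEXT);
    """)
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO tickets VALUES (?, ?)", TICKETS)
    conn.executemany("INSERT INTO hr_terminations VALUES (?, ?)", TERMINATIONS)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn

def vendor_false_positive_rates(conn):
    """Share of each vendor's alerts that analysts closed as false positives (0.0-1.0)."""
    rows = conn.execute("""
        SELECT a.vendor,
               ROUND(AVG(CASE WHEN t.outcome = 'false_positive' THEN 1.0 ELSE 0.0 END), 2)
        FROM alerts a JOIN tickets t ON t.ticket_id = a.ticket_id
        GROUP BY a.vendor ORDER BY a.vendor""").fetchall()
    return dict(rows)

def orphaned_accounts(conn, as_of):
    """User IDs still active although HR recorded the owner's last day before as_of."""
    return conn.execute("""
        SELECT acc.user_id, h.last_day
        FROM accounts acc JOIN hr_terminations h ON h.employee_id = acc.employee_id
        WHERE acc.status = 'active' AND h.last_day < ?
        ORDER BY acc.user_id""", (as_of,)).fetchall()

if __name__ == "__main__":
    lake = build_lake()
    print(vendor_false_positive_rates(lake))      # {'VendorA': 0.67, 'VendorB': 0.0}
    print(orphaned_accounts(lake, "2024-05-01"))  # [('alice', '2024-03-01')]
```

The same two queries run unchanged on a warehouse such as Snowflake once the ticketing, HR and identity exports land in tables of this shape; the join keys (ticket id, employee id) are what make the cross-source context possible.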

Unified and transparent data

When teams are shipping new components into your infrastructure, a security data lake can help track whether vulnerabilities are consistently coming from the same groups — whether that’s developers, SREs, or some other entity. This kind of insight is difficult to achieve when data is spread across multiple tools and stored for short periods of time. With quantified metrics backed by data, security teams can fulfil their role in a shared responsibility model.

Driving accountability to improve performance and security

The ultimate goal of accountability is to support teams in doing their jobs better and to raise the business’s overall security posture, instead of driving down morale and naming and shaming individuals. Security teams can only manage what they measure. CISOs face increasingly complex threats, as well as higher standards set by boards, regulators, and customers. Driving accountability helps the entire team to succeed.

Snowflake is hosting a data cloud summit in San Francisco from June 3 to 6, 2024.
