By Rahim Jina, COO and Co-Founder, edgescan
Data, data everywhere but few bits still of use. This is one big problem that today’s organizations, no matter what size, struggle with: the oversaturation of data.
Organizations face a virtual hosepipe of data when attempting to protect themselves and their customers. Being able to get meaningful information out of this pipe is key. This is a common theme, frequently recited and discussed. Even at the recent RSA Conference 2019 in San Francisco, we found this topic and problem are still relevant: How can we reduce the white noise and turn that hosepipe to a trickle of refined information?
Part of this problem may stem from the human condition of being impressed by and expecting “more.” Many of the security tools that you may have used tend to be very “noisy” right out of the box, offering much data, but oftentimes little accurate information. Unfortunately, this paradigm is common across the security industry. We are conditioned as consumers to expect large reports, or to be presented with vast data sets, the thinking being that more is better, regardless of how trivial, inaccurate or even meaningless the information is.
If we receive a small report with few findings, or we are presented with a near-empty dashboard, we believe something must be wrong, or the service/product must not be any good. It really is hard to think of any other industry in which the user is happy to pay the bill for a service or product that may contain mostly inaccurate information.
Increased risk in new D2C products
With the convergence afoot in traditional media and telecommunications organizations and the move to start direct-to-consumer internet-based services, these industries face new risks and challenges. One problem specific to the media industry is that internet assets can be transient in nature, only being relevant for days to months. Therefore, traditional methodologies for securing these systems are not as relevant. Moving from one-way engagement with consumers to full two-way interaction introduces additional risks which may not be familiar, giving rise to an increased attack surface and compliance obligations.
We know there is a big difference between data and information, so where do we start? One useful approach is to engage in a two-step process. We need to process the data in order to greatly reduce the level of white noise. This could be done utilizing clever algorithms, signatures or even a degree of AI (or more accurately, machine learning).
These solutions, however, are nowhere near as sophisticated as the security industry markets them to be.
Once we are left with real data, we need to understand that not all of it is useful. What is useful is being able to categorize this data and to apply modern risk management methodologies to it, informed by experience and business context. (Context is key!) Then we can prioritize the data set to produce actionable intelligence that can provide a pragmatic pathway for an organization to improve its security posture.
Start small, but have a plan
Even with your own tooling, a useful approach is to turn the tap on slowly. Rather than testing or attempting to find every issue, why not focus on a small subset of critical or high-risk types of issues only? Once this has been embedded for a period of time and both operations and development are happy with the process, results and remediation, then enable more tests and widen the ruleset. Iteratively refine, tune and retune.
In the world of vulnerability management, not all vulnerabilities are created equal. Even the same type of issue will present different risks to an organization depending on a number of factors, such as the type of system it was found in, where in the system it was found and what that system is connected to. Moving to a hybrid of traditional penetration testing and vulnerability management, coupled with high-frequency, regular or on-demand testing, can help provide an organization with meaningful, intelligent and actionable data.
Rather than being conditioned around negative security (more is less), we need to move towards positive security (less is definitely more!).