Today’s security leaders face many challenges. There’s more than enough data flowing from the overlapping tools that comprise their security stacks. The challenge is cost-effectively transforming all that data into measurements that continuously nurture actionable insights.
These insights are the fuel that powers enterprise security performance and productivity. They are also the keys that enable security leadership to unlock demonstrable security program value.
Yet extracting insights from the flood of data that multiple security tools emit, in multiple formats and from multiple sources, is not a simple task.
When it comes to leveraging security data to manage operations, organizations currently choose one of three options:
1. Manual collection and analysis of data from the security stack
Relevant Subject Matter Experts (SMEs) or operations teams export data and ship it to you. Then you analyze it by hand with the tools you already have and manage it all in Excel. The problem is that this keeps your SMEs doing data analysis for long stretches of time, when what most organizations need in cybersecurity is all hands on deck. Plus, by the time all that is done, you are looking at last week's insights if you are lucky. More likely, last month's.
2. Outsourcing
Many organizations choose to outsource their security analytics programs to consulting companies. This requires a team dedicated to your organization that works with your SMEs to extract and analyze the data and ultimately sends you a report based on its findings. The report is generally accurate as of the date you sent them the data, which is usually several months earlier. And the price tag is steep enough that most organizations cannot afford to commission a report like this more than once a year.
3. Homegrown metrics programs
With this option, currently favored by many organizations that have the resources, you build a pipeline that automatically moves data from each tool in your security stack to one central place, what is now being called a security data lake. Then you normalize the data, decide how and what to measure, analyze it with your existing BI tools, and presto, insights! Right?
Building homegrown metric programs is a lot harder than you’d think.
Here’s what it takes...
#1 Creating a security data lake
A security data lake is essentially a single repository for all cybersecurity data, structured and unstructured. It’s potentially a single source of cybersecurity truth – one of the key building blocks of insights. And it’s a great way to ingest, organize, store, and manage data flowing from your security stack.
At the same time, any data lake that is mismanaged is in danger of turning into a data swamp. An enterprise security stack requires a big-data pipeline, big-data storage and big-data analysis tooling. Running the analysis in SIEM tools, which are not optimized for large-scale analytics, won't cut it.
#2 Normalizing the data
If you manage to get the resources to build that pipeline, you are halfway there. The thing is that security tools produce a lot of "noisy" data, and each uses its own data structures and terminology.
Different security products can express the same fact in different ways, so the data analysts will need to work out how to ensure you are measuring the same thing when the data comes from different sources.
The problem is that data engineers and data analysts are data experts, not security experts. They need the SMEs to provide the security context. For example, they would need to know that Intune can list the same device twice for various reasons, such as after a user upgrades the OS version.
They would also have to correlate data from different tools accurately in order to enrich the measurements and metrics, which would otherwise be inaccurate, incomplete and therefore not actionable.
So, once again, the SMEs need to be involved. They spend time cleaning the data and supplying context alongside the analysts, and as a result the organization loses valuable security resources to data analytics work.
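To make the normalization and correlation work in #1 and #2 concrete, here is an added example (not code from SeeMetrics or from the original post). It takes two constructed inventories, one shaped like an Intune managed-device export and one from a hypothetical EDR console whose field names are assumptions, collapses the duplicate Intune row created by an OS upgrade, keys both sources on the same canonical hostname, and then derives a single metric, EDR coverage of actively managed devices, together with the device lists that explain it.

```python
"""Normalize and correlate device inventories from two security tools.

All sample data below is constructed for this example. INTUNE_EXPORT mimics
the field names of a Microsoft Intune managed-device export; EDR_EXPORT is a
hypothetical EDR agent inventory whose field names are assumptions.
"""
from datetime import datetime, timezone

# Constructed sample: LAPTOP-0042 appears twice because it was re-enrolled
# after an OS upgrade (the Intune duplicate described in the text).
INTUNE_EXPORT = [
    {"deviceName": "LAPTOP-0042", "azureADDeviceId": "a1", "osVersion": "10.0.19045",
     "lastSyncDateTime": "2024-03-01T08:00:00Z"},
    {"deviceName": "laptop-0042", "azureADDeviceId": "a1", "osVersion": "10.0.22631",
     "lastSyncDateTime": "2024-03-10T09:30:00Z"},
    {"deviceName": "DESKTOP-0007", "azureADDeviceId": "b2", "osVersion": "10.0.22631",
     "lastSyncDateTime": "2024-03-09T12:00:00Z"},
    {"deviceName": "DESKTOP-0008", "azureADDeviceId": "d4", "osVersion": "10.0.22631",
     "lastSyncDateTime": "2024-03-10T07:15:00Z"},
    {"deviceName": "LAPTOP-0099", "azureADDeviceId": "c3", "osVersion": "10.0.19045",
     "lastSyncDateTime": "2024-01-15T12:00:00Z"},
]

# Constructed sample from a hypothetical EDR console: different field names,
# fully qualified lower-case hostnames and a different timestamp format.
EDR_EXPORT = [
    {"hostname": "laptop-0042.corp.example", "agent_version": "7.2", "last_seen": "2024-03-10 09:45:00"},
    {"hostname": "desktop-0008.corp.example", "agent_version": "7.1", "last_seen": "2024-03-10 06:50:00"},
    {"hostname": "build-srv-01.corp.example", "agent_version": "7.2", "last_seen": "2024-03-10 02:00:00"},
]

# Fixed "as of" date so the report is reproducible offline.
REPORT_AS_OF = datetime(2024, 3, 11, tzinfo=timezone.utc)


def canonical_host(name: str) -> str:
    """Lower-case and strip any DNS suffix so both tools key on the same string."""
    return name.strip().lower().split(".")[0]


def parse_ts(value: str) -> datetime:
    """Accept both ISO-8601 'Z' timestamps and 'YYYY-MM-DD HH:MM:SS'."""
    value = value.strip()
    if value.endswith("Z"):
        return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def normalize_intune(records):
    """Return {host: record}, keeping only the most recently synced row per device.

    Deduplicating on azureADDeviceId rather than deviceName is what collapses
    the OS-upgrade duplicate into one device carrying its current OS version.
    """
    latest = {}
    for r in records:
        key = r["azureADDeviceId"]
        ts = parse_ts(r["lastSyncDateTime"])
        if key not in latest or ts > latest[key]["last_sync"]:
            latest[key] = {"host": canonical_host(r["deviceName"]),
                           "os_version": r["osVersion"], "last_sync": ts}
    return {v["host"]: v for v in latest.values()}


def normalize_edr(records):
    """Return {host: record} using the same canonical host key as Intune."""
    return {canonical_host(r["hostname"]): {"agent_version": r["agent_version"],
                                            "last_seen": parse_ts(r["last_seen"])}
            for r in records}


def edr_coverage(managed, edr, now, stale_days=30):
    """Correlate the two inventories into one metric plus the evidence behind it.

    coverage_pct = active managed devices with an EDR agent / active managed devices.
    Devices not synced within stale_days leave the denominator and are reported
    separately, so a dead enrollment neither inflates nor hides the gap.
    """
    active = {h: r for h, r in managed.items() if (now - r["last_sync"]).days <= stale_days}
    covered = sorted(h for h in active if h in edr)
    missing = sorted(h for h in active if h not in edr)
    stale = sorted(h for h in managed if h not in active)
    edr_only = sorted(h for h in edr if h not in managed)
    return {
        "coverage_pct": round(100 * len(covered) / len(active), 1) if active else 0.0,
        "covered": covered, "missing_edr": missing,
        "stale_in_intune": stale, "edr_only": edr_only,
    }


def sample_report():
    """Run the whole pipeline on the constructed inputs."""
    return edr_coverage(normalize_intune(INTUNE_EXPORT), normalize_edr(EDR_EXPORT), REPORT_AS_OF)


if __name__ == "__main__":
    managed = normalize_intune(INTUNE_EXPORT)
    print(f"Managed devices: {len(managed)} (raw Intune rows: {len(INTUNE_EXPORT)})")
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The point of the dedup key and the staleness cut-off is exactly the security context the text says analysts lack: without the SME telling them that `azureADDeviceId` is the stable identity and that a device unseen for a month should not count as "managed", the coverage number would be computed over five rows instead of three active devices and would be wrong in both directions.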
#3 Deciding what to measure
There is no single standard for what to measure, how to measure it, what counts as a 'good' or 'bad' KPI, or how to make the findings clear to non-technical stakeholders.
You want to measure what matters, as well as what you want to improve. You don’t want measurements that just produce noise – the type that, even if you improve them, don’t actually improve your security posture or security stack performance.
Untangling this knot takes ongoing input from the CISO, the deputy CISO, operational heads and analysts. These stakeholders and their teams all need to be aligned on what’s being measured, what they gain from these measurements, how to use the metrics derived from the measurements, and how to translate these into action items and priorities based on the relevant business objectives. They'd also benefit tremendously from knowing how others in the industry are measuring and benchmarking, and what is being defined as good vs bad, information that is currently not accessible to them.
However you choose to work, metrics programs are a strategic organizational resource and a significant time and capital investment. That is, unless you automate the entire process with a Cybersecurity Performance Management (CPM) platform.
For the first time, CPM platforms let you work in an organized manner with data derived directly from your stack. You can keep a constant pulse on your operations with automated, customizable, off-the-shelf solutions that do the work for you.
Take SeeMetrics, for example.
Our solution handles all the steps above, out-of-the-box. It consolidates data directly from the security stack, into a security data lake, and normalizes it, offering a comprehensive list of metrics and thresholds born of deep research and benchmarking with hundreds of CISOs. With SeeMetrics, you can customize the thresholds and adjust your views based on the relevant context and zoom in and out of the macro level performance and the underlying metrics that explain them. Finally, you can gain the insights you need to validate your security programs, build your roadmap and ensure enterprise security without having to invest huge resources and time to get there. And, it’s all in real-time.