John Smith, principal solution architect at Veracode, discusses the responsibility of vendors to ensure that cybersecurity analytics data is actionable.
As cyber threats have evolved in number and complexity, so have the security methods deployed to tackle them. Traditional automated solutions, such as simple vulnerability scanning or anti-virus solutions, are increasingly challenged by emerging threats, and many companies are now looking to analytics to help fine-tune their cybersecurity. Cybersecurity analytics are beginning to play an important role in companies’ cybersecurity programmes. But with a different analytics package for every layer of the IT environment, many IT directors are overwhelmed by the high quantity of data. As a result, much of the potential of these programmes is lost in a data deluge with reduced results.
Too much data
The mass of data churned out by cyber analytics, coupled with little understanding of how to determine its actionable insights, is posing a significant problem to many IT teams. Security information and event management (SIEM) technology, which provides real-time analysis and generates security alerts for issues discovered across network hardware and applications, is one such technology which remains at the core of many cybersecurity strategies yet increasingly struggles to provide actionable intelligence. The Internet of Things, Cloud and BYOD (bring your own device) have driven up the size of IT environments and the amount of data they hold. This has resulted in SIEM tools merely flagging more alerts, with no prioritisation or intelligence on how to mitigate these threats. As a result, these alerts often go ignored, providing no great value to the team nor improving the company’s cyber defences.
Few companies have the resources to analyse, prioritise and action the massive quantity of data and noise that cyber analytics throws up. Instead, these programmes must look to provide valuable insight to give the security team the best chance at securing its IT environment.
Acting on principle
Before the security team can begin to effectively action the cyber analysis, it’s crucial that they understand the security principles behind the threat. Application security is, in this sense, especially difficult to action due to there being no standards defining which criticality of defects are acceptable, what an acceptable security flaw density is, or even what remediation timeframe is adequate.
Application analytics programmes have an important role for security teams in detecting flaws, but many solutions are just throwing up numbers and alerts without context. In a threat space which continues to grow in sophistication and size – but where the understanding of the landscape is relatively poor – the lack of actionable information could lead to disastrous consequences for businesses.
Getting the principles of application security right is crucial, and many of our tuned-in customers look to us to help them benchmark their performance to gauge the standard of their security measures. When asking whether a company has more serious security vulnerabilities than its peers, or if it remediates a higher percentage of vulnerabilities than its peers, many organisations face a startling wake-up call.
With many businesses still only assessing a small percentage of their applications, this actionable insight is essential to ensure that they are making the right decision when it comes to their cyber defences.
With no clear standards around application security, benchmarking is an essential means of deriving actionable insights from analytics data. As such, earlier this year Veracode launched its State of Software Security report to provide companies with an understanding of benchmarks across different industries, looking at the percentage of compliant applications that companies have on their networks. The financial services industry demonstrated its clear grasp of the current standards for software security with 42 percent of their applications compliant with the OWASP Top 10 Policy (the widely accepted standard for application security) on first risk assessment.
While positive for the industry’s cyber confidence as a whole, this report serves as more than an accolade for successful companies. Rather, it shows any financial services company with a far lower percentage of compliant applications that significantly more work needs to be done to reach the industry standard for software security. And while the CISO or IT director may already be aware of this, this benchmark allows them to demonstrate to the board that further investment is needed in this area to ensure a suitable level of security.
Every IT environment has its own unique strengths and weaknesses, but analytics has the potential to revolutionise how we approach cybersecurity. Providing clear analysis of the networks, endpoints and applications can help IT directors move away from the expensive and excessive one-size-fits-all approach to cybersecurity, and adopt a programme adapted to the company’s own needs instead.
However, we need to decode cybersecurity analytics before we can achieve this and ensure the intelligence is actionable. The security industry has a responsibility to ensure that customers using analytics programmes have the tools to formulate usable insight. Rather than adding to the noise and confusion, we must break it down so that, with little interpretation, it has a practical purpose for an organisation.