Page 40 - FCW, August 2019

The Next Wave of Cybersecurity
Learn more at Carah.io/Cyber-Corelight
The case for open,
data-driven cybersecurity
Agencies are turning to data-rich, and often open source-based, tools for security insights
In the past 10 years, cybersecurity best practices moved from protection to detection and response. Today, the lens is refocusing again on data-driven security. Incident response teams, threat hunters and security operations centers need visibility into what's happening on their networks so they can make fast sense of their traffic and move at the speed of attacks.
At the federal level, the shift toward data-centric defense can be seen in both agencies’ adoption of the National Institute of Standards and Technology’s Risk Management Framework and the use of Zeek, an open-source network analysis framework, by agencies as diverse as the Energy and Defense departments.
Gathering all the right data
Data-centric security relies on the right data. Without that, it’s a herculean effort to understand what’s going on. There are three key data sources, which play different roles: Threat intelligence gives agencies an external perspective, the network provides both breadth across the organization and an unalterable record of events, and the endpoint gives depth.
For a high-level, strategic view, agencies need to have all three of those bases covered. If they don’t, it will take significantly longer to find threats, and some won’t be discovered. That puts organizations in the difficult position of not knowing what they don’t know.
Open source-based tools are crucial for ensuring that agencies have good data to work with when building a defensive program. Such tools provide data that is adaptable, extensible and often irreplaceable. If the right information isn’t in the raw data, no amount of post-processing or analytics will ever compensate for that.
Furthermore, when agencies customize data and detections to their own environments, attackers can’t test them in advance as they can with fixed commercial tools, which strengthens overall defense.
Addressing alert fatigue
Unfortunately, many organizations have become data-light and alert-heavy. They are overwhelmed with false positives and the challenge of knowing how to respond.
Fortunately, the right data can help agencies fine-tune the alerting systems they already have.
For example, an initiative from the open-source community can help agencies connect their existing technologies. Community ID is a common way to identify a network flow across security tools such as Suricata, Elastic and Zeek. This incredibly simple approach uses data to connect alerts directly to the data needed to investigate them, helping defenders do their jobs better.
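The flow identifier described above is worth seeing in code. The block below is an added example, not code from the article or from Corelight: it implements the version-1 Community ID for TCP/UDP/SCTP flows (a 2-byte seed, the two addresses ordered so the lower address and port come first, the protocol number, a zero pad byte and the two ports, hashed with SHA-1 and base64-encoded behind a "1:" prefix) and then uses it to group a constructed Zeek conn.log row and a constructed Suricata alert that describe the same connection from opposite directions. The records, addresses and ports are constructed sample data; the field names (`id.orig_h`, `src_ip`, and so on) are the real Zeek and Suricata names, and `community_id_v1`, `flow_tuple` and `correlate` are names chosen here. Cross-check any value you compute against the test vectors shipped with the public Community ID specification before relying on it.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers that appear as the single protocol byte in the hash input.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Return the version-1 Community ID string for a TCP/UDP/SCTP flow.

    Layout hashed with SHA-1:
        seed (2 bytes BE) | addr_lo | addr_hi | proto (1 byte) | 0x00 | port_lo (2 BE) | port_hi (2 BE)
    The endpoint with the lower (address, port) pair goes first, so both
    directions of a conversation produce the same identifier.
    """
    proto_num = PROTO_NUMBERS[proto.lower()]
    a, b = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if a.version != b.version:
        raise ValueError("both endpoints must use the same IP version")
    # Packed big-endian address bytes compare the same way as numeric addresses.
    if (b.packed, dport) < (a.packed, sport):
        a, b = b, a
        sport, dport = dport, sport
    data = (struct.pack("!H", seed) + a.packed + b.packed
            + struct.pack("!BBHH", proto_num, 0, sport, dport))
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


# Constructed sample records (not from any real capture): a Zeek conn.log-style row,
# a Suricata eve.json-style alert for the same flow seen in the reverse direction,
# and a second, unrelated Zeek connection.
SAMPLE_RECORDS = [
    {"source": "zeek", "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
     "id.resp_h": "192.0.2.10", "id.resp_p": 443, "proto": "tcp", "note": "conn.log entry"},
    {"source": "suricata", "src_ip": "192.0.2.10", "src_port": 443,
     "dest_ip": "10.0.0.5", "dest_port": 51234, "proto": "TCP", "note": "alert (constructed rule)"},
    {"source": "zeek", "id.orig_h": "10.0.0.5", "id.orig_p": 51235,
     "id.resp_h": "192.0.2.10", "id.resp_p": 443, "proto": "tcp", "note": "conn.log entry"},
]


def flow_tuple(rec):
    """Map a Zeek or Suricata record onto (saddr, sport, daddr, dport, proto)."""
    if rec["source"] == "zeek":
        return rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"], rec["proto"]
    return rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"], rec["proto"]


def correlate(records, seed=0):
    """Group records from different tools under the Community ID of their flow."""
    groups = {}
    for rec in records:
        cid = community_id_v1(*flow_tuple(rec), seed=seed)
        groups.setdefault(cid, []).append(f"{rec['source']}: {rec['note']}")
    return groups


if __name__ == "__main__":
    for cid, entries in correlate(SAMPLE_RECORDS).items():
        print(cid)
        for entry in entries:
            print("   ", entry)
```

The grouping step is the practical payoff: once every sensor emits the same identifier for the same flow, an alert from one tool can be joined to the connection record, file extraction or protocol log from another without re-deriving the five-tuple and its orientation in each query. Note that the seed must be identical across all tools in the deployment, or the identifiers will not line up.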
In this data-centric world, there are many tools and techniques for creating, extending and analyzing data. As you make the data-driven shift, we recommend leveraging the expertise of the open-source community to accelerate your efforts.
Brian Dye 
A master record of events
for your network traffic.
Our network sensors continuously monitor your traffic, transforming packets into rich insights that accelerate incident response and unlock new threat hunting capabilities. From the creators of Bro/Zeek:
www.corelight.com | 1-888-547-9497 | San Francisco, CA
NIST RMF • CDM • FIPS
S-36 SPONSORED CONTENT