It’s time for security teams to embrace security data lakes

The average corporate security organization spends $18 million annually but is largely ineffective at preventing breaches, IP theft and data loss. Why? The fragmented approach we’re currently using in the security operations center (SOC) does not work.

Here’s a quick refresher on security operations and how we got where we are today: A decade ago, we protected our applications and websites by monitoring event logs — digital records of every activity that occurred in our cyber environment, ranging from logins to emails to configuration changes. Logs were audited, flags were raised, suspicious activities were investigated, and data was stored for compliance purposes.

The security-driven data stored in a data lake can be in its native format, structured or unstructured, and therefore dimensional, dynamic and heterogeneous, which gives data lakes their distinction and advantage over data warehouses.

As malicious actors and adversaries became more active, and their tactics, techniques and procedures (or TTP’s, in security parlance) grew more sophisticated, simple logging evolved into an approach called “security information and event management” (SIEM), which involves using software to provide real-time analysis of security alerts generated by applications and network hardware. SIEM software uses rule-driven correlation and analytics to turn raw event data into potentially valuable intelligence.

Although it was no magic bullet (it’s challenging to implement and make everything work properly), the ability to find the so-called “needle in the haystack” and identify attacks in progress was a huge step forward.

Today, SIEMs still exist, and the market is largely led by Splunk and IBM QRadar. Of course, the technology has advanced significantly because new use cases emerge constantly. Many companies have finally moved into cloud-native deployments and are leveraging machine learning and sophisticated behavioral analytics. However, new enterprise SIEM deployments are fewer, costs are greater, and — most importantly — the overall needs of the CISO and the hard-working team in the SOC have changed.

New security demands are asking too much of SIEM

First, data has exploded and SIEM is too narrowly focused. The mere collection of security events is no longer sufficient because the aperture on this dataset is too narrow. While there is likely a massive amount of event data to capture and process from your events, you are missing out on vast amounts of additional information such as OSINT (open-source intelligence information), consumable external-threat feeds, and valuable information such as malware and IP reputation databases, as well as reports from dark web activity. There are endless sources of intelligence, far too many for the dated architecture of a SIEM.

Additionally, data exploded alongside costs. Data explosion + hardware + license costs = spiraling total cost of ownership. With so much infrastructure, both physical and virtual, the amount of information being captured has exploded. Machine-generated data has grown at 50x, while the average security budget grows 14% year on year.

The cost to store all of this information makes the SIEM cost-prohibitive. The average cost of a SIEM has skyrocketed to close to $1 million annually, which is only for license and hardware costs. The economics force teams in the SOC to capture and/or retain less information in an attempt to keep costs in check. This causes the effectiveness of the SIEM to become even further reduced. I recently spoke with a SOC team who wanted to query large datasets searching for evidence of fraud, but doing so in Splunk was cost-prohibitive and a slow, arduous process, leading the team to explore alternatives.

The shortcomings of the SIEM approach today are dangerous and terrifying. A recent survey by the Ponemon Institute surveyed almost 600 IT security leaders and found that, despite spending an average of $18.4 million annually and using an average of 47 products, a whopping 53% of IT security leaders “did not know if their products were even working.” It’s clearly time for change.

There is no cybersecurity skills gap, but CISOs must think creatively

Those of us who read a lot of tech and business publications have heard for years about the cybersecurity skills gap. Studies often claim that millions of jobs are going unfilled because there aren’t enough qualified candidates available for hire.

I don’t buy it.

The basic laws of supply and demand mean there will always be people in the workforce willing to move into well-paid security jobs. The problem is not that these folks don’t exist. It’s that CIOs or CISOs typically look right past them if their resumes don’t have a very specific list of qualifications.

In many cases, hiring managers expect applicants to be fully trained on all the technologies their organization currently uses. That not only makes it harder to find qualified candidates, but it also reduces the diversity of experience within security teams — which, ultimately, may weaken the company’s security capabilities and its talent pool.

At Netskope, we take a different approach to staffing for security roles. We know we can teach the cybersecurity skills needed to do the job, so instead, there are two traits we consider more important than specific technical expertise: One is a hunger to learn more about security, which suggests the individual will take the initiative to continuously improve their skills. The other is possession of a skill set that no one else on our security team has.

Overemphasis on technical skills creates an artificial talent shortage

To understand why I believe our approach has helped us build a stronger security team, think about the long-term benefits of hiring someone with a specific security skill set: How valuable will that exact knowledge be in several years? Probably not very.

The problem is not that these folks don’t exist. It’s that CIOs or CISOs typically look right past them if their resumes don’t have a very specific list of qualifications.

Even the most basic security technologies are incredibly dynamic. In most companies, the IT infrastructure is currently in the midst of a massive transition from on-premises to cloud-based systems. Security teams are having to learn new technologies. More than that, they are having to adopt an entirely new mindset, shifting from a focus on protecting specific pieces of hardware to a focus on protecting individuals and applications as their workloads increasingly move outside the corporate network.

Who’s funding privacy tech?

Privacy isn’t dead, as many would have you believe. New regulations, stricter cross-border data transfer rules and increasing calls for data sovereignty have helped the privacy startup space grow thanks to an uptick in investor support.

This is how we got here, and where investors are spending.

The rise of privacy tech

With strict privacy laws such as GDPR and CCPA already listing big-ticket penalties — and a growing number of countries following suit — businesses have little option but to comply. It’s not just bigger, established businesses offering privacy and compliance tech; brand-new startups are filling in the gaps in this emerging and growing space.

“For the last decade, privacy tech was trumpeted as one of the next ‘big things’ for investors, but never delivered. Startup business models were too academic, complex and did not appeal to VCs, or crucially, consumers were used to getting free web services,” Gilbert Hill, chief executive at Tapmydata, told Extra Crunch.

Some privacy companies — including privacy hardware companies — are chasing profits and less focused on hustling for outside investment.

Today, privacy is big business. Crunchbase lists 207 privacy startups (as of April 2021) that have together raised more than $3.5 billion over hundreds of individual rounds of funding. The number of privacy companies rockets if you take into account enterprise privacy players. Crunchbase currently has 809 listed under the wider “privacy” category.

The latest Privacy Tech Vendor Report 2021 names 356 companies exclusively dealing in enterprise privacy technology solutions, up from 304 companies a year earlier.

“Since 2017, the privacy landscape underwent a metamorphosis,” the report said. “The emergence of the California Consumer Privacy Act, Brazilian General Data Protection Law and other privacy laws around the world have forced organizations to adhere to a new array of compliance requirements, and in response, the demand for privacy tech grew exponentially.”

That also presents an opportunity for investors.

Increasing investments

Privacy tech was catching the attention of investors even before the recent wave of new privacy laws came into effect. The sector amassed nearly $10 billion in investment in 2019, according to Crunchbase, compared to just $1.7 billion in 2010. Investments remained active in 2020, despite the pandemic.

Case in point: In December, enterprise privacy and compliance firm OneTrust announced a $300 million Series C funding. The deal valued the 4-year-old privacy tech firm at $5.1 billion, making it one of the first modern privacy unicorns. Three months later, it extended its Series C funding, with SoftBank Vision Fund 2 and Franklin Templeton pumping in another $210 million.

Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.

How startups can ensure CCPA and GDPR compliance in 2021

Data is the most valuable asset for any business in 2021. If your business is online and collecting customer personal information, your business is dealing in data, which means data privacy compliance regulations will apply to everyone — no matter the company’s size.

Small startups might not think the world’s strictest data privacy laws — the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) — apply to them, but it’s important to enact best data management practices before a legal situation arises.

Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes.

For example, failing to comply with the GDPR can result in legal fines of €20 million or 4% of annual revenue. Under the CCPA, fines can also escalate quickly, to the tune of $2,500 to $7,500 per person whose data is exposed during a data breach.

If the data of 1,000 customers is compromised in a cybersecurity incident, that would add up to $7.5 million. The company can also be sued in class action claims or suffer reputational damage, resulting in lost business costs.

It is also important to recognize some benefits of good data management. If a company takes a proactive approach to data privacy, it may mitigate the impact of a data breach, which the government can take into consideration when assessing legal fines. In addition, companies can benefit from business insights, reduced storage costs and increased employee productivity, which can all make a big impact on the company’s bottom line.

Challenges of data compliance for startups

Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes. For example, Vodafone Spain was recently fined $9.72 million under GDPR data protection failures, and enforcement trackers show schools, associations, municipalities, homeowners associations and more are also receiving fines.

GDPR regulators have issued $332.4 million in fines since the law was enacted almost two years ago and are being more aggressive with enforcement. While California’s attorney general started CCPA enforcement on July 1, 2020, the newly passed California Privacy Rights Act (CPRA) only recently created a state agency to more effectively enforce compliance for any company storing information of residents in California, a major hub of U.S. startups.

That is why in this age, data privacy compliance is key to a successful business. Unfortunately, many startups are at a disadvantage for many reasons, including:

  • Fewer resources and smaller teams — This means there are no designated data privacy officers, privacy attorneys or legal counsel dedicated to data privacy issues.
  • Lack of planning — This might be characterized by being unable to handle data privacy information requests (DSARs, or “data subject access requests”) to help fulfill the customer’s data rights or not having an overall program in place to deal with major data breaches, forcing a reactive instead of a proactive response, which can be time-consuming, slow and expensive.

Hack takes: A CISO and a hacker detail how they’d respond to the Exchange breach

The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

Don’t wait for your incident response team to take the brunt of a cyberattack on your organization.

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as possible. Disable external connectivity to the internet to ensure they cannot exfiltrate any data or communicate with other systems in the network, which is how attackers move laterally.

3. Consider deploying default/deny.

Startups must curb bureaucracy to ensure agile data governance

By now, all companies are fundamentally data driven. This is true regardless of whether they operate in the tech space. Therefore, it makes sense to examine the role data management plays in bolstering — and, for that matter, hampering — productivity and collaboration within organizations.

While the term “data management” inevitably conjures up mental images of vast server farms, the basic tenets predate the computer age. From censuses and elections to the dawn of banking, individuals and organizations have long grappled with the acquisition and analysis of data.

By understanding the needs of all stakeholders, organizations can start to figure out how to remove blockages.

One oft-quoted example is Florence Nightingale, a British nurse who, during the Crimean war, recorded and visualized patient records to highlight the dismal conditions in frontline hospitals. Over a century later, Nightingale is regarded not just as a humanitarian, but also as one of the world’s first data scientists.

As technology began to play a greater role, and the size of data sets began to swell, data management ultimately became codified in a number of formal roles, with names like “database analyst” and “chief data officer.” New challenges followed that formalization, particularly from the regulatory side of things, as legislators introduced tough new data protection rules — most notably the EU’s GDPR legislation.

This inevitably led many organizations to perceive data management as being akin to data governance, where responsibilities are centered around establishing controls and audit procedures, and things are viewed from a defensive lens.

That defensiveness is admittedly justified, particularly given the potential financial and reputational damages caused by data mismanagement and leakage. Nonetheless, there’s an element of myopia here, and being excessively cautious can prevent organizations from realizing the benefits of data-driven collaboration, particularly when it comes to software and product development.

Taking the offense

Data defensiveness manifests itself in bureaucracy. You start creating roles like “data steward” and “data custodian” to handle internal requests. A “governance council” sits above them, whose members issue diktats and establish operating procedures — while not actually working in the trenches. Before long, blockages emerge.

Blockages are never good for business. The first sign of trouble comes in the form of “data breadlines.” Employees seeking crucial data find themselves having to make their case to whoever is responsible. Time gets wasted.

By itself, this is catastrophic. But the cultural impact is much worse. People are natural problem-solvers. That’s doubly true for software engineers. So, they start figuring out how to circumvent established procedures, hoarding data in their own “silos.” Collaboration falters. Inconsistencies creep in as teams inevitably find themselves working from different versions of the same data set.

Bring CISOs into the C-suite to bake cybersecurity into company culture

When you think of the core members of the C-suite, you probably think of the usual characters: CEO, CFO, COO and maybe a CMO. Each of these roles is fairly well defined: The CEO controls strategy and ultimately answers to the board; the CFO manages budgets; the CMO gets people to buy more, more often; the COO keeps everything running smoothly. Regardless of the role, all share the same objective: maximize shareholder value.

But the information age is shaking up the C-suite’s composition. The cyber market is exploding in an attempt to secure the modern enterprise: multicloud environments, data generated and stored faster than anyone can keep up with and SaaS applications powering virtually every function across the org, in addition to new types of security postures that coincide with that trend. Whatever the driver, though, this all adds up to the fact that cyber strategy and company strategy are inextricably linked. Consequently, chief information security officers (CISOs) in the C-Suite will be just as common and influential as CFOs in maximizing shareholder value.

As investors seek outsized returns, they need to be more engaged with the CISO beyond the traditional security topics.

It’s the early ’90s. A bank heist. A hacker. St. Petersburg and New York City. Offshore bank accounts. Though it sounds like the synopsis of the latest psychological thriller, this is the context for the appointment of the first CISO in 1994.

A hacker in Russia stole $10 million from Citi clients’ accounts by typing away at a keyboard in a dimly lit apartment across the Atlantic. Steve Katz, a security executive, was poached from JP Morgan to join Citi as part of the C-suite to respond to the crisis. His title? CISO.

After he joined, he was told two critical things: First, he would have a blank check to set up a security program to prevent this from happening again, and second, Citi would publicize the hack one month after he started. Katz flew over 200,000 miles during the next few months, visiting corporate treasurers and heads of finance to reassure them their funds were secure. While the impetus for the first CISO was a literal bank heist, the $10 million stolen pales in comparison to what CISOs are responsible for protecting today.

Why ‘blaming the intern’ won’t save startups from cybersecurity liability

SolarWinds is back in hot water after a shareholder lawsuit accused the company of poor security practices, which they say allowed hackers to break into at least nine U.S. government agencies and hundreds of companies.

The lawsuit said SolarWinds used an easily guessable password “solarwinds123” on an update server, which was subsequently breached by hackers “likely Russian in origin.” Former SolarWinds chief executive Sudhakar Ramakrishna, speaking at a congressional hearing in March, blamed the poor password on an intern.

There are countless cases of companies bearing the brunt from breaches caused by vendors and contractors across the supply chain.

Experts are still trying to understand just how the hackers broke into SolarWinds servers. But the weak password does reveal wider issues about the company’s security practices — including how the easily guessable password was allowed to be set to begin with.

Even if the intern is held culpable, SolarWinds still faces what’s known as vicarious liability — and that can lead to hefty penalties.