
Improving Cyber Security Operations through Security Data Discipline


Dr. Greg Rattray
Partner/Co-Founder Next Peak LLC

© Next Peak Holdings, LLC 2020


Background

Greg Rattray, Ph.D.
Colonel, USAF (Ret)
Partner/Co-Founder, Next Peak LLC

• Former Global Chief Information Security Officer (CISO) at JP Morgan Chase; led major cyber uplift and successful breach response
• Former Chief Security Advisor for the Internet Corporation for Assigned Names and Numbers (ICANN)
• Founder of Delta Risk Consulting
• Served as Director for Cybersecurity on the US National Security Council
• Commanded the Air Force Information Warfare Center Operations Group
• Established the Advanced Persistent Threat (APT) concept and US national cyber exercise program

Increasing Security Operations Challenges

On-going technological changes, accelerated by remote work

[Diagram: data sources (security devices, endpoint detection, syslog, firewalls) and the systems they cover (workstations, endpoints, cloud services, apps, servers), all feeding security teams]

Creates security data-related challenges, reduces effectiveness

Security Data Discipline Overview

[Diagram: data sources (e.g. syslog) flow through a pipeline to destinations such as S3]

Data discipline uses pipeline technology and leverages MITRE ATT&CK as a filtering framework to:
• Filter low-quality data
• Parse and enrich events
• Securely route to destinations
• Maintain visibility
• Alert on failure states

Empower security teams with insight and expertise to accurately identify and combat threats
Data Complexity: Increases Cost and Risk

Extraordinary Quantity (massive data volume: 1-6 terabytes/day at large enterprises)
• High data indexing and retention costs: retaining large amounts of useless data that is expensive to store (e.g. Splunk, S3)
• Poor security tool performance: SIEM and aggregator search and reporting; reduced SOAR automation effectiveness

Inconsistent Quality
• Poor visibility into low quality data sources

Unstructured Data (proprietary formats, no context)
• Unstructured, unenriched, uncontextualized data, often in vendor-specific or machine-only codes

Poor response to transient failure states
• Dead feeds mean lost visibility; cost spikes can get expensive quickly

How Security Data Discipline Can Help

Reduce data volume through filtering
• Filter events and parse out unnecessary and useless fields, while retaining high quality data
• Reduces overall number of events and size of events, reducing storage costs

Improve data quality, increase analytic efficiency
• Improve data quality by adding context to events and enriching data in the pipeline
• Improve workload automation with extraction and normalization of data

Improve response time and effectiveness
• Improve query speed and quality
• Incorporate custom real-time alerts for failure states like dead feeds or cost spikes

Reduce data complexity
• Reduce complexity in complementing areas
• Consolidate and reduce tools for efficient data formats, eliminate low value fields

Makes new tech adoption easier
• Decrease time and switching costs of new tech adoption
• Data discipline creates a consistent, vendor-neutral pipeline and uniform source on-boarding

Outcomes: refocus teams towards operational efficiency; reduce data storage costs, increase security
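A minimal version of the pipeline stages described in the overview slide and in this slide, added here as an illustration rather than Next Peak's own tooling: it filters noisy event types, strips low-value fields, enriches events from a hypothetical asset lookup, measures the resulting size reduction, and raises the dead-feed and cost-spike alerts mentioned above. The events, asset table and per-source baselines are constructed sample data.

```python
from collections import defaultdict
# Constructed sample feed (not from the deck): three sources, syslog-style records.
def ev(source, ts, etype, **fields):
    return {"source": source, "ts": ts, "type": etype, **fields}

RAW = "<134>fw-edge kernel: DENY IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=445"
EVENTS = (
    [ev("fw-edge", 990 + i, "deny", src_ip="10.0.0.5", dst_port=445, raw=RAW) for i in range(7)]
    + [ev("fw-edge", 999, "keepalive", raw="<134>fw-edge kernel: KEEPALIVE")]
    + [ev("edr-agent", 100, "process_start", src_ip="10.0.0.7", image="cmd.exe", seq=41)]
    + [ev("syslog-app", 950, "login", src_ip="10.0.0.5", user="alice", seq=7),
       ev("syslog-app", 960, "heartbeat", seq=8)]
)
LOW_VALUE_FIELDS = {"raw", "seq"}          # redundant or machine-only, dropped at parse time
NOISY_TYPES = {"keepalive", "heartbeat"}  # no detection value, filtered whole
ASSETS = {"10.0.0.5": {"host": "ws-finance-12", "owner": "finance"}}  # hypothetical CMDB
BASELINE = {"fw-edge": 2, "edr-agent": 2, "syslog-app": 2}  # normal events per window

def discipline(events):
    """Filter noisy event types, strip low-value fields, enrich with asset context."""
    kept = []
    for e in events:
        if e["type"] in NOISY_TYPES:
            continue
        slim = {k: v for k, v in e.items() if k not in LOW_VALUE_FIELDS}
        asset = ASSETS.get(slim.get("src_ip"))
        if asset:  # context the analyst would otherwise look up by hand
            slim["asset_host"], slim["asset_owner"] = asset["host"], asset["owner"]
        kept.append(slim)
    return kept

def reduction_pct(before, after):
    """Size reduction in percent; repr length stands in for indexed bytes."""
    b = sum(len(repr(e)) for e in before)
    a = sum(len(repr(e)) for e in after)
    return round(100.0 * (b - a) / b, 1)

def failure_alerts(events, now, baseline, dead_after=300, spike_factor=3.0):
    """Run on the raw feed (keepalives prove liveness): flag dead feeds and cost spikes."""
    last_seen, counts = {}, defaultdict(int)
    for e in events:
        last_seen[e["source"]] = max(last_seen.get(e["source"], 0), e["ts"])
        counts[e["source"]] += 1
    alerts = []
    for src, normal in baseline.items():
        if now - last_seen.get(src, 0) > dead_after:
            alerts.append(("dead_feed", src))
        if counts[src] > spike_factor * normal:
            alerts.append(("cost_spike", src))
    return sorted(alerts)
```

Because enrichment adds fields, the net reduction depends on how much low-value payload is stripped per event; run `reduction_pct` on a real sample before and after the filter before committing to a cost figure.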
Implementation and Findings

15%: data reduction with no lost information, meaning no tradeoffs
40-60%: possible data reduction with minor tradeoffs
~$1 MM: cost reduction per petabyte of data processed annually

Disciplining data saves costs and analyst time, creating security reinvestment opportunities


Data Discipline and MITRE ATT&CK

Leverage MITRE ATT&CK to refine data selection
• Have access to correct raw data to show adversary behavior to security teams; easy to find adversary techniques in ATT&CK
• Extend framework to map known data sources to TTPs and sub-techniques
• Identified tactics map down to the type of event log created

ATT&CK has suggestions; expanding it with the new data source initiative elevates the level of specificity through experience and expertise

Where we are today

Initial development
• Approach developed as part of Columbia University’s CyberNYC Investors to Founders Program
• Partnered with technology providers for proof-of-concepts

Pilot/analysis projects
Completed pilot project with partner MSSP:
• Successfully completed proof-of-concept and implementation plan
• Collected tangible data on efficiencies created
• Conducting post-mortem and creating final assessment
Initiating second wave of analysis on standard Windows Active Directory and logs

Next steps
• Build an open source community effort to develop concept further
• Looking to partner with security operations centers, MSSPs & security device providers
• Build data sources into MITRE ATT&CK framework with community

Questions?
greg.rattray@nextpeak.net
