The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) are improving data access and posture to mitigate cybersecurity risks, leaders said during an ATARC virtual event.
“One of the largest challenges is to ensure that you actually have, hands on, all of the data that you need to actually have the awareness of your environment, the kinds of security risks that you have in it and how you’re able to ensure that you can patch, change configurations to mitigate risks in your environment,” Blair Heiserman, NIST’s CISO, said in describing the challenges his agency faces in the modern-day security operations center environment.
Bobby Miller, CISO at HHS’ Office of Inspector General, explained that one of the biggest challenges at his office is training the workforce to perform security analysis across different data sets, then transforming that data into actionable insights.
“Moving forward, particularly as we start talking more about extended detection and response (XDR), I think behavioral analytics will become essential to provide that holistic view to security analysts — being able to look across devices, applications on your network — that's going to be invaluable,” Miller said.
With the continual growth of data, XDR will enable agencies and organizations to improve incident response. XDR collects and automatically correlates data across multiple security layers, ultimately enabling faster detection of threats and improved investigation and response times through security analysis.
For XDR to be effective, Heiserman said that organizations must be able to ingest different data sources across different locations, including cloud, containerized solutions, endpoints and more, to build out posture awareness. It all comes down to capturing the right data at the right time to distill proper mitigation measures and improve detection. Miller said that XDR should take a cross-organizational approach to ensure alignment of implementation and improve security.
“You need to have near real-time data about your environment. That is how you get to a continuous ATO state, where you are aware of the risks in your environment, so you can continue to authorize systems for use. But you also need telemetry data, and you need it combined with other data sets because you have a wealth of information hitting every individual endpoint, every application, and by being able to stitch the analysis across the data sets from each of those, it provides an awareness,” Heiserman said.
Telemetry is the automated collection and transmission of measurements from multiple data sources. Telemetry data is used to improve customer experiences and to monitor security, application health, quality and performance. Agencies are looking to leverage this data to improve incident response time.
“Having that telemetry data is critical for your security analysts ... Having the ability to have data at your fingertips, when you need it is essential,” Miller said. “When you start talking about pulling these data sets together, being able to instantly respond to an incident and track it down, you have to have that data.”
Heiserman explained that by “stitching” data together, organizations will be able to recognize new or unexpected correlations across multiple technology solutions. This technique gives organizations a baseline against which to compare risk and expose malicious activity.
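As an added illustration of the cross-layer “stitching” Heiserman and Miller describe, the following Python (not code from the article, NIST or HHS) groups constructed endpoint, network and identity telemetry per host into ten-minute windows and raises a finding only when two or more layers deviate from a constructed per-host baseline in the same window; the hosts, values and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry from three layers; every host and value is made up.
ENDPOINT = [  # (iso_time, host, process_started)
    ("2024-03-01T09:00:05", "ws-17", "updater.exe"),
    ("2024-03-01T09:00:07", "ws-17", "archiver.exe"),
    ("2024-03-01T10:15:00", "ws-02", "mailclient.exe"),
]
NETWORK = [  # (iso_time, host, bytes_out)
    ("2024-03-01T09:00:09", "ws-17", 48_000_000),
    ("2024-03-01T10:15:02", "ws-02", 120_000),
]
IDENTITY = [  # (iso_time, host, login_location_status)
    ("2024-03-01T09:00:01", "ws-17", "new_country"),
    ("2024-03-01T10:14:55", "ws-02", "known_location"),
]
# Constructed per-host baseline: usual bytes out and process starts per window.
BASELINE = {"ws-17": {"bytes": 2_000_000, "procs": 1},
            "ws-02": {"bytes": 5_000_000, "procs": 3}}

def window_key(iso_time, host):
    """Bucket an event by host and the fixed 10-minute window it falls in."""
    dt = datetime.fromisoformat(iso_time)
    return (host, dt.date(), dt.hour, dt.minute // 10)

def stitch(endpoint, network, identity, baseline):
    """Correlate the three layers per (host, window) against the baseline and
    return {host: [deviating layers]}; one layer alone never raises a finding."""
    buckets = defaultdict(lambda: {"procs": 0, "bytes": 0, "new_login": False})
    for t, host, _proc in endpoint:
        buckets[window_key(t, host)]["procs"] += 1
    for t, host, nbytes in network:
        buckets[window_key(t, host)]["bytes"] += nbytes
    for t, host, status in identity:
        if status == "new_country":
            buckets[window_key(t, host)]["new_login"] = True
    findings = {}
    for (host, *_window), b in buckets.items():
        layers = []
        if b["procs"] > baseline[host]["procs"]:
            layers.append("endpoint")
        if b["bytes"] > 5 * baseline[host]["bytes"]:  # 5x the usual volume
            layers.append("network")
        if b["new_login"]:
            layers.append("identity")
        if len(layers) >= 2:  # only the stitched view crosses the bar
            findings.setdefault(host, []).extend(layers)
    return findings
```

Calling `stitch(ENDPOINT, NETWORK, IDENTITY, BASELINE)` flags only ws-17, where all three layers deviate in the 09:00 window; feeding any single layer on its own returns nothing, which is the point of correlating across sources.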
“Now, you’re starting to see things that previously you could feed it in, but you had to have someone go and look to pull out a thread from an incident. I think that’s the potential promise. As it all gets stitched together, it’s telling you that ‘this is one you should be concerned about’ and ‘this is not,’” Heiserman said.
Moving forward, NIST is emphasizing the importance of developing data standards to have a shared language. Data standards will help focus and prioritize the workforce and resources on the most important threats or vulnerabilities, as well as improve risk-based decision-making.
“NIST is a standards organization, so obviously we’d love for people to abide by standards that make integration easier ... so you're speaking about the same vulnerability, the same exposure. It makes sure that everyone is talking at the same level of criticality about something in their environment, which helps focus and prioritize,” Heiserman said.