Perspectives

Outpace Threats with Data-Driven Cybersecurity

Automate and accelerate insights and operations

Every day, new innovative cyber threats stealthily target federal networks and critical infrastructure. At great cost, defenders have deployed scores of complex cybersecurity tools that emit and absorb data on a mind-boggling scale. Now, untamed terabytes of disparate data fatigue security analysts with false alarms—and multimillion-dollar annual data storage costs make it hard for agencies to retain data for the long term. To get ahead of the threats, organizations must stop drowning in their own data and start collecting, managing, and using all this information to full advantage.

Federal Civilian Executive Branch (FCEB) agencies have millions of endpoints—and since tooling for detecting and responding to threats often exceeds minimum requirements, the total data volume could top 125 terabytes per day. Dealing with such vast and varied data demands a new approach—data-driven cybersecurity. This goes well beyond deploying controls, dealing with indicators of compromise, and heeding recent federal guidance on advanced data-logging requirements. Organizations must also link datasets of many kinds to detect patterns of malicious behavior. In this way, they can better anticipate, prevent, detect, and respond to emerging threats.

Today, many security teams can’t make the most of their data and hence can’t deliver value for the entire organization. Teams are forced to choose which data to collect when technology advancements and security budgets are out of sync. And that means agencies and critical infrastructure entities are losing ground to worsening digital threats—because they aren’t using data as an asset.

Data can be a superweapon to achieve strategic priorities and safeguard critical missions with advanced cyber defenses. But that requires novel ways of sharing information—and enabling collective thinking—to distill actionable insights. And that means focusing more on data analytics, artificial intelligence (AI), and machine learning (ML). In a recent Booz Allen-commissioned survey of 175 individuals involved in the development, analysis, and review of U.S. cybersecurity practices and policies, more than half of respondents rated cyber data analytics (63%) and cyber-focused AI/ML (58%) among the most important aspects of cybersecurity.

What is Data-Driven Cybersecurity?

Here’s the good news: Organizations can overcome information overload. Adopting data-driven cybersecurity is about figuring out how to extract, normalize, and apply data to accelerate security operations—ideally faster than adversaries. Analytics and AI technology can help the government obtain a holistic view of the federal cybersecurity ecosystem.

Along the way, agencies may need to leverage outside technical expertise. In the survey, most respondents (60%) said they had limited knowledge of cyber data analytics. And respondents were roughly split on whether they had limited or substantial knowledge of cyber-focused AI and ML. Respondents included mostly federal and military personnel, as well as stakeholders in think tanks, non-governmental organizations, lobbying roles, and the legislative branch.

Data-driven cybersecurity, bounded by strategic business objectives, leverages talent and technology to deliver value across entire organizations—for instance, by equipping various internal teams with shared awareness of vital data. This requires a culture change, which is enabled, in part, by an integrated approach that lets security functions jointly overcome challenges with the right capabilities, management, and architecture tailored to fit the organization.

This approach integrates high volumes of disparate data from formerly siloed groups—for instance, teams focused on cyber operations, incident response, cyber intelligence, information protection services, security and investigations, legal, communications, and compliance issues. With use cases and data governance guided from the top, these teams are more empowered to make the real-time decisions needed to carry out critical missions and counter emerging threats. Operating with a clear vision also reduces the alert churn for security teams.

In addition, this approach makes it more cost-effective to store massive quantities of cybersecurity data for longer periods, which lets organizations gain the benefits of security analytics at scale in real time. And this, in turn, can enable advanced cybersecurity that uses predictive analytics and turns threat intelligence into actionable insights.

What Are the Next Steps?

The Cybersecurity and Infrastructure Security Agency (CISA) should take the lead in operationalizing data from agencies and federal sensors to supply intelligence for proactive cyber defense operations. Fortunately, CISA is increasingly focused on conducting persistent hunts for threat activity, ingesting and analyzing security data at all levels of the network, and conducting rapid analysis to spot and counter threats.

In addition, all FCEB agencies and critical infrastructure entities should embrace data-driven cybersecurity. Here are five recommendations for putting this approach into action:

Commit to being vendor neutral: Every vendor is trying to lock you into their system. The best way to break out of that is to make all data go through an open architecture. To that end, CISA should look to develop and implement a common data model—for instance, for all endpoint detection and response (EDR) data.

Assess internal needs: Organizations should conduct an analysis and make the data available to whoever needs to consume it. Data access should be controlled centrally. Along the way, agencies lacking knowledge in cyber data analytics and cyber-focused AI and ML should leverage expertise from elsewhere in government or in the private sector.

Plan phased improvements: Organizations can begin with basic capabilities and then upgrade to advanced and leading capabilities over time. Leading organizations can work toward implementing the architecture for a cloud-native, cyber-focused data pipeline for streaming analytics (threat hunt, detection, and compliance).

Act locally, think strategically: The more headway organizations make in overcoming their own silos, the better they will be able to contribute to the cybersecurity of the broader ecosystem. As National Cybersecurity Director Chris Inglis has noted, the collaborative development of insights across silos and stovepipes is increasingly important for the benefit of all.

Prepare now for the next threat: Organizations need to start moving ahead of threats—and the best way to do that is to proactively ready data to be analyzed and queried. Data must be normalized and made accessible. With each new threat, different datasets have become more valuable. In the case of Log4J vulnerabilities, for example, organizations could have been querying their application and firewall logs for potential attacks while they waited for vendors to self-identify and issue patches, or for vulnerability scanners to update their definitions. Being proactive is even more important when organizations must protect cloud-based systems and federated networks.

In short, data-driven cybersecurity is a national imperative. Data is the linchpin for full-spectrum U.S. cyber capabilities designed to defend the nation and counter threats. Embracing a data-driven approach can drive advancements in cyber threat hunting, cyber threat information sharing, supply chain security, zero trust, and beyond. It’s never been more important for government agencies and critical infrastructure entities to embark on this path.