We have a silo problem
Anyone who grew up playing Super Mario Bros will remember the agony of fighting your way through Goombas and Koopa Troopas only to find that the princess is in another castle. And there are lots of castles. Security teams face a similar challenge as they hunt for attackers and try to squash security holes before they result in a breach. Like Mario’s princess, the clues are in another data silo.
A data silo is a place where one type of information exists separately from other datasets. In cybersecurity, silos can be classified along the “Five Ws”:
Who was involved: User information is often stored within classic directories such as LDAP and Active Directory, or newer systems such as G Suite and Okta.
What happened: Events of interest are generated on the systems where they take place, for example firewalls allowing network connections or endpoints quarantining malware. This is the main dataset collected into SIEM solutions such as Splunk, ArcSight and Elastic, which become silos for events.
Where did it take place: While event logs will contain a reference to the location, such as a hostname, the majority of location details are found in the asset inventory. For example, cloud-based servers in AWS will be fully described within the EC2 service, including their launch time, tags, and associated security groups. Note that none of this information is included in the server’s event log.
When did it take place: Historical information describing all of the previous occurrences of a particular incident is often stored separately in low-cost long-term storage such as AWS S3. This data may be compressed for storage and needs to be retrieved and loaded prior to analysis.
Why did it happen: Organizations that meet basic information security standards such as SOC2 are required to institute change management processes. While these processes require documenting why significant changes took place, this dataset is typically unstructured and stored in a ticketing system such as Jira or a code repository system such as GitHub.
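An added example, not code from the original post, of the joins an analyst otherwise performs in their head across these five silos: one constructed SSH-login event (the What) is enriched from constructed user, asset, history and change-ticket records, and the gaps between them (a host missing from inventory, an hour never seen before, a login outside any change window) surface as flags. All hostnames, users, tags and ticket ids are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample silos (not real data); every identifier below is a placeholder.
DIRECTORY = {  # Who: user directory (LDAP/Okta-style record)
    "jdoe": {"name": "J. Doe", "team": "platform", "status": "active"},
}
ASSETS = {  # Where: asset inventory (EC2-style description, absent from the event log)
    "web-07": {"launch_time": "2023-04-01T22:00:00Z",
               "tags": {"env": "prod"}, "security_groups": ["sg-web"]},
}
HISTORY = {  # When: prior occurrences pulled from long-term storage
    ("web-07", "ssh_login"): ["2023-03-01T09:00:00Z", "2023-03-15T09:05:00Z"],
}
TICKETS = [  # Why: change-management records
    {"id": "CHG-PLACEHOLDER-1", "host": "web-07", "owner": "jdoe",
     "opened": "2023-04-01T21:30:00Z", "closed": "2023-04-02T06:00:00Z",
     "summary": "rebuild web-07"},
]

def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def enrich(event):
    """Join one SIEM event (What) with the other four silos and flag what stands out."""
    host, user, action = event["host"], event["user"], event["action"]
    when = _ts(event["ts"])
    asset = ASSETS.get(host)
    prior = HISTORY.get((host, action), [])
    # Change tickets whose open/close window covers the event time.
    changes = [t for t in TICKETS
               if t["host"] == host and _ts(t["opened"]) <= when <= _ts(t["closed"])]
    flags = []
    if asset is None:
        flags.append("unknown_asset")
    elif when - _ts(asset["launch_time"]) < timedelta(hours=24):
        flags.append("recently_launched")
    if not prior:
        flags.append("first_seen_action")
    elif when.hour not in {_ts(p).hour for p in prior}:
        flags.append("unusual_hour")
    if not changes:
        flags.append("no_change_ticket")
    elif all(t["owner"] != user for t in changes):
        flags.append("change_owner_mismatch")
    return {"who": DIRECTORY.get(user), "where": asset,
            "when_prior_count": len(prior),
            "why": [t["id"] for t in changes], "flags": flags}
```

For the constructed event `{"ts": "2023-04-02T03:14:00Z", "host": "web-07", "user": "jdoe", "action": "ssh_login"}` the result carries the asset's tags and security groups, the two prior occurrences, the covering ticket, and the flags `recently_launched` and `unusual_hour`; the same login on a host absent from every silo yields `unknown_asset`, `first_seen_action` and `no_change_ticket`.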
With critical information being segmented across separate data silos, there ends up being only one place within the typical organization where the datasets can be combined and synthesized into insights. That place is the two-pound chunk of water and fat lodged between the ears of the security analyst.
With the manual effort of connecting data silos falling on individual members of the security team, companies must either hire their way out of the problem or accept that their threat and vulnerability detection will be weak and will get weaker. The move to the cloud, with its frequent changes and virtual perimeter, makes it harder than ever to manually connect the dots. It’s high time for cybersecurity to admit that it has a silo problem.