Solving Cybersecurity’s Data Conundrum via DIR Approaches

data stitching

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Brian Foster of ReliaQuest sews together a response to the data conundrum using DIR approaches and data stitching.

An influx of security tools and alerts, and ineffective and/or suboptimal detection, investigation, and response (DIR) processes have painted Security Operations (SecOps) in a chaotic light. Then, throw data and resources that are all over the place into the mix, and you’re potentially looking at a big mess– one that goes beyond the confines of an organization’s network and assets. This includes the external attack surface and deep, dark webs, which are a primary source for digital threats.

As cyber-attacks become more advanced, more frequent, and more expensive, enterprises need to pursue a comprehensive cybersecurity strategy. Yet, the complex arrangements of security toolsets and business applications, as well as the changing threat landscape, all make tackling security a daunting task. Today’s security teams face challenges of scale when it comes to SecOps– both from a people and technology standpoint. These challenges potentially give threat actors an advantage, as they can continually plan and execute attacks without detection.

Security teams need the intelligence to discover and disrupt these active attacks– and prevent future ones.

Data Stitching and the DIR Approach to Data Security


Today’s DIR Processes Are Not Designed for Distributed Data

At its heart, the challenge with threat detection is a data problem. And more often than not, an organization’s data is stored in multiple locations– further complicating the problem. Simple fact: it is not reasonable to expect that 100 percent of an organization’s security-relevant data will be centrally located.

A typical security operations center (SOC) today is overwhelmed with security tools that do not integrate or communicate well with each other. SOCs have to manually collect data from multiple tools for an effective alert triage. Aggregating and then accessing all of an organization’s data is expensive– and more time is spent curating data than analyzing it, leading to a lack of efficiency. To remedy this, organizations need coverage across their security information and event management (SIEM), endpoint detection and response (EDR), cloud, business, and third-party applications. They need a way to unify data and tools seamlessly to gain the context and insights needed to operationalize security and protect and grow their business. The path forward is trusted curated integration.

This starts with real-time integration across security technologies that can gather and normalize data on-demand, without analyst intervention or creating expensive security data lakes. It should serve as a single source of truth for driving visibility, automation, and measurement, all in the name of speeding up response time across the security lifecycle. Managed, vendor-agnostic integrations across security tools take the burden of tool management away from analysts so they can focus on the analysis that matters. This requires enterprises to think about implementing detection, investigation, and response approaches on distributed data. To enable DIR across distributed data, enterprises need a security operations platform that utilizes techniques– like data stitching.

Data Stitching for Extended Detection and Response

Data stitching is the process of automatically collecting and parsing relevant information from all tools based on an alert from any single tool. For example, an alert fires in one tool, and data stitching searches across the rest of the security infrastructure, looking for any artifacts or data relevant to the original alert. The process reduces the cost of data management as it only aggregates and stores that relevant data. It also aids in comprehensive investigations and enriches lower-quality alerts with data from multiple sources to create a higher fidelity alert across endpoint, network, cloud, and business applications.

A Security Operations Platform Makes This All Possible

SecOps Platforms for data stitching utilize a single unified query language that abstracts the user from various query languages. The platform normalizes data coming back from the technologies, and requires two-way integrations directly with technologies and applications that are ingested back into the platform. They also collect data from the native technologies on a just-in-time/as-needed basis for extended DIR.

Security is an ongoing process, not a guarantee– and should adapt with the changing threat landscape. No security operations team is the same; they have different priorities, tech stacks, sizes, and skill sets that affect their day-to-day business operations.

The Common Denominator is That They All Have Data

Gaining proper insight and visibility into that data via detection, investigation, and response approaches can be the game changer when it comes to thwarting cyber-attacks– and data stitching can help solve today’s cybersecurity data conundrum, while building confidence in an organization’s security program.

Brian Foster
Follow Brian
Latest posts by Brian Foster (see all)