Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

About 1.5 years ago, during my stint at dbt Labs, I wrote a newsletter about how data will change security.
At the time, I thought cybersecurity was going to embrace the modern data stack and break down data silos to gain more context. It would provide valuable security analysis to help identify issues. However, I was only partially right on this prediction.
What I got right
I discussed the need to break down the data silos created by the flood of security tools on the market at the time (and even more so now), since each tool lacks context from the others and so cannot provide meaningful information on its own. I predicted that security practitioners’ frustration would lead to these silos being broken down.
Related to this, SIEMs have been the only option, and they don’t solve the right problems. We’re seeing more security teams wonder what their security operations strategy is now that their infrastructure is largely outdated. Cisco’s acquisition of Splunk sent the message that a new beginning might be brewing for security’s use of data. I do see more use of other data storage solutions, especially data warehouses such as Databricks and Snowflake, which security teams appear to be embracing as their companies’ data teams modernize their data stacks. Companies are also wondering whether they should invest in a traditional SIEM at all.
What I got wrong
Although I vaguely discussed some of the use cases for the “new” security data world, I limited them to security-focused applications, such as security operations and vulnerability management. That is, I conjectured that the changes would primarily result in a modernized SIEM. I was surprised to learn that, with the new access to data, products are finding new use cases that deliver value to security, or at least building the platform on which new use cases can be discovered.
Most companies haven’t made the pivot to verticalized tools on top of a data platform. Likely, that pivot hasn’t started yet; for now, current security products are getting a lot of value by being dedicated point solutions and turning into data sources.
What’s happening now?
I was motivated to write this article after seeing the rise of BI-focused security products. More specifically, Avalor was put into the spotlight with the rumors of an acquisition by Zscaler. (I’m not too sure what Zscaler’s strategy is here, but that’s for another post).
I am also seeing the emergence of tools like Dassana and Monad. All these tools create security data lakes: they ingest data from various security tools and place it into central storage, such as Snowflake, Databricks, Postgres, etc. This is powerful because it allows for the analysis of alerts and data from all existing security tools in one place. This trend seems to be picking up because Splunk is expensive, difficult to set up, and has limited functionality as a data platform.
There are plenty of applications for these types of tools, and one obvious one is to replace SIEMs. Other products are trying to do this, such as Panther, which is building a layer on top of data warehouses to act as a SIEM. However, I understand why this isn’t the first application that these tools want to tackle. Companies might have multi-year contracts for SIEMs. They likely hired security operations teams that specialize in using certain types of SIEMs. Also, replacing a current SIEM, or having a company acquire one, would be a huge lift, leading to long sales cycles, which isn’t a great GTM motion for a startup. The list goes on. So, not focusing on this application is a good move.
What applications are they advertising?
The product messaging of all these companies is similar.
Avalor advertises itself as the “data fabric for security.” It claims to act as the source of truth for assets, controls, etc. to allow for better remediations.
Dassana allows for continuous security control effectiveness. It also focuses on better prioritization and remediations.
Monad has a more data-focused approach by calling itself a “point-and-click simple ELT for security.” It feels like it is leaving the specific applications and use cases up to the end user.
However, these products are dancing around an important application. Avalor partially mentions it when it talks about “security teams making faster and more accurate decisions.” Dassana also discusses it as a way to find ROI on your security tools.
These products need to sell security program efficacy
Honestly, Dassana is the closest to this message. It discusses security program efficacy in terms of security control efficacy. However, Avalor misses this point. It messages broadly about security insights and analytics without framing them in a way that highlights the business benefits data analytics has delivered for other functions, such as finance and operations. In some ways, Monad has the right overall message about producing the proper “ELT for security,” but it lacks specificity on how this could benefit security.
Why am I making such a big deal out of this? I think there’s a large opportunity here. Security is late to the game on data. The data stack exists to provide relevant insights to the business. For years, data analytics has been a powerful tool (assuming it’s done right) in various aspects of business, giving executives the power to track important metrics. When they see a problem, they and/or their team can dig deeper, and this is what makes data analytics teams so valuable. On the other side, executives can agree on metrics to ensure that the impact of their teams is properly measured and that specific objectives are met. That’s why the modern data stack has been in the spotlight: a strong data stack serves almost as a competitive advantage.
Unfortunately, security has historically not been that data-driven. It’s primarily survived off fear, uncertainty, and doubt. It’s not fully security’s fault. It’s also executives who lack an understanding of how security impacts their business. They give security blank checks to achieve, in my mind, impossible goals, e.g. preventing security incidents (rather than containing them when they occur or reducing the blast radius of one through risk management). Although a security leader should communicate this, executives have traditionally viewed security as an operational role that they just needed to have like accounting or legal, which isn’t the right attitude.
On the other hand, security leaders have taken advantage of these blank checks to do whatever they want without having to communicate the impact or any of the corresponding metrics. If anything, they communicate operational metrics, such as time to respond, the number of incidents, or the number of vulnerabilities resolved. The problem is that these metrics usually lack business context.
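As an added example (not code from the original post or from any of the products it names), here is the smallest version of the pattern described above: two hypothetical point tools export alerts in their own formats, the alerts are normalized into one schema and joined to an asset inventory that carries the business context the tools lack, and the same findings are then summarized twice, once as the kind of operational metric mentioned above (open findings by severity) and once as a business-facing metric (open critical/high findings per business owner and asset tier). All tool names, field names, asset names and finding identifiers are constructed for the illustration; an asset that is missing from the inventory is deliberately included, since surfacing that gap is itself one of the things a central store makes visible.

```python
"""
Added example: normalize alerts from two constructed tool exports, join them to
a constructed asset inventory, and compute an operational and a business metric.
Nothing here is the schema or API of any real product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed raw exports, shaped the way two different (hypothetical) tools
# might emit them. Finding ids are placeholders, not real vulnerability ids.
VULN_SCANNER_EXPORT = [
    {"host": "web-01", "id": "SCAN-0001", "sev": "critical", "state": "open"},
    {"host": "web-01", "id": "SCAN-0002", "sev": "medium", "state": "open"},
    {"host": "batch-07", "id": "SCAN-0003", "sev": "critical", "state": "open"},
    {"host": "batch-07", "id": "SCAN-0004", "sev": "high", "state": "fixed"},
]
CLOUD_POSTURE_EXPORT = [
    {"resource_id": "web-01", "rule": "public-bucket", "severity": 9.1, "status": "FAIL"},
    {"resource_id": "db-03", "rule": "no-encryption-at-rest", "severity": 7.5, "status": "FAIL"},
    {"resource_id": "db-03", "rule": "mfa-disabled", "severity": 4.0, "status": "PASS"},
    # Constructed asset that no inventory record covers, to show the gap case.
    {"resource_id": "orphan-99", "rule": "ssh-open-to-world", "severity": 8.0, "status": "FAIL"},
]

# Constructed asset inventory: the business context the point tools lack.
ASSET_INVENTORY = {
    "web-01": {"owner": "payments", "tier": "revenue-critical"},
    "db-03": {"owner": "payments", "tier": "revenue-critical"},
    "batch-07": {"owner": "analytics", "tier": "internal"},
}


@dataclass(frozen=True)
class Finding:
    """One row of the common schema every tool export is mapped onto."""
    asset: str
    source: str
    finding_id: str
    severity: str  # normalized to "critical" | "high" | "medium" | "low"
    open: bool


def bucket_score(score):
    """Map a numeric severity score onto the shared severity labels."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize(vuln_rows, posture_rows):
    """The 'T' of ELT: map each tool's fields onto the Finding schema."""
    findings = []
    for r in vuln_rows:
        findings.append(Finding(r["host"], "vuln_scanner", r["id"],
                                r["sev"], r["state"] == "open"))
    for r in posture_rows:
        findings.append(Finding(r["resource_id"], "cloud_posture", r["rule"],
                                bucket_score(r["severity"]), r["status"] == "FAIL"))
    return findings


def operational_metric(findings):
    """Open findings by severity: true, but carries no business context."""
    counts = defaultdict(int)
    for f in findings:
        if f.open:
            counts[f.severity] += 1
    return dict(counts)


def business_metric(findings, inventory):
    """Open critical/high findings per business owner, split by asset tier.

    Assets absent from the inventory land under owner/tier "unknown", which
    makes inventory gaps a reportable number rather than a silent omission.
    """
    out = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if not f.open or f.severity not in ("critical", "high"):
            continue
        ctx = inventory.get(f.asset, {"owner": "unknown", "tier": "unknown"})
        out[ctx["owner"]][ctx["tier"]] += 1
    return {owner: dict(tiers) for owner, tiers in out.items()}


if __name__ == "__main__":
    rows = normalize(VULN_SCANNER_EXPORT, CLOUD_POSTURE_EXPORT)
    print("operational:", operational_metric(rows))
    print("business:   ", business_metric(rows, ASSET_INVENTORY))
```

The two summaries are computed from the same rows; the only difference is the join to the inventory. "Three critical findings" says nothing about where the risk sits, whereas "three open critical/high findings on revenue-critical assets owned by payments, plus one on an asset nobody has claimed" is something an executive can act on and a security leader can be held accountable for. In a real deployment the inventory would come from a CMDB or cloud tagging rather than a dictionary, and the exports would be loaded into the warehouse before this step runs.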
With all that said, these products should market something strong such as “providing business intelligence to allow data into every security decision,” or “providing data-driven insight into security operations.” The idea is that having access to this data gives security the ability to provide useful metrics that can drive business decisions, e.g. investment areas, gaps that result in risk, etc., not just operational decisions, e.g. prioritization of vulnerabilities. This will elevate the game for security from being an operational organization to a business-driving organization, which security has been trying to do for a while now.
However, data doesn’t solve the problem of a security leader communicating the business impact of security. Honestly, no tool or product can solve leadership or organizational problems. At best, they can identify these issues, but they aren’t the solution. A data tool can help elevate the function, but without a strong leader to define the objectives and use the data to drive decision-making, the tool won’t be useful. The same is true of data tools in every other organization.
Having a strong security strategy is a prerequisite, and the data tool only augments that and maintains accountability. How do you develop a security strategy? Well, that’s the hard part. Richard Seiersen has a good LinkedIn post about this. He discusses a strategy to align with executives and the board, landing on three key metrics to determine risk. Of course, this is one of many strategies.

Takeaway
Security is finally starting to embrace data, and these new products are promising. However, they need stronger messaging on how data can benefit security as a business rather than just as an operation, in the same way data analytics has benefited other organizations. As a result, security can also provide meaningful insights that drive strategy in other organizations, such as engineering, where there is an increasing amount of risk.
Hi Frank. Totally agree with your perspective on security being late to the game towards being a data-driven business to deliver outcomes. But I am not sure that delivering security program efficacy is going to be the killer app for security data. Do you think someone would allocate budget to pay for that? I think building a data-driven product that delivers outcomes daily or multiple times a week creates an important flywheel and subsequently intrinsic value. As a practitioner, what are some apps you would like to see built on top of data, and even better if it’s something you would use very often?