The role of trusted data in security intelligence

The term ‘trust’ is defined as the reliability or integrity of something or someone. It is the cornerstone of business–trust in suppliers and business partners, trust in employees and trust in the effective governance of a business. Trust is also the cornerstone of customer relationships. If trust is eroded, a business can suffer badly in terms of its brand, reputation and ability to remain competitive.

Trust is also essential in operational matters. Organisations generate huge reams of data pertaining to the business. If data is inaccurate, unreliable or untrustworthy, unacceptable levels of risk can be introduced. Organisations must strive to ensure that data is accurate, reliable and complete to ensure its integrity. Only if data is deemed to be accurate, and therefore trustworthy, can organisations ensure that the information inferred from it is reliable enough to drive effective decision making.

Many organisations today are investing in analytics capabilities to gain a better understanding of the security information that is generated by systems throughout the network in order to derive actionable insight or intelligence. But, if you analyse data that is questionable, then the insight gained from it cannot be relied on.

I was discussing this recently with Piers Wilson of Tier-3, a vendor in the SIEM space. Piers made the point that an organisation’s data originates from systems that are used by users, administered by administrators and exposed to attack. Users and administrators can have varying degrees of competence and reliability. The insider threat is well known and mistakes and misconfigurations are commonplace. And all manner of attackers are targeting systems, looking to expose sensitive information or perhaps corrupt systems for a range of motives. Any of these factors can damage the accuracy, integrity and reliability of data collected–and hence the ability to trust it.

As Piers pointed out, if there is any doubt that data is unreliable or untrustworthy, layering security controls onto data that has been collected from systems throughout the network into a SIEM system may ensure that it has not been changed, altered or damaged since collection–but can you guarantee that what you started with is 100% trustworthy?

This shows the importance of securing the entire information supply chain–from the users who created it or received it from an external source, through how it flows through the network and is used, to its ultimate collection and storage. Has it been adequately protected at every point along this chain?

This points to the need, which is greater than ever, for tightly integrating network and endpoint security controls in order to engender trust in the systems that deliver information. Users must be controlled through granular access controls that take into account context, so that higher levels of security are applied to situations deemed less trustworthy, such as access attempts made over unsecured connections. Everyone must be made accountable and reliable records must be generated to ensure that no data has been accessed in appropriately, especially by privileged users.
Continuous monitoring of endpoint and network activity is required to root out abnormalities, including malware and other exploits, misconfigurations, missed patches and a host of other concerns. Organisations must ensure that all systems are maintained at an appropriate quality level and that the data they produce and contain can be trusted.

Organisations must strive to establish a solid trust model for all data flows across all systems connected to and within the network. They must ensure that that trust model adheres to their data and information governance, and risk management and compliance objectives. Policies must be adequately enforced and reliable audit trails generated.

The ability to use security analytics and intelligence to derive actionable insight is a capability that many organisations are striving for. But it can only be achieved by taking a joined up approach to security, making sure that the data feeds are not in any way tainted so that the outcome is trustworthy.