Creating commonality

In Chapter 1, Classifying Threats, we looked at the need for common naming and rating systems so that data could be communicated between organizations. Here, we will address the need for standardization within the organization.

In this section, we will look at how to standardize the data into a universal format, and how to normalize the storage of data. We will then look at how these processes can give a better insight into what is happening on the network or system.

These subject areas are specifically referenced as topics 4.1 and 4.2 in the 210-255 syllabus:

Implementing Cisco Cybersecurity Operations (210-255) topic list:

4.1 Describe the process of data normalization
4.2 Interpret common data values into a universal format

Organizations increasingly employ a range of defensive systems, typically from a range of suppliers. There are a number of reasons for this, ranging from distrust of a single supplier (consider the controversies over Huawei providing 5G infrastructure in some nations), through the different specialisms of security firms, to simply providing redundancy. Although many vendors provide a single dashboard for their own systems, fewer systems draw in data from multiple vendors.

Most questions posed to cybersecurity operators will require information from a number of different sources. To answer such a question, the operator must trawl through every log separately. The problem arises when multiple services have logged the same event: an IDS may log a potentially malicious file, which is then quarantined and logged by the antivirus system. Would this count once or twice when the question is how many security incidents there have been this month?

Worse still, let's say that the IDS classified the malicious file as a medium risk but the antivirus system classified it as high risk (both on arbitrary, vendor-specific scales). Would the risk of the event be high or medium in the report back to management? Should the IDS be made more stringent, or should the antivirus be made more lenient?

If, instead, all the separate logs were combined into one database, this would yield much more representative results.

This has led to the emergence of security information and event management (SIEM) tools; Splunk and SolarWinds are among the most well-known packages with SIEM features. These software packages can directly collect data themselves, instead of drawing in data from other providers. This allows a modular system, with different (and sometimes overlapping) defensive systems feeding a single administrator view.
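The two problems above (the same event counted twice, and two vendors rating it on incompatible scales) are what data normalization and a universal format are meant to solve. The following is an added example, not code from the book or from any SIEM product: it parses two constructed log formats (a hypothetical IDS line and a hypothetical antivirus line; neither is a real vendor format), maps each vendor's severity onto one universal scale, and then correlates events that share a host and file hash within a short time window into a single incident whose severity is the highest any source assigned. The field names, the four-level scale and the five-minute window are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines (hypothetical formats, not real vendor output).
IDS_LOGS = [
    "2024-03-01T10:00:05Z host=ws-17 sig=malware.download sha256=abc123 risk=medium",
    "2024-03-01T11:30:00Z host=ws-22 sig=port.scan risk=low",
]
AV_LOGS = [
    "[01/03/2024 10:00:09] ws-17 quarantine Trojan.Generic hash=abc123 severity=HIGH",
    "[01/03/2024 14:05:00] ws-03 quarantine Adware.Foo hash=def456 severity=MEDIUM",
]

# Universal severity scale (an assumption): 1 = low ... 4 = critical.
UNIVERSAL_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITY_LABEL = {v: k for k, v in UNIVERSAL_SEVERITY.items()}
# Each vendor's arbitrary scale mapped onto the universal one.
IDS_RISK_MAP = {"low": 1, "medium": 2, "high": 3}
AV_SEVERITY_MAP = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Event:
    """One log entry after normalization into the common schema."""
    timestamp: datetime
    source: str
    host: str
    severity: int            # on the universal scale
    indicator: Optional[str]  # file hash when the source recorded one
    description: str


def parse_ids(line: str) -> Event:
    # Format: ISO timestamp followed by key=value pairs.
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(
        timestamp=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        source="ids",
        host=fields["host"],
        severity=IDS_RISK_MAP[fields["risk"]],
        indicator=fields.get("sha256"),
        description=fields["sig"],
    )


def parse_av(line: str) -> Event:
    # Format: bracketed day/month/year timestamp, host, action, name, hash, severity.
    m = re.match(r"\[(.+?)\] (\S+) (\S+) (\S+) hash=(\S+) severity=(\S+)", line)
    if m is None:
        raise ValueError(f"unrecognised antivirus line: {line!r}")
    ts, host, action, name, file_hash, sev = m.groups()
    return Event(
        timestamp=datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"),
        source="av",
        host=host,
        severity=AV_SEVERITY_MAP[sev],
        indicator=file_hash,
        description=f"{action} {name}",
    )


def normalize(ids_lines: List[str], av_lines: List[str]) -> List[Event]:
    """Parse both feeds into the common schema and order them by time."""
    events = [parse_ids(l) for l in ids_lines] + [parse_av(l) for l in av_lines]
    return sorted(events, key=lambda e: e.timestamp)


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Merge events that share host and indicator within the window into one incident.

    The incident severity is the highest any contributing source assigned, so a
    medium IDS rating and a high antivirus rating report as one high incident.
    """
    incidents: List[Dict] = []
    for ev in events:
        for inc in incidents:
            if (ev.host == inc["host"] and ev.indicator is not None
                    and ev.indicator == inc["indicator"]
                    and ev.timestamp - inc["last_seen"] <= window):
                inc["sources"].add(ev.source)
                inc["severity"] = max(inc["severity"], ev.severity)
                inc["last_seen"] = ev.timestamp
                inc["descriptions"].append(f"{ev.source}: {ev.description}")
                break
        else:
            incidents.append({
                "host": ev.host, "indicator": ev.indicator,
                "first_seen": ev.timestamp, "last_seen": ev.timestamp,
                "severity": ev.severity, "sources": {ev.source},
                "descriptions": [f"{ev.source}: {ev.description}"],
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(IDS_LOGS, AV_LOGS)):
        print(inc["host"], SEVERITY_LABEL[inc["severity"]], sorted(inc["sources"]),
              "; ".join(inc["descriptions"]))
```

With the constructed input, the four raw log lines become three incidents: the file seen by both the IDS and the antivirus on ws-17 is reported once, at the higher of the two ratings, while the port scan (no file hash to correlate on) and the adware detection stay separate. The correlation key and window are the policy decision a real deployment has to make explicitly; whatever it chooses, it should be written down so that the count reported to management means the same thing every month.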
