Break the hive mentality: going vendor agnostic with DataBee
It’s easy to get caught up in the hive mentality, and it happens more than you think when purchasing cybersecurity products and services.
Recently, the Federal Trade Commission has been launching investigations into anticompetitive practices in the cybersecurity industry. Anticompetitive practices can result in cybersecurity tools that don’t interoperate, or that are cost-prohibitive to make interoperate, keeping you “locked in” to that particular vendor. It’s time to break out of the hive mentality to build the security that enterprises deserve.
What is vendor lock-in?
Vendor lock-in is when a customer becomes dependent or over-reliant on a specific vendor’s product or services, making it difficult to break up or diversify from that vendor. This can happen when vendors create proprietary tools, systems, and products that deviate from open-source resources or industry standards. This makes the product incompatible with others and expertise in that product less transferable. Usually, the longer one is “locked-in,” the more challenging and expensive it becomes to transition away from that vendor.
Security teams should invest in tools that are compatible with a variety of product ecosystems across a variety of vendors and that can derive meaning and insights from across vendors.
How can DataBee help you avoid vendor lock-in?
DataBee’s cloud-native security and compliance data fabric offers users a vendor-agnostic solution that can extract data from various sources and transform it into the desired format to support continuous compliance, SIEM de-coupling, simple & advanced threat hunting, and behavioral baselines with anomaly detection.
We offer customers the freedom to leverage:
Data lakes and data sources of choice: DataBee offers an extensive list of supported data sources (250+ and counting) and data lakes, and the list is constantly expanding. Bring in data from disparate sources, and DataBee will serve as the glue to piece it all together. The data flows through DataBee, without needing it to be stored, entering our product as a raw event and exiting as a normalized and enriched full time-series dataset into your data storage solution of choice. There is no holding data hostage.
Visibility and compatibility across cloud, hybrid, and on-prem solutions: DataBee centralizes insights for all your data sources regardless of where they sit in your security architecture, enabling customers to extract more value from what they already have.
Data normalization via the Open Cybersecurity Schema Framework (OCSF): OCSF is an implementation-agnostic, open-source framework used for data normalization and standardization. Data normalization helps ensure that your information all speaks the same language, is stored only once, and is updated consistently throughout your database. This makes it easier for DataBee to correlate data, reduce redundancies, and derive insights with reliable results.
Sigma-formatted rules for streaming detections: DataBee’s active detection streams apply Sigma-formatted rules over OCSF-normalized security data while it is en route to its storage destination. This lets DataBee active detections integrate into an existing security ecosystem with minimal customization. Sigma rules provide a standardized syntax for defining detection logic, enabling security professionals to define the parameters for identifying potential security incidents. Because the Sigma-formatted detections in DataBee are written against OCSF fields, organizations can swap out security vendors without needing to update log parsers or security detection content.
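As an added illustration, not DataBee’s code or any published OCSF or Sigma library, the Python below sketches the pipeline just described: two constructed vendor log formats are normalized into OCSF-shaped events, a Sigma-style rule written against OCSF field paths is evaluated in flight, and only then is the event forwarded to storage. The OCSF field names, the “-adm” account suffix and the jump-host address range are assumptions made for the example.

```python
import json
import re

# Stage 1: vendor-specific parsers producing OCSF-shaped events. Field names
# follow my reading of the OCSF Authentication class (an assumption here):
# class_uid 3002, activity_id 1 = Logon, status_id 1 = Success / 2 = Failure.
def parse_vendor_a(line: str) -> dict:
    """Vendor A emits key=value lines (constructed format)."""
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {"class_uid": 3002, "activity_id": 1, "time": kv["ts"],
            "status_id": 2 if kv["result"] == "fail" else 1,
            "user": {"name": kv["user"]}, "src_endpoint": {"ip": kv["src"]},
            "metadata": {"product": {"name": "VendorA"}}}

def parse_vendor_b(line: str) -> dict:
    """Vendor B emits one JSON object per line (constructed format)."""
    rec = json.loads(line)
    return {"class_uid": 3002, "activity_id": 1, "time": rec["time"],
            "status_id": 2 if rec["EventType"] == "AuthFailure" else 1,
            "user": {"name": rec["Account"]}, "src_endpoint": {"ip": rec["ClientIP"]},
            "metadata": {"product": {"name": "VendorB"}}}

# Stage 2: a Sigma-style rule written against OCSF field paths, as a dict rather
# than YAML so the example needs no extra packages. The "-adm" suffix and the
# 10.0.0.0/24 jump-host range are constructed conventions for the example.
RULE = {
    "title": "Failed logon for privileged account",
    "detection": {
        "selection": {"class_uid": 3002, "status_id": 2, "user.name|endswith": "-adm"},
        "filter": {"src_endpoint.ip|startswith": "10.0.0."},
        "condition": "selection and not filter",
    },
}

def get_path(event: dict, path: str):
    """Resolve a dotted path such as 'user.name' inside a nested event."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(event: dict, key: str, expected) -> bool:
    """Plain equality or a contains/startswith/endswith modifier; a list is an OR."""
    path, _, modifier = key.partition("|")
    value = get_path(event, path)
    if value is None:
        return False
    for exp in (expected if isinstance(expected, list) else [expected]):
        s, e = str(value), str(exp)
        if ((modifier == "" and value == exp) or (modifier == "contains" and e in s)
                or (modifier == "startswith" and s.startswith(e))
                or (modifier == "endswith" and s.endswith(e))):
            return True
    return False

def rule_matches(event: dict, rule: dict) -> bool:
    det = rule["detection"]
    named = {n: all(field_matches(event, k, v) for k, v in sel.items())
             for n, sel in det.items() if n != "condition"}
    cond = det["condition"]
    if " and not " in cond:          # the two condition shapes used here: X, X and not Y
        keep, drop = cond.split(" and not ")
        return named[keep] and not named[drop]
    return named[cond]

# Stage 3: the streaming step. Each raw line is normalized, the rules run on the
# normalized event in flight, and the event is then forwarded to the lake.
def stream(lines, parser, rules: list, lake: list) -> list:
    detections = []
    for line in lines:
        event = parser(line)
        for rule in rules:
            if rule_matches(event, rule):
                detections.append({"rule": rule["title"], "user": event["user"]["name"],
                                   "src": event["src_endpoint"]["ip"], "time": event["time"]})
        lake.append(event)   # storage of choice; nothing is retained in the pipeline
    return detections

# Constructed sample logs: the same three logons as reported by two vendors.
VENDOR_A_LINES = [
    "ts=2024-06-01T10:00:00Z event=logon result=fail user=jdoe-adm src=203.0.113.7",
    "ts=2024-06-01T10:00:05Z event=logon result=ok user=jdoe src=203.0.113.7",
    "ts=2024-06-01T10:01:00Z event=logon result=fail user=ops-adm src=10.0.0.5",
]
VENDOR_B_LINES = [
    '{"time":"2024-06-01T10:00:00Z","EventType":"AuthFailure","Account":"jdoe-adm","ClientIP":"203.0.113.7"}',
    '{"time":"2024-06-01T10:00:05Z","EventType":"AuthSuccess","Account":"jdoe","ClientIP":"203.0.113.7"}',
    '{"time":"2024-06-01T10:01:00Z","EventType":"AuthFailure","Account":"ops-adm","ClientIP":"10.0.0.5"}',
]

def demo() -> tuple:
    """Swap vendor A for vendor B: only the parser changes, the rule does not."""
    lake_a, lake_b = [], []
    return (stream(VENDOR_A_LINES, parse_vendor_a, [RULE], lake_a),
            stream(VENDOR_B_LINES, parse_vendor_b, [RULE], lake_b))
```

Running `demo()` yields one identical detection from each vendor feed (the failed `jdoe-adm` logon from 203.0.113.7); the `ops-adm` failure is suppressed by the filter, and the success is never selected.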
What are the benefits of a vendor-agnostic approach?
Interoperability, scalability, and flexibility: DataBee brings disparate and diverse systems together under one roof. This lets you future-proof your organization: freely expand and evolve by adding or removing systems without affecting your compatibility with DataBee. Scale up to 10,000 streaming detections applied to petabytes of data a day in near real time without requiring an overhaul of your infrastructure.
Value-based purchasing: Being vendor agnostic allows you to choose the products that are the best for your needs and the best in the industry, allowing you to adopt tools that are “best-of-breed.” It also gives your employees exposure to industry-standard skills, tools, and techniques that will be transferable across a variety of products.
Cost-effectiveness: Over-reliance on a single product suite or vendor can be expensive. It can make pricing and contracts less competitive. It can also make deriving insights across systems more challenging if your systems do not play well with each other, requiring more time and resources to come to the same conclusion. Being vendor-agnostic enables you to maximize the value of the products you pay for while managing costs across all your systems.
Heightened visibility and control: Centralized monitoring across a variety of solutions allows you to make more intentional choices about the vendors you select and how you integrate them into your cybersecurity infrastructure. Some vendors may see what others do not, increasing the likelihood of a faster response.
Stronger security: Vendor agnosticism reduces overreliance on a single vendor to provide and maintain your suite of products. Vendor lock-in can consolidate your resources, leading to a highly consolidated attack surface or even a single point of failure. In the event of a security breach or outage, having many vendors can reduce your total attack surface and negative impacts on business operations.
Ready to break the hive mentality and empower your organization with a flexible, resilient security strategy? Request a custom demo to learn how DataBee can fast-track your transition to a vendor-agnostic approach.
Why a data fabric can make your data-driven security and compliance analytics easier
Data, data everywhere, and not a drop of insight. The enterprise collects terabytes of data from hundreds of different, disconnected security tools. Yet, while organizations have vast amounts of data, they struggle to be data-driven.
Internal stakeholders have their own tools to help them make tactical decisions. The compliance and audit team may use a governance, risk, and compliance (GRC) platform or Microsoft Excel. The security analysts may have a security information and event management (SIEM) tool, or two (maybe one cloud-delivered and one on-premises). The IT team might be using a ticketing system to manage issues like applying security updates to vulnerable devices.
Disconnected metrics create challenges as the enterprise attempts moving from a tactical to a strategic cybersecurity program. Siloed data limits usability as collecting the required metrics and statistics is time-consuming and, often, inaccurate. Consider the following examples and how connecting these metrics would provide holistic insights:
Inability to identify and connect responsible parties to non-compliance reports identifying gaps that were addressed, prioritized, or partially resolved
No clear call to action for security analysts reviewing metrics on threat blocking and vulnerability patching
No business context connecting to technical data about networks, systems, and devices
Connecting these metrics helps turn tactical data into strategic actions. Enterprises can use a security data fabric as a modern data architecture that streamlines their analytics processes while giving everyone access to, and strategic insight from, the data they need.
If you’d like to learn how DataBee® from Comcast Technology Solutions can help you collect and use outcome-driven, actionable contextual insights, we partnered with analyst firm IDC to help customers leverage a data fabric to enhance existing capabilities. Download the free report now: “IDC Spotlight: Principles of Being a Data-driven Cybersecurity Leader”.
Monitoring and logging: the eyes and ears of security
Why do monitoring and logging matter?
Although this is a foundational question in cybersecurity and networking, National Cybersecurity Awareness Month makes this a great time to (re)visit important topics.
Monitoring and logging are very similar to security cameras and home alarm systems. They help you keep an eye on what’s happening in your applications and systems. If – when – something unusual occurs, analysts can leverage information from monitoring and logging solutions to respond and manage potential issues.
In this blog, I explore some tips from my experience as a DevOps and Systems Engineer.
10 tips for effective monitoring and logging:
Set up alerts for unusual activity
Use monitoring tools to set up alerts for machine or human behaviors that don’t seem right. This could be, for example, a user who has experienced multiple failed logins attempts or a server with a sudden spike in traffic. This way, you can prioritize and quickly investigate suspicious activities.
If it’s important, log it
Adversaries are becoming clever in hiding their tracks. This makes logging key events, such as user logins, changes to business-critical data, and system errors, important. The information gleaned from logs can help shed light on a bad actor’s trail.
Regularly review logs
Don’t just collect logs—make it a habit to review them regularly. Collaborate with your team and experts to capture and understand details from logs. Look for patterns or anomalies that could indicate a security issue.
Leverage SIEMs
Security Information and Event Management (SIEM) tools are great to collect and analyze log data from different sources, helping you detect security incidents more efficiently.
Retain logs for digital forensics
Your industry regulations may already require this, but storing your logs will not only keep you compliant but can also help you perform security investigations. SIEMs can be expensive depending on the throughput of your organization. Security data fabrics, such as DataBee, can help you decouple storage and federate security data to a centralized location like a data lake, making it easier to search through raw logs or optimized datasets to help you catch important information.
Establish a response plan
Ideally before a security event occurs, your team should have a plan in place to respond to an incident. This should include who to contact and the steps to contain any potential threats.
Educate your team
Make sure everyone on your team understands the importance of monitoring and logging. Training can help them recognize potential security threats and respond appropriately.
Keep your tools updated
Regularly update your monitoring and logging tools to ensure you’re protected against the latest threats. Outdated tools might miss important security events.
Test your monitoring setup
Running tabletops can help you test your monitoring systems and response plans to ensure they’re working correctly. Simulate incidents to see if your alerts trigger as expected.
Stay informed
Keep up to date with the latest security trends and threats. This knowledge can help you improve your monitoring and logging practices continuously.
By following these tips, you can enhance your organization's security posture and respond more effectively to potential threats. Monitoring and logging might seem like technical tasks, but they play a vital role in keeping your systems safe!
How Continuous Controls Monitoring (CCM) can make cybersecurity best practices even better
Like many cybersecurity vendors, we like to keep an eye out for the publication of the Verizon Data Breach Investigations Report (DBIR) each year. It’s been a reliable way to track the actors, tactics and targets that have forced the need for a cybersecurity industry and to see how these threats vary from year to year. This information can be helpful as organizations develop or update their security strategy and approaches.
All of the key attack patterns reported on in the DBIR have been mapped to the Critical Security Controls (CSC) put out by the Center for Internet Security (CIS), a community-driven non-profit that provides best practices and benchmarks designed to strengthen the security posture of organizations. According to the CIS, these Controls “are a prescriptive, prioritized and simplified set of best practices that you can use to strengthen your cybersecurity posture.”
Many organizations rely on the Controls and Safeguards described in the CIS CSC document to guide how they build and measure their security program. Understanding this, we thought it might be useful to map the Incident Classification Patterns described in the 2024 DBIR report, to the guidance provided in the CIS Critical Security Controls, Version 8.1, and then to the CSC Controls and Safeguards that DataBee for Continuous Controls Monitoring (CCM) reports on. As you’ll see, CCM – whether from DataBee or another vendor (😢) – is a highly useful way to measure progress toward effective controls implementation.
The problem, proposed solutions, and how to measure their effectiveness
The 2024 DBIR identifies a set of eight patterns for classifying security incidents, with categories such as System Intrusion, Social Engineering, and Basic Web Application Attacks leading the charge. Included in the write-up of each incident classification is a list of the Safeguards from the CIS Critical Security Controls that describe “specific actions that enterprises should take to implement the control.” These controls are recommended for blocking, mitigating, or identifying that specific incident type. CIS Controls and Safeguards recommended to combat System Intrusion, for example, include: 4.1, Establish and Maintain a Secure Configuration Process; 7.1, Establish and Maintain a Vulnerability Management Process; and 14, Security Awareness and Skills Training. Similar lists of Controls and Safeguards are provided in the DBIR for other incident classification patterns.
Continuous Controls Monitoring (CCM) is an invaluable tool to measure implementation for cybersecurity controls, including many of the CIS Safeguards. These might include measuring the level of deployment for a solution within a population of assets, e.g., is endpoint detection and response implemented on all end user workstations and laptops? Or has a task been completed within the expected timeframe, such as the remediation of a vulnerability, closure of a security policy exception, or completion of secure code development training? While reporting on these tasks individually may seem easy enough, CCM takes it to the next level by reporting on a large set of controls through a single interface, rather than requiring users to access a series of different interfaces for every distinct control. Additionally, CCM supports the automation of data collection and then refreshing report content so that the data being reported is kept current with significantly less effort.
Doing (and measuring) “the basics”
The CIS CSCs are divided into three “implementation groups.” The CIS explains implementation groups this way: “Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Critical Security Controls.” The CIS defines Implementation Group 1 (IG1) as “essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises.” In the CIS CSCs v8.1, there are 56 Safeguards in implementation group 1, slightly more than a third of the total Safeguards. Interestingly, most of the Safeguards listed by Verizon in the DBIR are from implementation group 1, the Safeguards for essential cyber hygiene, that is, “the basics.”
Considering “the basics,” a few years ago, the 2021 Data Breach Investigations Report made this point:
“The next time we are up against a paradigm-shifting breach that challenges the norm of what is most likely to happen, don’t listen to the ornithologists on the blue bird website chirping loudly that “We cannot patch manage or access control our way out of this threat,” because in fact “doing the basics” will help against the vast majority of the problem space that is most likely to affect your organization.” (page 11)
Continuous controls monitoring is ideally suited to help organizations measure their progress when implementing essential security controls. That is, those controls that will help against “the vast majority of the problem space.” These essential controls are the necessary foundation on which more specialized and sophisticated controls can be built.
Moving beyond the basics
Of course, CCM is not limited to reporting on the basics. As Verizon notes, the CIS Safeguards listed in the 2024 DBIR report are only a small subset of those which could help to protect the organization, or to detect, respond to, or recover from an incident. Any control which lends itself to measurement, especially when expressed as a percentage of implementation, is a viable candidate for CCM. Additionally, the measurement can be compared against a target level of compliance, a Key Performance Indicator (KPI), to assess if the target is being met, exceeded, or if additional work is needed to reach it.
The Critical Security Controls from CIS provide a pragmatic and comprehensive set of controls for organizations to improve their essential cybersecurity capabilities. CCM provides a highly useful solution to measure the progress towards effective implementation of the controls, both at the organization level, and the levels of management that make up the organization.
Mapping incident classification patterns to CIS controls & safeguards to DataBee for Continuous Controls Monitoring dashboards
DataBee’s CCM solution provides consistent and accurate dashboards that measure how effectively controls have been implemented, and it does this automatically and continuously. Turns out, it produces reports on many of the Controls and Safeguards detailed in the CIS CSC. Here are some examples:
The DBIR recommends Control 04, "Secure Configuration of Enterprise Assets and Software," as applicable for several Incident Classification Patterns, namely System Intrusion and Privilege Misuse. The Secure Configuration dashboard in DataBee for Continuous Controls Monitoring reports on this CSC Control and many of its underlying Safeguards.
Control 10, “Malware Defenses,” is also listed as a response to System Intrusion in the DBIR. The Endpoint Protection dashboard supports this control. It shows the systems protected by your endpoint detection and response (EDR) solutions and compares them to assets expected to have EDR installed. DataBee reports on the assets missing EDR and which consequently remain unprotected.
“Security Awareness and Skills Training,” Control 14, is noted in the DBIR as a response to patterns System Intrusion, Social Engineering, and Miscellaneous Errors. The DataBee Security Training dashboard can provide status on training from all the sources used by your organization.
In addition to supporting the controls and safeguards listed in the DBIR, the DataBee dashboards also report on CSC controls such as Control 01, “Inventory and Control of Enterprise Assets.” While the DBIR does not list Control 01 explicitly, the information reported by the Asset Management dashboard in DataBee is needed to support Secure Configuration, Endpoint Protection, and the other dashboards that do cover the CIS controls listed in the DBIR.
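As an added example (not DataBee code), the Python below computes two of the CCM measurements described above: EDR coverage against the assets expected to carry an agent (Control 10, as the Endpoint Protection dashboard does) and vulnerability remediation within the expected timeframe (Safeguard 7.1), each as a percentage of implementation rolled up to the enterprise and per business unit and judged against a KPI target. The inventory, agent export, tickets, SLA days and targets are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Asset:
    asset_id: str
    unit: str    # business unit: the management level the metric rolls up to
    kind: str

@dataclass(frozen=True)
class Vuln:
    asset_id: str
    severity: str
    opened: date
    closed: Optional[date]   # None = still open

# Constructed inventory (CMDB-like), EDR console export and vulnerability tickets.
INVENTORY = [
    Asset("ws-001", "Retail", "workstation"), Asset("ws-002", "Retail", "workstation"),
    Asset("lt-003", "Retail", "laptop"),      Asset("pr-004", "Retail", "printer"),
    Asset("sv-010", "Corp", "server"),        Asset("sv-011", "Corp", "server"),
    Asset("lt-012", "Corp", "laptop"),        Asset("lt-013", "Corp", "laptop"),
    Asset("lt-014", "Corp", "laptop"),
]
EDR_AGENTS = {"ws-001", "ws-002", "lt-003", "sv-010", "lt-012", "lt-013", "lt-014"}
VULNS = [
    Vuln("ws-001", "critical", date(2024, 6, 1), date(2024, 6, 10)),   # closed in 9 days
    Vuln("sv-011", "critical", date(2024, 5, 20), None),               # open, past SLA
    Vuln("lt-012", "high", date(2024, 6, 15), None),                   # open, inside SLA
    Vuln("lt-003", "high", date(2024, 4, 1), date(2024, 5, 15)),       # closed late
    Vuln("sv-010", "critical", date(2024, 6, 25), date(2024, 6, 28)),  # closed in 3 days
    Vuln("ws-002", "low", date(2024, 3, 1), None),                     # no SLA, out of scope
]
AS_OF = date(2024, 6, 30)   # reporting date for the constructed data

# Assumed policy: which asset kinds must run EDR, how many days each severity
# may stay open, and the KPI target each percentage is judged against.
EXPECTS_EDR = {"workstation", "laptop", "server"}
SLA_DAYS = {"critical": 14, "high": 30}
KPI_TARGET = {"edr_coverage": 95.0, "vuln_remediation_in_sla": 90.0}

def pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 100.0

def edr_coverage(inventory, agents, unit=None) -> dict:
    """CIS Control 10: share of in-scope assets that report into the EDR console."""
    scope = [a for a in inventory if a.kind in EXPECTS_EDR and unit in (None, a.unit)]
    missing = sorted(a.asset_id for a in scope if a.asset_id not in agents)
    return {"control": "CIS 10", "metric": "edr_coverage", "unit": unit or "enterprise",
            "in_scope": len(scope), "missing": missing,
            "pct": pct(len(scope) - len(missing), len(scope))}

def vuln_remediation_in_sla(vulns, inventory, as_of: date, unit=None) -> dict:
    """CIS Safeguard 7.1: share of tickets closed, or still open, within their SLA."""
    unit_of = {a.asset_id: a.unit for a in inventory}
    scope = [v for v in vulns if v.severity in SLA_DAYS and unit in (None, unit_of[v.asset_id])]
    def within_sla(v: Vuln) -> bool:   # an open ticket is measured against today
        return ((v.closed or as_of) - v.opened).days <= SLA_DAYS[v.severity]
    late = sorted(f"{v.asset_id}:{v.severity}" for v in scope if not within_sla(v))
    return {"control": "CIS 7.1", "metric": "vuln_remediation_in_sla", "unit": unit or "enterprise",
            "in_scope": len(scope), "late": late, "pct": pct(len(scope) - len(late), len(scope))}

def ccm_report(inventory, agents, vulns, as_of: date) -> list:
    """Enterprise roll-up plus one row per unit, each judged against its KPI target."""
    rows = []
    for unit in [None] + sorted({a.unit for a in inventory}):
        for row in (edr_coverage(inventory, agents, unit),
                    vuln_remediation_in_sla(vulns, inventory, as_of, unit)):
            row["target"] = KPI_TARGET[row["metric"]]
            row["status"] = "met" if row["pct"] >= row["target"] else "gap"
            rows.append(row)
    return rows

if __name__ == "__main__":
    for r in ccm_report(INVENTORY, EDR_AGENTS, VULNS, AS_OF):
        print(f'{r["control"]:<8} {r["unit"]:<11} {r["pct"]:>5}% target {r["target"]}% -> {r["status"]}')
```

Re-running `ccm_report` as the inventory, agent export and ticket queue are refreshed is the “continuous” part; the gap rows are the ones a dashboard would surface, with the `missing` and `late` lists giving the assets to act on.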
With the incident patterns in the 2024 Verizon Data Breach Investigations Report mapped to the Critical Security Controls and Safeguards provided by the Center for Internet Security, security teams are given a great start – or reminder – of the best practices and tools that can help them avoid falling ‘victim’ to these incidents. Continuous controls monitoring bolsters an organization’s security posture even more by delivering dashboards that report on the performance of an organization’s controls; reports that provide actionable insights into any security or compliance gaps.
If you’d like to learn more about how DataBee for Continuous Controls Monitoring supports the Controls and Safeguard recommendations provided in the CIS CSC, be in touch. We’d love to help you get the most out of your security investments.
Status Update: DataBee is now an AWS Security Competency Partner
We are proud to announce that DataBee is recognized as one of only 35 companies to achieve the AWS Security Competency in Threat Detection and Response. We have worked diligently to help customers gain faster, better insights from their security data, making today meaningful to us as a team. This exclusive recognition underscores the value and impact that DataBee’s advanced capabilities bring to customers.
Achieving an AWS Security Competency requires us to have deep technical AWS expertise. Inspired by Comcast's internal CISO and CTO organization, the DataBee platform connects disparate security data sources and feeds, enabling customers to optimize their AWS resources. Our AWS Competency recognition validates our ability to leverage our internal, technical AWS knowledge so that customers can achieve the same proven-at-scale benefits.
More importantly, earning this badge is a testament to the success we have achieved in partnering with our customers, and validates that DataBee has enabled customers to transform vast amounts of security data into actionable insights for threat detection and response.
Our continued collaboration with AWS reflects our dedication to driving innovation and delivering high-quality security solutions that meet the evolving needs of our customers. We are proud to be recognized for our efforts and remain committed to helping our customers achieve their security goals efficiently and effectively.
Mastering DORA compliance and enhancing resilience with DataBee
Recently, DataBee hosted a webinar focused on the Digital Operational Resilience Act (DORA), a pivotal piece of EU legislation that is set to reshape the cybersecurity landscape for financial institutions. The talk featured experts Tom Schneider, Cybersecurity GRC Professional Services Consultant at DataBee and Annick O'Brien, General Counsel at CybSafe, who delved into the intricacies of DORA, its implications, and actionable strategies for compliance.
5 Key Takeaways for mastering DORA compliance and enhancing resilience:
In an effort to open a dialogue and help organisations that need to comply with DORA, we are sharing the takeaways from our webinar.
The Essence of DORA: DORA is not just another cybersecurity regulation; it addresses the broader scope of operational risk in the financial sector. Unlike frameworks that focus solely on specific cybersecurity threats or data protection, DORA aims to ensure that organisations can maintain operational resilience, even in the face of significant disruptions. This resilience means not just preventing breaches but also being able to recover swiftly when they occur.
Broad Applicability: DORA's reach extends beyond traditional banks, capturing a wide array of entities within the financial ecosystem, including insurance companies, reinsurance firms, and even crowdfunding platforms. The act emphasizes that any organisation handling financial data needs to be vigilant, especially as DORA becomes fully enforceable in January 2025.
Third-Party Risks: A significant portion of the webinar focused on the risks associated with third-party service providers, particularly cloud service providers. DORA places the onus on financial institutions to ensure that their third-party vendors are compliant with the same rigorous standards. This includes having robust technical and operational measures, conducting regular due diligence, and ensuring these providers can maintain operational resilience.
Concentration of Risk: DORA introduces the concept of concentration risk, which refers to the potential danger when an entire industry relies heavily on a single service provider. The webinar highlighted recent incidents, such as the CrowdStrike and Windows issues, underscoring the importance of not only identifying these risks but also diversifying to mitigate them.
Principles-Based Approach: Unlike prescriptive regulations, DORA is principles-based, focusing on the outcomes rather than the specific methods organisations must use. This approach requires financial institutions to continuously assess and update their operational practices to ensure resilience in a rapidly evolving technological landscape.
Moving Forward:
As the January 2025 deadline approaches, organisations are urged to review their existing compliance frameworks and identify how they can integrate DORA's requirements without reinventing the wheel. Many of the principles within DORA overlap with other frameworks like GDPR and NIST, providing a foundation that organisations can build upon.
For those grappling with the complexities of DORA, the webinar emphasized the importance of preparation, regular testing, and continuous improvement. By leveraging existing policies and procedures, financial institutions can align with DORA's objectives and ensure they are not only compliant but also resilient in the face of future challenges.
DataBee can significantly enhance compliance with DORA by streamlining the management of information and communication technology (ICT) assets. The DataBee for Continuous Controls Monitoring (CCM) offering weaves together data across multiple sources, enabling organisations to automate the creation of a reliable asset inventory. By providing enriched datasets and clear entity resolution, DataBee reduces the complexity of managing and monitoring ICT assets, improves auditability, and ensures that compliance and security measures are consistently met across the enterprise, ultimately supporting the resilience and security of critical business operations.
Watch the recording of the webinar here or request a demo today to discover how DataBee can help you become DORA compliant.
Bee sharp: putting GenAI to work for asset insights with BeeKeeper AI™
Artificial intelligence (AI) and music are a lot alike. When you have the right components together, like patterns in melodies and rhythms, music can be personal and inspire creativity. In my experience having worked on projects that developed AI for IT and security teams, data can help recognize patterns from day-to-day activities and frustrations that can be enhanced or automated.
I started working in AI technology development nearly a decade ago. I loved the overlaps between music and programming. Both begin with basic rules and theory, but it is the human element that brings AI (and music) to life.
Recently, we launched BeeKeeper AI™ from DataBee, a generative AI (genAI) tool that uses patent-pending entity resolution technology to find and validate asset and device ownership. Inspired by our own internal cybersecurity and operations teams’ struggles with chasing down ownership, which sometimes added up to 20+ asset owner reassignments, we knew there was a better way forward. Through integrations with enterprise chat clients like Teams, BeeKeeper AI uses your data to speak to your end users, replacing the otherwise arduously manual process of confirming or redirecting asset ownership.
What’s the buzz about BeeKeeper AI from DataBee?
Much like how a good song metaphorically speaks to the soul, BeeKeeper AI’s innovative genAI approach is tuned to leverage ownership confidence scores that prompt it to proactively reach out to end users. Now, IT admins and operations teams don’t have to spend hours each day reaching out to asset owners who often become frustrated over having their day interrupted. Further, by using BeeKeeper AI for ‘filling in the blanks’ of unclaimed or newly discovered assets, you have an improved dataset of who to reach out to when security vulnerabilities and compliance gaps appear.
BeeKeeper AI, a part of DataBee for Security Hygiene and Security Threats, uses an entity resolution technology to identify potential owners for unclaimed assets and devices based on a few factors such as comparing authentication logs.
BeeKeeper AI is developed with a large language model (LLM) that features strict guardrails to keep conversations on track and hallucinations at bay when engaging these potential owners. This means that potential asset owners can simply respond “yes” or suggest someone else and move on with their day.
Once users respond, BeeKeeper AI can do the rest – including looking for other potential owners, updating the DataBee platform, and even updating the CMDB, sharing its learnings with other tools.
Automatic updates to improve efficiency and collaboration
Most IT admins and operations teams heave a sigh every time they have to manually update their asset inventories. If you’ve been using spreadsheets to maintain a running, cross-referenced list of unclaimed devices and potential owners, then you’re singing the song of nearly every IT department globally.
This is where BeeKeeper AI harmonizes with the rest of your objectives. When BeeKeeper AI automatically updates the DataBee platform, everyone across the different teams has a shared source of data, including:
IT
Operations
Information security
Compliance
Unknown or orphaned assets are everyone’s responsibility as they can become a potential entry point for security incidents or create compliance gaps. BeeKeeper AI can even give you insights from its own activity, allowing you to run user engagement reports to quantify issues like:
Uncooperative users
Total users contacted and their responses
Processed assets, like validated and denied assets
Since it automatically updates the DataBee platform, BeeKeeper AI makes collaboration across these different teams easier by ensuring that they all have the same access to cleaner and more complete user and asset information that has business context woven in.
Responsible AI for security data
AI is a hot topic, but not all AI is the same. At DataBee, we believe in responsible AI with proper guardrails around the technology’s use and output.
As security professionals, we understand that security data can contain sensitive information about your people and your infrastructure. BeeKeeper AI starts from your clean, optimized DataBee dataset and works within your contained environment. Unique to each organization’s data, BeeKeeper AI’s guardrails keep sensitive data from leakage.
This is why BeeKeeper AI sticks to what it knows, even when someone tries to take it off task. Our chatbot isn’t easily distracted and refocuses attempts to engage back to its sole purpose - identifying and finding the right asset owners.
Making honey out of your data with BeeKeeper AI
BeeKeeper AI leverages your security data to proactively reach out to users and verify whether they own assets. With DataBee, you can turn your security data into analytics-ready datasets to get insights faster. Let BeeKeeper AI manage your hive so you can focus on making honey out of your data.
If you’re ready to reduce manual, time-consuming, collaboration-inhibiting processes, request a custom demo to see how DataBee for Security Hygiene can help you sing a sweeter tune.
DataBee: Who do you think you are?
2024 has been a big “events” year for DataBee as we’ve strived to raise awareness of the new business and the DataBee Hive™ security, risk and compliance data fabric platform. We’ve participated in events across North America and EMEA including Black Hat USA, the Gartner Security & Risk Management Summits, FS-ISAC Summit, Snowflake Data Cloud Summit and AWS re:Inforce, and of course, the RSA Conference. At RSA, we introduced to the community our sweet (haha) and funny life-size bee mascot, who ended up being a big hit among humans and canines alike.
Participation in these events has been illuminating on many important fronts. For the DataBee “hive” it’s been invaluable, not only for the conversations and insights we gain from real users across the industry, but also for the feedback we receive as we share the story of DataBee’s creation and how it was inspired by the security data fabric that Comcast’s Global CISO, Noopur Davis, and her team developed. In general, we’ve been thrilled with the response that DataBee has received, but consistently, there’s one piece of attendee feedback that really gives us pause:
“Why would Comcast Technology Solutions enter the cybersecurity solutions space?”
In other words, “what the heck is Comcast doing here?”
This statement makes it pretty clear: Comcast might be synonymous with broadband, video, media and entertainment services and experiences, but may be less associated with cybersecurity.
But it should be. While Comcast and Xfinity may not be immediately associated with cybersecurity, Comcast Business, a $10 billion business within Comcast, has been delivering advanced cybersecurity solutions to businesses of all sizes since 2018. With our friends at Comcast Business, the DataBee team is working hard to change perceptions and increase awareness of Comcast’s rich history of innovation in cybersecurity.
Let’s take a quick look at some of the reasons why the Comcast name should be synonymous with cybersecurity:
Comcast Business
Comcast Business is committed to helping organizations adopt a cybersecurity posture that meets the diverse and complex needs of today’s cybersecurity environment. Comcast Business’ comprehensive solutions portfolio is specifically engineered to tackle the multifaceted challenges of the modern digital landscape. With advanced capabilities such as real-time threat detection and response, Comcast Business solutions help protect businesses. Whether through Unified Threat Management systems that simplify security operations, cloud-based solutions that provide flexible defenses, or DDoS mitigation services that help preserve operational continuity, Comcast Business is a trusted partner in cybersecurity. Comcast Business provides the depth, effectiveness, and expertise necessary to enhance enterprise security posture through:
SecurityEdge™
Offering advanced security for small businesses, SecurityEdge™ is a cloud-based Internet security solution that helps protect all connected devices on your network from malware, phishing scams, ransomware, and botnet attacks.
SD-WAN with Advanced Security
Connect users to applications securely both onsite and in the cloud
Unified Threat Management (UTM)
Delivered by industry leading partners, UTM solutions provide an integrated security platform that combines firewall, antivirus, intrusion prevention, and web filtering to simplify management and enhance visibility across the network.
DDoS Mitigation
Protection against disruption caused by Distributed Denial of Service attacks, helping to identify and block anomalous spikes in traffic while preserving the desired functionality of your services.
Secure Access Service Edge (SASE)
Integrating networking and security into a unified cloud-delivered service model, our SASE framework supports dynamic secure access needs of organizations, facilitating secure and efficient connectivity for remote and mobile workers.
Endpoint Detection and Response (EDR)
Help safeguard devices connected to your enterprise network, using AI to detect, investigate, remove, and remediate malware, phishing, and ransomware
Managed Detection and Response (MDR)
Extend EDR capabilities to the entire network and detect advanced threats, backed up with 24/7 monitoring by a team of cybersecurity experts.
Vulnerability Scanning and Management
Helps identify and manage security weaknesses in the network and software systems, a proactive approach that helps close potential entry points for threat actors.
Comcast Ventures
Did you know that Comcast has a venture capital group that backs early-to-growth stage startups that are transforming sectors like cybersecurity, AI, healthcare, and more?
Some of the innovative cybersecurity, data and AI-specific companies that Comcast Ventures has invested in include:
BigID
SafeBase
HYPR
Resemble AI
Bitsight
Uptycs
Recently, cybersecurity investment and advisory firm NightDragon announced a strategic partnership with Comcast Technology Solutions (CTS) and DataBee that also included Comcast Ventures. As a result of this strategic partnership, CTS, Comcast Ventures and DataBee will gain valuable exposure to the new innovations coming from NightDragon companies.
Comcast Cybersecurity
As I write this, Comcast Corporation is ranked 33 on the Fortune 500 list, so – as you might guess – it has an expansive internal cybersecurity organization. With $121 billion+ in annual revenues, over 180,000 employees around the globe, and a huge ecosystem of consumers and business customers and partners, Comcast takes its security obligations very seriously.
Our cyber professionals collectively hold and are awarded multiple patents each year. We lead standards bodies, and we participate and provide leadership in multiple policy forums. Our colleagues contribute to Open-Source communities where we share our security innovations. We are an integral part of the global community of cybersecurity practitioners – we present at conferences, learn from our peers, hold multiple certifications, and publish in various journals. We are a contributing member of the Communications ISAC, and the CISA Joint Cyber Defense Collaborative. A sampling of internal research and development efforts within Comcast’s cybersecurity organization include:
One-time secure secrets sharing
Security data fabric (Note: the inspiration for DataBee®)
Anomaly detection
AI-based secrets detection in code
AI-based static code analysis for privacy
Crypto-agility risk assessment
Machine-assisted security threat modeling
Scoping of threats against AI/ML apps
Persona-based privacy threat modeling
PKI and token management systems
Certificate lifecycle management and contribution to industry IoT stock
R&D for BluVector Network Detection and Response (NDR) product
The Comcast Cyber Security (CCS) Research team, “conducts original applied and fundamental cybersecurity research”. Selected projects that the team is working on include research on security and human behavior, security by design, and emerging technologies such as post quantum cryptography. CCS works with technology teams across Comcast to identify and explore security gaps in the broader cyber ecosystem.
The Comcast Cybersecurity team’s work developing and implementing a security data fabric platform was the inspiration for what has become DataBee. Although the DataBee team has architected and built its commercial DataBee Hive™ security, risk and compliance data fabric platform from “scratch” (so to speak), it was Comcast’s internal platform – and the great results that it has delivered, and continues to deliver – that proved such a solution could be a game-changer, especially for large, complex organizations. While DataBee Hive has been designed to address the needs and scale of any type of enterprise or IT architecture, we were fortunate to be able to tap into the learnings that came from the years and countless person-hours of development that went into building Comcast’s internal security data fabric platform, and then operating it at scale.
DataBee Cybersecurity Suite
Besides being home to the DataBee Hive security data fabric platform and products, it’s worth noting that the DataBee business unit of Comcast Technology Solutions is also home to BluVector, an on-premises network detection and response (NDR) platform. Comcast acquired BluVector in 2019; the platform was purpose-built to protect critical government and enterprise networks. BluVector continues to deliver AI-powered NDR for visibility across network, devices, users, files, and data to discover and hunt skilled and motivated threats.
Comcast and cybersecurity? Of course.
So, the next time you come across DataBee, from Comcast Technology Solutions, and you think to yourself “why is Comcast in the enterprise security market with DataBee?!” – think again.
From small and mid-size organizations to large enterprises and government agencies; and from managed services to products and solutions; and from on-premises to cloud-native… Comcast’s complete cybersecurity “portfolio” covers the gamut.
Want to connect with someone to determine what’s right for your organization? Contact us, and in “Comments”, let us know if you’d like to evaluate solutions from both DataBee and Comcast Business. We’ll look forward to exploring options with you!
Compliance Takes a Village: Celebrating National Compliance Officer Day
If the proverb is, it takes a village to raise a child, then the corollary in the business world is that it takes a village to get compliance right. And in this analogy, compliance officers are the mayor of this village. Compliance officers schedule audits, coordinate activities, oversee processes, and manage documentation. They are the often-unsung heroes whose work acts as the foundation of your customers’ trust, helping you achieve certifications and mitigate risk.
While your red teamers and defenders get visibility because they sit at the frontlines, your compliance team members are strategizing and carving paths to reduce risk and enable programs. For this National Compliance Officer Day, we salute these mayors of the compliance village in their own words.
Feeling Gratitude
There is a great amount of pride when compliance officers are able to help you build trust with your customers, but there is also an immense amount of gratitude from the compliance teams for the internal relationships built within the enterprise.
Yasmine Abdillahi, Executive Director of Security Risk and Compliance and Business Information Security Officer at Comcast, expressed gratitude for executive leader Sudhanshu Kairab, whose ability to grasp the core business fundamentals has allowed Comcast to implement robust compliance frameworks that mitigate risks and support growth and trust.
“[Sudhanshu] consistently demonstrates a keen awareness of industry trends, enabling us to stay ahead of emerging challenges and opportunities. His ability to sustain and nurture a strong network, both internally and externally, has proven invaluable in fostering collaboration and ensuring we remain at the forefront of GRC best practices. His multifaceted approach to leadership has not only strengthened our risk posture but has also positioned our GRC function as a key driver of innovation and business growth.”
Compliance professionals rely on their strategic internal business partners to succeed. When enterprise leaders empower the GRC function, compliance and risk managers can blossom into their best business enabling selves.
In return, compliance leaders allow the enterprise to provide customers with the assurance they need. In today’s “trust but verify” world, customers trust the business when the compliance function can verify the enterprise security posture.
Collaboration, Communication, and Education
At its core, your compliance team acts as the communications glue that binds together the various cybersecurity functions.
For Tom Schneider, who is a part of the DataBee team as a Cybersecurity GRC Professional Services Consultant, communication has been essential to his career. When working to achieve compliance with a control, communicating clearly and specifically is critical, especially when cybersecurity is not someone’s main responsibility. Clear communication educates both sides of the compliance equation.
“Throughout my career, I have learned from the many people I’ve worked with. They have included management, internal and external customers, and auditors. I’ve learned from coworkers that were experts in some specific technology or process, such as vulnerability management or identity management, as well as from people on the business side and how things appear from their perspective.”
GRC’s cross-functional nature makes compliance leaders some of the enterprise’s most impactful teachers and learners. Compliance officers collaborate across different functions - security, IT, and senior leadership. As they learn from their internal partners, they, in turn, educate others.
Compliance officers are so much more than the controls they document and the checklists they review. They facilitate collaboration because they can communicate needs and build a shared language.
Compliance Officers: Keeping It All Together
A compliance officer’s role in your organization goes far beyond their job descriptions. They are cross-functional facilitators, mentors, learners, leaders, enablers, and reviewers. They are the ones who double check the organization’s cybersecurity work. Every day, they work quietly in the background, but for one day every year, we have the opportunity to let them know how important they are to the business.
DataBee from Comcast Technology Solutions gives your compliance officer a way to keep their compliance and business data together so they can communicate more effectively and efficiently. Our security data fabric empowers all three lines of defense - operational managers, risk management, and internal audit - so they can leave behind spreadsheets and point-in-time compliance reporting, relics of the past. By leveraging the full power of your organization’s data, compliance officers can implement continuous controls monitoring (CCM) with accurate compliance dashboards and reports for measuring risk and reviewing controls’ effectiveness.
From our Comcast compliance team to yours, thank you for all you do. We see you and appreciate you - today and every day.
Best practices for PCI DSS compliance...and how DataBee for CCM helps
For planning compliance with the Payment Card Industry Data Security Standard (PCI DSS), the PCI Security Standards Council (SSC) supplies a document that provides excellent foundational advice for both overall cybersecurity, and PCI DSS compliance. Organizations may already be aware of it, but regardless, it is a useful resource. And, it is interesting to read with Continuous Controls Monitoring (CCM) in mind.
The document lists 10 Recommendations for best practices which are useful, not just for PCI DSS compliance, but for overall security and compliance with organizational policies as well as frameworks and regulations to which the entity is subject. The best practices place a strong emphasis on ongoing, continuous compliance. That is, for organizations “to protect themselves and their customers from potential losses or damages resulting from a data breach, they must strive for ways to maintain a continuous state of compliance throughout the year rather than simply seeking point-in-time validation.”
While the immediate goal may be to attain a compliant Report on Compliance (ROC), that immediate goal, and the longer-term viability of the security program, are aided by establishing a program around continuous compliance and the ability to measure it.
Here are the SSC’s 10 Best Practices for Maintaining PCI DSS Compliance:
Develop and Maintain a Sustainable Security Program
Develop Program, Policy, and Procedures
Develop Performance Metrics to Measure Success
Assign Ownership for Coordinating Security Activities
Emphasize Security and Risk Management to Attain and Maintain Compliance
Continuously Monitor Security Controls
Detect and Respond to Security Control Failures
Maintain Security Awareness
Monitoring Compliance of Third-Party Service Providers
Evolve the Compliance Program to Address Changes
Some detail around the 10
The first recommendation, “Develop and Maintain a Sustainable Security Program” is short, but notes that, “Any cardholder data not deemed critical to business functions should be removed from the environment in accordance with the organization’s data-retention policies… In addition, organizations should evaluate business and operating procedures for alternatives to retaining cardholder data.” Outsourcing the processing of cardholder data to entities that specialize in this work is an option that many organizations take. When that is not a viable option, minimizing the amount of data collected, and securely deleting it as specified in the organization’s data retention policy is the next best option.
“Develop Program, Policy, and Procedures” is the second recommendation. Along with developing and maintaining these documents, accountability must be assigned “to ensure the organization's sustainable compliance.” Additionally, PCI DSS v4.0 has a requirement under each of the twelve principal requirements stating that “Roles and responsibilities for performing activities” for each principal requirement “are documented, assigned, and understood.” If this role does not already exist, something for organizations to consider would be designating a “compliance champion” for each business unit. The compliance champions could work with their management to assume accountability for the control compliance for assets and staff assigned to the business unit.
“Develop Performance Metrics to Measure Success” follows. This recommendation includes “Implementation metrics” (which measure the degree to which a control has been implemented, and are usually described as percentages), and “Efficiency and Effectiveness Measures” (which evaluate attributes such as completeness, consistency, and timeliness). These metrics show if a control has been implemented over the expected range of the organization’s assets, if it has been implemented consistently, and is being executed when expected. These metrics play a key role in assessing compliance in a continuous way.
Measuring implementation metrics, and effectiveness metrics for completeness and consistency, is a core component of DataBee for CCM. For example, in the case of asset management, users can see whether assets in scope for PCI DSS are flagged as in scope correctly, whether the asset owner is accurate, and whether other data points such as physical location are present. Seeing continuously refreshed data on a CCM dashboard, rather than having to create a point-in-time report or know how to reach this data through a product-specific portal, makes it practical for teams to see accurate metrics efficiently.
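To make the metric definitions concrete, here is an added example (not DataBee code, and not the SSC's) that computes an implementation metric and the completeness, consistency and timeliness effectiveness measures over a constructed asset inventory. The field names, the people directory, and the 30-day freshness window are this example's own assumptions; the asset checks mirror the ones named above: in-scope flag agreeing with cardholder-data handling, an owner who is still an active employee, a recorded location, and a record refreshed recently.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory and people directory (this example's own
# schema, not DataBee's). "zed" has left the company, so that owner is stale.
ASSETS = [
    {"id": "srv-pay-01", "handles_chd": True,  "pci_scope": True,  "owner": "ana", "location": "PHL-DC1", "last_seen": "2024-09-01T10:00:00Z"},
    {"id": "srv-pay-02", "handles_chd": True,  "pci_scope": False, "owner": "ana", "location": "PHL-DC1", "last_seen": "2024-09-01T09:00:00Z"},
    {"id": "ws-dev-17",  "handles_chd": False, "pci_scope": False, "owner": "bob", "location": "",        "last_seen": "2024-08-30T12:00:00Z"},
    {"id": "srv-pay-03", "handles_chd": True,  "pci_scope": True,  "owner": "zed", "location": "DEN-DC2", "last_seen": "2024-06-01T12:00:00Z"},
]
ACTIVE_STAFF = {"ana", "bob"}
NOW = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the numbers are repeatable


def check_asset(asset, now, max_age):
    """Return the control gaps for one asset; an empty list means it passes."""
    gaps = []
    # consistency: the in-scope flag must agree with whether the asset touches cardholder data
    if asset["handles_chd"] != asset["pci_scope"]:
        gaps.append("scope-flag-inconsistent")
    # completeness/accuracy: owner present and still an active employee, location recorded
    if asset["owner"] not in ACTIVE_STAFF:
        gaps.append("owner-missing-or-inactive")
    if not asset["location"]:
        gaps.append("location-missing")
    # timeliness: the inventory source refreshed this record inside the freshness window
    seen = datetime.fromisoformat(asset["last_seen"].replace("Z", "+00:00"))
    if now - seen > max_age:
        gaps.append("record-stale")
    return gaps


def pct(n, total):
    return round(100.0 * n / total, 1) if total else 0.0


def ccm_metrics(assets, now, max_age=timedelta(days=30)):
    gaps = {a["id"]: check_asset(a, now, max_age) for a in assets}
    total = len(assets)

    def count_without(*kinds):
        return sum(1 for g in gaps.values() if not any(k in g for k in kinds))

    return {
        # implementation metric: share of assets where every required attribute is correct
        "implementation_pct": pct(count_without("scope-flag-inconsistent", "owner-missing-or-inactive",
                                                "location-missing", "record-stale"), total),
        # effectiveness measures, one per attribute the SSC calls out
        "consistency_pct": pct(count_without("scope-flag-inconsistent"), total),
        "completeness_pct": pct(count_without("owner-missing-or-inactive", "location-missing"), total),
        "timeliness_pct": pct(count_without("record-stale"), total),
        # the per-asset drill-down a dashboard would show behind the percentages
        "gaps": {k: v for k, v in gaps.items() if v},
    }


if __name__ == "__main__":
    for key, value in ccm_metrics(ASSETS, NOW).items():
        print(key, value)
```

In a real CCM pipeline the inventory rows and the active-staff set come from the asset and HR feeds rather than literals, and the same four checks run on every refresh so the percentages move as records are fixed instead of being recomputed by hand before an assessment.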
The fourth recommendation is to “Assign Ownership for Coordinating Security Activities.” An “individual responsible for compliance (a Compliance Manager)” is the main point of this recommendation. However, the recommendation notes that the Compliance Manager should be “given adequate funding and resources… and granted the proper authority to effectively organize and allocate such resources.” The effective organization of resources could include delegating tasks throughout the organization to managers over units within the larger organization. This recommendation ends by noting that the organization must ensure that “the goals and objectives of its compliance program are consistently achieved despite changes in program ownership (i.e., employee turnover, change of management, organization merger, re-organization, etc.). Best practices include proper knowledge transfer, documentation of existing controls and the associated responsible individual(s) or team(s).”
Using the DataBee for CCM dashboards to assign accountability for assets and staff to the appropriate business units helps with this recommendation.
It clarifies the delegation of responsibility for assets and staff to the business unit’s management.
Furthermore, it would help drive the effective achievement of objectives of the compliance program during transitions in the Compliance Manager role.
Delegation of control compliance to the business unit’s management would enable them to continue with their tasks while a new Compliance Manager is hired and during the time needed for the Compliance Manager to adjust to their role.
“Emphasize Security and Risk Management to Attain and Maintain Compliance,” the fifth recommendation asserts that “PCI DSS provides a minimum set of security requirements for protecting payment card account data…,” and that “Compliance with industry standards or regulations does not inherently equate to better security.”
This point cannot be emphasized highly enough: “A more effective approach is to focus on building a culture of security and protecting an organization’s information assets and IT infrastructure and allow compliance to be achieved as a consequence.” The ongoing measurement of control implementation by CCM supports a culture of security. Organizations can use the information provided by DataBee for CCM to not only enable continuous reporting, but through it to support continuous remediation of control failures.
The next recommendation, “Continuously Monitor Security Controls,” describes how “the use of automation in both security management and security-control monitoring can provide a tremendous benefit to organizations in terms of simplifying monitoring processes, enhancing continuous monitoring capabilities, and minimizing costs while improving the reliability of security controls and security-related information.”
Ongoing monitoring of data that is frequently refreshed can be a core component for ongoing compliance. Ultimately, implementing a continuous controls monitoring program will help reduce extra workload as the PCI DSS assessment date approaches. DataBee for CCM is a tool that supports the necessary continuous monitoring.
The seventh recommendation, “Detect and Respond to Security Control Failures,” applies to two situations:
controls which have failed, but with no detectable consequences, and
control failures that escalate to security incidents.
PCI SSC notes that, “The longer it takes to detect and respond to a failure, the higher the risk and potential cost of remediation.” Continuous monitoring can help the organization to reduce the time it takes to detect a failed control.
Recommendation eight, “Maintain Security Awareness” speaks to the need to train the workforce, especially regarding how to respond to social engineering. Security training, both for the staff in general and role-based training for specific teams, is one of the requirements that DataBee for CCM reports on through its dashboards.
Recommendation nine is “Monitoring Compliance of Third-Party Service Providers,” and ten is “Evolve the Compliance Program to Address Changes.” A robust compliance program that is in place throughout the year can be more capable of evolving and adapting to change than an assessment focused program that allows controls to drift out of compliance between assessments. Continuous monitoring is key for combating compliance drift once an assessment has been completed.
After the ten recommendations, the main body of the document concludes with a section about the “Commitment to Maintaining Compliance.” Two of the key actions for maintaining continuous compliance are, “Assigning responsibility for ensuring the achievement of their security goals and holding those with responsibility accountable,” and “Developing tools, techniques, and metrics for tracking the performance and sustainability of security activities.” DataBee for CCM enables both these tasks.
The main theme of the “Best Practices for Maintaining PCI DSS Compliance” is that continuous compliance with PCI DSS that is maintained throughout the year is the goal. Ultimately, this helps improve the overall security posture of the organization. Making the required compliance activities business as usual tasks that are continuous throughout the year can also help with the specific goal of achieving a compliant result for a PCI DSS assessment when it comes due.
How DataBee for CCM fits in
We envisioned and realized DataBee for CCM as a fantastic fit for an evolving compliance program. Using the DataBee dashboards, with their continuously updated information that can be made accessible to everyone who needs to see it, helps free up time for GRC and other teams to focus on the evolution of the cybersecurity program. Given the rapid change in the cyber-threat landscape, and the frequent changes in security controls and regulatory requirements, turning report creation over to CCM to give time back to your people for higher-value work is a win for your organization.
DataBee for CCM helps by providing consistent data to all teams, GRC, executive management, business management, IT, etc., so that everyone is working from the same information. This helps to delegate control compliance, and clearly identify accountable and responsible parties. Furthermore, DataBee for CCM shows executives, GRC, business managers and others content for multiple controls, from many different tools, through a single interface (as opposed to GRC needing to create multiple reports, or business managers and others having to create their own, possibly erroneous, reports). Additional dashboards can be created to report on other controls that are in scope for PCI DSS, such as secure configuration, business continuity, and monitoring the compliance of third-party service providers. Any control for which data is available to create useful dashboard content is a candidate for a DataBee for CCM dashboard.
Enter the golden age of threat detection with automated detection chaining
During my time as a SOC analyst, triaging and correlating alerts often felt like solving a puzzle without the box or knowing if you had all the pieces.
My days consisted of investigating alerts in an always-growing incident queue. An investigation could start with a single high or critical alert and then hunt through other log sources to piece together what happened. I had to ask myself (and my team) whether this alert and that alert had any identifiable relationship or pattern with the ones we had investigated that day, even though the alerts looked unrelated on their own. Most investigations inevitably relied on institutional knowledge to find the pieces of the puzzle: searching by IP in one data source and by computer name in another. Finding the connections between low-and-slow attacks in near real time was a matter of chance, often discovered through threat-hunting efforts after the activity had slipped through the cracks of security operations. This isn’t an uncommon story, and it’s not new either: the same problems surfaced during the Target 2013 breach and the National Public Data Network 2024 breach.
That’s why we launched automated detection chaining as part of the DataBee for Security Threats solution. Using a patent-pending approach to entity resolution, the security data fabric platform can chain together alerts from disjointed tools that could be potentially tied to an advanced persistent threat, insider threat, or compromised asset. What I like to call a “super alert” is presented in DataBee EntityViews™, which aggregates alerts into a time-series, or chronological, view. Now it’s easier to find attacks that span security tools and the MITRE ATT&CK framework. With our out-of-the-box detection chain, you can automatically create a super alert before the adversary reaches the command-and-control phase.
Break free from vendor-specific detections with Sigma Rules
Once a security tool is fully deployed in the network and environment, it becomes near impossible to change out vendors without significant operational impact. The impact is more than just replacing the existing solution; it also means updating every upstream and downstream integration point, such as custom detection content or log parsers. This leads to potential gaps in coverage between the tooling that is deployed and the tooling that is desired. The way out is to normalize logging to a vendor-agnostic schema and then apply an open-source detection framework on top of it.
The DataBee platform automates migration to the Open Cybersecurity Schema Framework (OCSF), which has become increasingly popular with security professionals and is gaining adoption in some tools. Its vendor-agnostic approach standardizes disparate security logs and data feeds, giving SOC teams the ability to use their security data more effectively. Active detection streams in DataBee apply Sigma-formatted rules over security data that is mapped to a DataBee-extended version of OCSF, so they integrate into the existing security ecosystem with minimal customization. DataBee handles the translation from the Sigma taxonomy to OCSF, lowering the effort needed to adopt Sigma and supporting organizations on their journey to vendor-agnostic security operations. Sigma-formatted detections are imported and managed via GitHub, so detections can be treated as code. By breaking free of proprietary formats, teams can more easily use vendor-agnostic Sigma rules to gain security insights from across all their tools, including data stored in security data lakes and warehouses.
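The translation step above, as an added example that is not DataBee's code: a Sigma rule evaluated over OCSF-shaped process events. The Sigma-to-OCSF field mapping, the rule (a certutil download with an allowlisted parent process as the filter), and the four events are all constructed for this example; DataBee's extended-OCSF mapping is not shown on this page. The evaluator implements the common Sigma modifiers (contains, startswith, endswith, and the `all` list modifier), Sigma's case-insensitive string matching, and a condition expression with and/or/not and parentheses.

```python
# Sigma taxonomy field -> OCSF process activity path. Constructed for this
# example; a production mapping covers far more fields and event classes.
FIELD_MAP = {
    "Image": "process.file.path",
    "CommandLine": "process.cmd_line",
    "ParentImage": "process.parent_process.file.path",
    "User": "actor.user.name",
}

# A Sigma rule as it would look after loading from YAML in the detections repo.
RULE = {
    "title": "Certutil remote download (example rule)",
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "http"],
        },
        # assumed allowlist: a patch agent that legitimately drives certutil
        "filter": {"ParentImage|endswith": "\\patchagent.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed OCSF-shaped events (class_uid 1007 = Process Activity).
def _proc(uid, user, image, cmd, parent):
    return {"class_uid": 1007, "metadata": {"uid": uid}, "actor": {"user": {"name": user}},
            "process": {"file": {"path": image}, "cmd_line": cmd,
                        "parent_process": {"file": {"path": parent}}}}

EVENTS = [
    _proc("e1", "jdoe", "C:\\Windows\\System32\\certutil.exe",
          "certutil.exe -urlcache -split -f http://203.0.113.5/a.dll a.dll", "C:\\Windows\\System32\\cmd.exe"),
    _proc("e2", "jdoe", "C:\\Windows\\System32\\certutil.exe",
          "certutil.exe -hashfile setup.exe SHA256", "C:\\Windows\\System32\\cmd.exe"),
    _proc("e3", "SYSTEM", "C:\\Windows\\System32\\certutil.exe",
          "certutil.exe -urlcache -split -f http://203.0.113.9/p.cab p.cab", "C:\\Program Files\\Patch\\patchagent.exe"),
    _proc("e4", "asmith", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell -c Invoke-WebRequest http://203.0.113.5/x", "C:\\Windows\\explorer.exe"),
]


def get_path(obj, path):
    """Walk a dotted OCSF path; missing levels yield None (never match)."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def match_value(actual, expected, mods):
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()  # Sigma strings compare case-insensitively
    if "contains" in mods:
        return e in a
    if "endswith" in mods:
        return a.endswith(e)
    if "startswith" in mods:
        return a.startswith(e)
    return a == e


def match_selection(selection, event):
    """All keys in a selection must hold; list values are OR'd unless |all."""
    for key, expected in selection.items():
        name, *mods = key.split("|")
        actual = get_path(event, FIELD_MAP.get(name, name))
        values = expected if isinstance(expected, list) else [expected]
        hits = [match_value(actual, v, mods) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def eval_condition(cond, truth):
    """Tiny recursive-descent evaluator for 'a and (b or not c)' style conditions."""
    tokens = cond.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def expr():
        nonlocal pos
        v = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            r = term()
            v = v or r
        return v

    def term():
        nonlocal pos
        v = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            r = factor()
            v = v and r
        return v

    def factor():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            pos += 1  # consume ')'
            return v
        return truth[tok]

    return expr()


def rule_matches(rule, event):
    det = rule["detection"]
    truth = {k: match_selection(v, event) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], truth)


def run_detection(rule, events):
    return [e["metadata"]["uid"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(run_detection(RULE, EVENTS))
```

Only e1 fires: e2 is certutil without a download, e3 is the same download but launched by the allowlisted parent and is removed by the filter, and e4 downloads over HTTP with a different binary. Because the rule never names an OCSF field directly, swapping the EDR that produces the events only requires the mapping to change, not the detection content.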
The accidental insider threat
Accidental insider threats often begin with a phishing attack containing a malicious link or download that tricks the user. The malware is too new, or has morphed, to be caught by your endpoint detection. It then spreads to whatever other devices it can authenticate to. Detecting the scope of the malware’s lateral movement is challenging because there is so much noise to search through. With DataBee EntityViews, SOC teams can easily review the historical information connected to the organization’s real-world people and devices, giving them a way to trace the progression of events.
Looking at a user’s profile shows relevant business contexts that can aid the investigation:
Job Title to hint at what is normal behavior
Manager to know who to go to for questions or if action needs to be taken
Owned assets that may be worth investigating further
The Event Timeline shows the various types of OCSF findings associated with the user.
By scrolling through the list of findings, a SOC analyst can quickly identify several potential issues, including malware present on the workstation. Most notably, the MITRE ATT&CK detection chain has triggered. In this instance, multiple data sources alerted on different parts of the ATT&CK chain, producing a super alert. The originating events are maintained as evidence and are easily accessible to the analyst:
EntityViews also bring in events from devices that the current user owns, which helps simplify pulling together the whole story. In our example the device is the user’s laptop, so it is likely that all of the activity was carried out by the user:
The first thing of note is the unusual number of authentication attempts to devices that seem atypical for a developer, such as a finance server. As we continue to scroll through the user’s timeline, reviewing events from a variety of data sources, we finally come across our smoking gun. In this instance, we can see the phishing email whose link the user clicked, our initial point of compromise:
It’s clear the device has malware on it, and the authentication attempts imply that the malware was looking to spread further in the network. To visualize this activity, we can leverage the Related Entities graphical view in the Activity section of EntityViews. SOC analysts can use a graphical representation and animation of the activity to visualize the connections between the compromised user and the organization. The graph displays other users and devices that have appearances in security findings, authentication, and ownership events. In our example, we can see that the user has attempted to authenticate to some atypical devices such as an HR system:
Filtering enables more targeted investigations, like focusing on only the successful authentication attempts:
Visualizations such as this in DataBee enable more accurate, timely and complete investigations. From this view, the SOC analysts can select any entity to see their EntityView with the activity associated with the related users and devices. Rather than pivoting between multiple applications or waiting for data to be reprocessed, they have real-time access to information in an easy to consume format.
Customizing detection chains to achieve organizational objectives
Detection chains are designed to enable advanced threat modeling in a simple solution. They can be created in the DataBee platform using any kind of event that flows through the security data fabric. DataBee ships with two detection chains to get you started:
MITRE ATT&CK Chain: Detect advanced low and slow attacks that span the MITRE ATT&CK chain before reaching Command & Control.
Potential Insider Threat: Detect insider threats who are printing out documents, emailing personal accounts, and messing with files in the file share.
These chains serve as a starting point. The intent is that organizations add and remove chains based on their specific needs. For example, you may want to extend the potential insider threat rule to include more potential email domains or limit file share behavior to accessing files that contain trade secrets or sales information.
Automated detection chains are nearly infinitely flexible. By chaining together detections from the different data sources that align to different parts of the attack chain specific to a user or device, DataBee enables building advanced security analytics for hunting elusive APTs and getting ahead of pesky ransomware attacks.
Building a better way forward with DataBee
Every organization is different, and every SOC team has unique needs. DataBee’s automated detection chaining feature gives SOC analysts a faster way to investigate complex security incidents, enabling them to rapidly and intuitively move through vast quantities of historical data.
If you’re ready to gain the full value of your security data with an enterprise-ready security, risk, and compliance data fabric, request a custom demo to see how DataBee for Security Threats can turn static detections into dynamic insights.
You've reduced data, so what's next
Organizations often adopt data tiering to reduce the amount of data that they send to their analytics tools, like Security Information and Event Management (SIEM) solutions. By diverting data to an object store or a data lake, organizations are able to manage and lower costs by minimizing the amount of data that their SIEM stores. Although they achieve this tactical objective, the process creates data silos. While people can query the data in isolation, they often fail to glean collective insights across the silos.
Think of the problem like a large building with cameras across its perimeters. The organization can monitor each camera’s viewpoint, but no individual camera has the full picture, as any spy movie will tell you. Similarly, you might have different tools that see different parts of your security picture. Although SIEMs originally intended to tie together all security data into a composite, cloud applications and other modern IT and cybersecurity technology tool stacks generate too much data to make this cost-effective.
As organizations balance saving money with having an incomplete picture, a high-quality data fabric architecture can enable them to build more sustainable security data strategies.
From default to normalized
When you implement a data lake, the diverted data remains in its default format. When you try to paint a composite picture across these tools, you rely on what an individual data set understands or sees, leaving you to pick out individual answers from these siloed datasets.
Instead of asking a question once, you need to ask fragments of the question across different data sets. In some cases, you may have a difficult time ensuring that you have the complete answer.
With a security data fabric, you can normalize the data before landing it in one or more repositories. DataBee® from Comcast Technology Solutions uses extract, transform, and load processes to automatically parse security data, then normalizes it according to our extended Open Cybersecurity Schema Framework (OCSF) so that you can correlate and understand what’s happening in the aggregate picture.
By normalizing the data on its way to your data lake, you optimize compute and storage costs, eliminating some of the constraints arising from other data federation approaches.
Considering your constraints
Federation reduces storage costs, but it introduces limitations that can present challenges for security teams.
Latency
When you move data from one location to another, you introduce various time lags. Some providers will define the times per day or number of times that you can transfer data. For example, if you want data in a specific format, some repositories may only manage this transfer once per day.
Meanwhile, if you want to stream the data into a different format for collection, the reformatting can also create a time lag. A transformation and storage process may take several minutes, which can impact key cybersecurity metrics like mean time to detect (MTTD) or mean time to respond (MTTR).
When you query security datasets to learn what happened over the last hour, a (near) real-time data source will contribute to an accurate picture, while a delayed source may not have yet received data for the same period. As you attempt to correlate the data to create a timeline, you might need to use multiple data sources that all have different lag times. For example, some may be mostly real-time while another sends data five minutes later. If you ask the question at the time an event occurred, the system may not have information about it for another five minutes, creating a visibility gap.
Such gaps can create blind spots as you scale your security analytics strategy. The enterprise security team may be asking hundreds of questions across the data system, and the time delay can create a large gap between what you can see and what happened.
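A lag-aware completeness check for exactly this situation, added here as an illustration (it is not code from the original post or from DataBee). The source names, lag values and watermarks are constructed; the idea is that a query window should end where the slowest source you intend to correlate is known to be complete, and that any source still behind the window should be reported rather than silently contributing a partial answer:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: how far behind real time each source is known to run.
# The source names and lag values are assumptions for this example only.
SOURCE_LAG = {
    "edr": timedelta(seconds=30),
    "firewall": timedelta(minutes=5),
    "cloud_audit": timedelta(hours=24),   # exported once a day
}


def safe_query_end(now, lags, sources):
    """Latest instant for which every named source should already have
    delivered its events: 'now' minus the slowest of those sources' lags."""
    return now - max(lags[s] for s in sources)


def coverage_report(window_end, watermarks, lags, now):
    """Per source: has everything up to window_end arrived yet?

    A source's watermark is the newest event time it has delivered so far.
    When the watermark is behind window_end the window is incomplete, and the
    expected wait is the time until data for window_end should land."""
    report = {}
    for name, wm in watermarks.items():
        if wm >= window_end:
            report[name] = ("complete", timedelta(0))
        else:
            eta = window_end + lags[name]
            report[name] = ("incomplete", max(eta - now, timedelta(0)))
    return report


def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed watermarks: each source is exactly its usual lag behind now.
    watermarks = {name: now - lag for name, lag in SOURCE_LAG.items()}
    # Naive "what happened in the last hour?" asked right now: every source
    # still owes some of that hour.
    naive = coverage_report(now, watermarks, SOURCE_LAG, now)
    # Lag-aware version: end the window where the slower of the two fast
    # sources is known to be complete, so the two can be correlated safely.
    end = safe_query_end(now, SOURCE_LAG, ["edr", "firewall"])
    bounded = coverage_report(end, watermarks, SOURCE_LAG, now)
    return naive, bounded


if __name__ == "__main__":
    for label, rep in zip(("naive", "bounded"), demo()):
        print(label, {k: (s, str(w)) for k, (s, w) in rep.items()})
```

The once-a-day source stays incomplete in both reports, which is the point: a timeline that mixes it with near-real-time sources should say so, or exclude it, rather than present the gap as "nothing happened".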
Correlation
Correlating activities from across your disparate IT and security tools is critical. Data gives you facts about an event while correlation enables you to interpret what those facts mean. When you ask fragments of a question across data silos, you have no way to automate the generation of these insights.
For example, a security alert will give you a list of events including hundreds of failed login attempts over three minutes. While you have these facts, you still need to interpret whether they describe malicious actors using stolen credentials or a brute force attack.
To improve detections and enable faster response times, you need to weave together information like:
The IP address(es) involved over the time the event occurred
The user associated with the device(s)
The user’s geographic location
The network access permissions for the user and device(s)
You may be storing this data in different repositories without correlation capabilities. For example, you may have converged all DNS, DHCP, firewall, EDR, and Proxy data in one repository while combining user access and application data in another. To get a complete picture of the event, you need to make at least, although likely more than, two single-silo queries.
While you may have reduced data storage costs, you have also increased the duration and complexity of investigating incidents, which gives malicious actors more time in your systems, making it more difficult to locate them and contain the threat.
Weaving together federated data with DataBee
Weaving together data tells you what and when something happened, enabling insights into activity rather than just a list of records. With a fabric of data, you can interpret it to better understand your environment or gain insights about an incident. With DataBee, you can focus on protecting your business while achieving tactical and strategic objectives.
At the tactical level, DataBee fits into your cost management strategies because it focuses on collecting and processing your data in a streamlined affordable way. It ingests security and IT logs and feeds, including non-traditional telemetry like organizational hierarchy data, from APIs, on-premises log forwarders, AWS S3s, or Azure Blobs then automatically parses and maps the data to the OCSF. You can use one or more repositories, aligning with cost management goals. Simultaneously, data users can access accurate, clean data through the platform to build reliable analytics without worrying about data gaps.
The platform enriches your dataset with business policy context and applies patent-pending entity resolution technology so you can gain insights based on a unified, time-series dataset. This transformation and enrichment process breaks down silos so you can efficiently and effectively correlate data to gain real-time insights, empowering operational managers, security analysts, risk management teams, and audit functions.
The value of OCSF from the point of view of a data scientist
Data can come in all shapes and sizes. As the “data guy” here at DataBee® (and the “SIEM guy” in a past life), I’ve worked plenty with logs and data feeds in different formats, structures, and sizes delivered using different methods and protocols. From my experience, when data is inconsistent and lacks interoperability, I’m spending most of my time trying to understand the schema from each product vendor and less time on showing value or providing insights that could help other teams.
That’s why I’ve become involved in the Open Cybersecurity Schema Framework (OCSF) community. OCSF is an emerging but highly collaborative schema that aims to standardize security and security-related data to improve consistency, analysis, and collaboration. In this blog, I will explain why I believe OCSF is the best choice for your data lake.
The problem of inconsistency
When consuming enterprise IT and cybersecurity data from disparate sources, most of the concepts are the same (like an IP address or a hostname or a username) but each vendor may use a different schema (like the property names) as well as sometimes different ways to represent that data.
Example: How different vendors represent a username field

| Vendor | Raw Schema Representation |
|---|---|
| Vendor A (Firewall) | user.name |
| Vendor B (SIEM) | username |
| Vendor C (Endpoint) | usr_name |
| Vendor D (Cloud) | identity.user |
Even if the same property name is used, sometimes the range of values or classifications might vary.
Example: How different vendors represent “Severity” with different value ranges

| Vendor | Raw Schema Representation | Possible Values |
|---|---|---|
| Vendor A (Firewall) | severity | low, medium, high |
| Vendor B (SIEM) | severity | 1 (critical), 2 (high), 3 (medium), 4 (low) |
| Vendor C (Endpoint) | severity | info, warning, critical |
| Vendor D (Cloud) | severity | 0 (emergency) through 7 (debug) |
In a non-standardized environment, these variations require custom mappings and transformations before consistent analysis can take place. That’s why data standards can be helpful to govern how data is ingested, stored, and used, maintaining consistency and quality so that it can be used across different systems, applications, and teams.
How can a standard help?
In the context of data modeling, a "standard" is a widely accepted set of rules or structures designed to ensure consistency across systems. The primary purpose of a standard is to achieve normalization—ensuring that data from disparate sources can be consistently analyzed within a unified platform like a security data lake or a security information event management (SIEM) solution. From a cyber security standpoint, this becomes evident in at least a few common scenarios:
Analytics: A standardized schema enables the creation of consistent rules, models, and dashboards, independent of the data source or vendor. For example, a rule to detect failed login attempts can be applied uniformly, regardless of whether the data originates from a firewall, endpoint security tool, or cloud application.
Threat Hunting - Noise Reduction: With normalized fields, filtering out irrelevant data becomes more efficient. For instance, if every log uses a common field for user identity (like username), filtering across multiple log sources becomes much simpler.
Threat Hunting - Understanding the Data: Having a single schema instead of learning multiple vendor-specific schemas reduces cognitive load for analysts, allowing them to focus on analysis rather than data translation.
For log data, several standards exist. Some popular ones are: Common Event Format (CEF), Log Event Extended Format (LEEF), Splunk's Common Information Model (CIM), and Elastic’s Common Schema (ECS). Each has its strengths and limitations depending on the use case and platform.
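To make the two points above concrete (the four vendor shapes in the tables, and the claim that one detection rule can then be written once), here is an added example that is not DataBee's code or the project's parsers. It maps the four constructed vendor records onto an OCSF-shaped Authentication event, using the OCSF attribute path actor.user.name for the user and the base-event severity_id and status_id enumerations as I understand them (1 Informational .. 6 Fatal; 1 Success, 2 Failure); the per-vendor translations are my own assumptions, as are the "failed logon" markers for each product. The failed-login rule at the end never looks at a vendor field:

```python
from collections import Counter

# OCSF severity_id enumeration from the base event class (assumed here as
# 1 Informational, 2 Low, 3 Medium, 4 High, 5 Critical, 6 Fatal).
OCSF_SEVERITY = {1: "Informational", 2: "Low", 3: "Medium",
                 4: "High", 5: "Critical", 6: "Fatal"}


def syslog_to_ocsf(level):
    """Vendor D's syslog-style 0 (emergency) .. 7 (debug) onto severity_id."""
    level = int(level)
    if level <= 1:
        return 6          # emergency, alert
    if level == 2:
        return 5          # critical
    if level == 3:
        return 4          # error
    if level == 4:
        return 3          # warning
    if level == 5:
        return 2          # notice
    return 1              # informational, debug


# Per-vendor mapping: dotted path to the username, a severity translator, and
# the field/value pair that marks a failed logon. All four mappings are
# constructed for this example, not DataBee's real parsers.
VENDOR_MAP = {
    "vendor_a_firewall": {"user": "user.name",
                          "severity": lambda v: {"low": 2, "medium": 3, "high": 4}[v],
                          "status": "action", "failed": "deny"},
    "vendor_b_siem":     {"user": "username",
                          "severity": lambda v: {1: 5, 2: 4, 3: 3, 4: 2}[int(v)],
                          "status": "outcome", "failed": "failure"},
    "vendor_c_endpoint": {"user": "usr_name",
                          "severity": lambda v: {"info": 1, "warning": 3, "critical": 5}[v],
                          "status": "result", "failed": "FAILED"},
    "vendor_d_cloud":    {"user": "identity.user",
                          "severity": syslog_to_ocsf,
                          "status": "response.status", "failed": "DENIED"},
}


def get_path(record, dotted):
    """Walk a dotted path ('identity.user') through nested dicts; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_ocsf(vendor, raw):
    """Turn one raw vendor record into an OCSF-shaped Authentication event."""
    m = VENDOR_MAP[vendor]
    sev_id = m["severity"](get_path(raw, "severity"))
    failed = get_path(raw, m["status"]) == m["failed"]
    return {
        "class_name": "Authentication",
        "actor": {"user": {"name": get_path(raw, m["user"])}},
        "severity_id": sev_id,
        "severity": OCSF_SEVERITY[sev_id],
        "status_id": 2 if failed else 1,      # OCSF: 1 Success, 2 Failure
        "metadata": {"product": {"vendor_name": vendor}},
    }


def failed_logins_by_user(events, threshold):
    """One rule written once against the normalized fields: it counts failed
    authentications per user no matter which product reported them."""
    counts = Counter(e["actor"]["user"]["name"] for e in events if e["status_id"] == 2)
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed raw events, one per vendor shape from the tables above.
RAW_EVENTS = [
    ("vendor_a_firewall", {"user": {"name": "jdoe"}, "severity": "medium", "action": "deny"}),
    ("vendor_b_siem",     {"username": "jdoe", "severity": 2, "outcome": "failure"}),
    ("vendor_c_endpoint", {"usr_name": "jdoe", "severity": "warning", "result": "FAILED"}),
    ("vendor_d_cloud",    {"identity": {"user": "jdoe"}, "severity": 3,
                           "response": {"status": "DENIED"}}),
    ("vendor_d_cloud",    {"identity": {"user": "asmith"}, "severity": 6,
                           "response": {"status": "OK"}}),
    ("vendor_a_firewall", {"user": {"name": "asmith"}, "severity": "low", "action": "allow"}),
]


def demo(threshold=3):
    events = [to_ocsf(vendor, raw) for vendor, raw in RAW_EVENTS]
    return events, failed_logins_by_user(events, threshold)


if __name__ == "__main__":
    events, hits = demo()
    for e in events:
        print(e["metadata"]["product"]["vendor_name"], e["actor"]["user"]["name"],
              e["severity"], "FAIL" if e["status_id"] == 2 else "ok")
    print("users over threshold:", hits)
```

The translation tables are where the vendor knowledge lives; once an event is past to_ocsf, every downstream rule, dashboard and hunt query can be written against actor.user.name, severity_id and status_id alone.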
Why existing schemas like CEF and LEEF fall short
Common Event Format (CEF) and Log Event Extended Format (LEEF) are widely used schemas, but they are often too simplistic for modern data lake and analytics use cases.
Limited Fields: CEF and LEEF offer a limited set of predefined fields, meaning most log data ends up in custom fields, which defeats the purpose of a standardized schema.
Custom Fields Bloat: In practice, most data fields are defined as custom, leading to inconsistencies and a lack of clarity. This results in different interpretations of the same data types, complicating analytics.
Overloaded Fields: Without sufficient granularity, crucial data gets overloaded into generic fields, making it hard to distinguish between different event types.
Example: Overloading a single field like “message” to store multiple types of information (e.g., event description, error code) creates ambiguity and reduces the effectiveness of automated analysis.
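The custom-field problem is easy to see with a parser in hand. The following is an added example, not code from the original post or from DataBee; it parses the CEF header (seven pipe-separated fields after the CEF:Version prefix, with \| as the escape) and the key=value extension, then resolves the cs1..cs6, cn1..cn3 and flexString custom fields to their companion Label fields where the product supplied one. The two records are constructed: both products use cs1, but only one says what it holds, so the other value is flagged as ambiguous rather than silently mapped:

```python
import re

# Custom-field keys that CEF reserves for vendor-defined data; each may be
# accompanied by a "<key>Label" field saying what the product put there.
CUSTOM_KEYS = ({f"cs{i}" for i in range(1, 7)} | {f"cn{i}" for i in range(1, 4)}
               | {f"flexString{i}" for i in range(1, 3)})

# key=value pairs; a value runs until the next " key=" or end of line, so
# values containing spaces ("msg=Bad password") survive.
_EXT_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)")


def _unescape(text):
    return text.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Split a CEF line into its seven header fields and the extension dict."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    header = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    extension = {k: _unescape(v.strip()) for k, v in _EXT_RE.findall(parts[7])}
    return header, extension


def resolve_custom_fields(extension):
    """Rename csN/cnN/flexStringN to their label when the product supplied one.
    Returns the resolved dict and the list of custom keys left unlabeled,
    whose meaning now depends on knowing which product emitted the line."""
    resolved, ambiguous = {}, []
    for key, value in extension.items():
        if key.endswith("Label") and key[:-len("Label")] in CUSTOM_KEYS:
            continue                          # consumed together with its key
        if key in CUSTOM_KEYS:
            label = extension.get(key + "Label")
            if label:
                resolved[label] = value
            else:
                resolved[key] = value
                ambiguous.append(key)
        else:
            resolved[key] = value
    return resolved, ambiguous


# Constructed records from two made-up products of one vendor: both use cs1,
# but only ProductX says what it holds.
PRODUCT_X = (r"CEF:0|ExampleVendor|ProductX|1.0|100|Login failed|5|"
             r"src=10.0.0.1 suser=jdoe cs1=Finance cs1Label=Department msg=Bad password")
PRODUCT_Y = (r"CEF:0|ExampleVendor|ProductY|2.1|200|Login \| lockout|7|"
             r"src=10.0.0.2 suser=jdoe cs1=sess-4711 msg=Bad password")


def demo():
    out = {}
    for line in (PRODUCT_X, PRODUCT_Y):
        header, ext = parse_cef(line)
        resolved, ambiguous = resolve_custom_fields(ext)
        out[header["product"]] = (header, resolved, ambiguous)
    return out


if __name__ == "__main__":
    for product, (header, resolved, ambiguous) in demo().items():
        print(product, header["name"], resolved, "ambiguous:", ambiguous)
```

Once a field is only identifiable by (vendor, product, cs1) rather than by name, every consumer has to carry that per-product lookup, which is the "custom fields bloat" described above in one line of data.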
The limits of CIM and ECS: vendor-specific constraints
Splunk CIM and Elastic ECS are sophisticated schemas that better address the needs of modern environments, but they are tightly coupled to their respective ecosystems.
Proprietary Optimizations:
CIM: Although widely used within Splunk, CIM is proprietary and lacks an open-source community for contributions to the schema itself. Its design focuses on Splunk’s use cases, which can be limiting in broader environments.
ECS: While open-source, ECS remains heavily influenced by Elastic’s internal needs. For instance, ECS optimizes data types for Elastic’s indexing and querying, like the distinction between keyword and text fields. Such optimizations can be unnecessary or incompatible with non-Elastic platforms.
Field Ambiguity:
CIM uses fields like src and dest, which lack precision compared to more explicit options like source.ip or destination.port. This can lead to confusion and the need for additional context when performing cross-platform analysis.
Vendor-Centric Design:
CIM: The field definitions and categories are tightly aligned with Splunk’s correlation searches, limiting its relevance outside Splunk environments.
ECS: Data types like geo_point are unique to Elastic’s product features and capabilities, making the schema less suitable when integrating with other tools.
How OCSF addresses these challenges
The OCSF was developed by a consortium of industry leaders, including AWS, Splunk, and IBM, with the goal of creating a truly vendor-neutral and comprehensive schema.
Vendor-Neutral and Tool-Agnostic: OCSF is designed to be applicable across all logs, not just security logs. This flexibility allows it to adapt to a wide variety of data sources while maintaining consistency.
Open-Source with Broad Community Support: OCSF is openly governed and welcomes contributions from across the industry. Unlike ECS and CIM, OCSF’s direction is not controlled by a single vendor, ensuring it remains applicable to diverse environments.
Specificity and Granularity: The schema’s granularity aids in filtering and prevents the overloading of concepts. For example, OCSF uses specific fields like identity.username and network.connection.destination_port, providing clarity while avoiding ambiguous terms like src.
Modularity and Extensibility: OCSF’s modular design allows for easy extensions, making it adaptable without compromising specificity. Organizations can extend the schema to suit their unique use cases while remaining compliant with the core model.
In DataBee’s own implementation, we’ve extended OCSF to include custom fields specific to our environment, without sacrificing compatibility or requiring extensive custom mappings. For example, we added the assessment object, which can be used to describe data around 3rd party security assessments or internal audits. This kind of log data doesn’t come from your typical security products but is necessary for the kind of use cases you can achieve with a data lake.
Now that we have some data points about my own experiences with some of the industry’s most common schemas, it’s natural to share a visualization through a comparison matrix of OCSF and two leading schemas.
OCSF Schema Comparison Matrix

| Aspect | OCSF | Splunk CIM | Elastic ECS |
|---|---|---|---|
| Openness | Open-source, community and multi-vendor-driven | Proprietary, Splunk-driven | Open-source, but Elastic-driven |
| Community Engagement | Broad, inclusive community, vendor-neutral | Limited to Splunk community and apps | Strong Elastic community, centralized control |
| Flexibility of Contribution | Contributable, modular, actively seeks community input | No direct community contributions | Contributable, but Elastic makes final decisions |
| Adoption Rate | Early but growing rapidly across multiple vendors | High within Splunk ecosystem | High within Elastic ecosystem |
| Vendor Ecosystem | Broad support, designed for multi-vendor use | Splunk-centric, limited outside of Splunk | Elastic-centric, some third-party integrations |
| Granularity and Adaptability | Structured and specific but modular; balances adaptability with detailed extensibility | Moderately structured with more generic fields; offers broad compatibility but less precision | Highly granular and specific with tightly defined fields; limited flexibility outside Elastic environments |
| Best For | Flexible, vendor-neutral environments needing both detail and adaptability | Broad compatibility in Splunk-centric environments | Consistent, detailed analysis within Elastic environments |
The impact of OCSF at DataBee
In working with OCSF, I have been particularly impressed with the combination of how detailed the schema is and how extensible it is. We can leverage its modular nature to apply it to a variety of use cases to fit our customers' needs, while re-using most of the schema and its concepts. OCSF’s ability to standardize and enrich data from multiple sources has streamlined our analytics, making it easier to track threats across different platforms and ultimately helping us deliver more value to our customers. This level of consistency and collaboration is something that no other schema has provided, and it’s why OCSF has been so impactful in my role as a data analyst.
If we have ideas for the schema that might be usable for others, the OCSF community is receptive to contributions. The community is already brimming with top talent in the SIEM and security data field and is there to help guide us in our mapping and schema extension decisions. The community-driven approach means that I’m not working in isolation; I have access to a wealth of knowledge and support, and I can contribute back to a growing standard that is designed to evolve with the industry.
Within DataBee as a product, OCSF enables us to build powerful correlation logic which we use to enrich the data we collect. For example, we know we can track the activities of a device regardless of whether the event came from a firewall or from an endpoint agent, because the hostname will always be device.name.
Whenever our customers have any questions about how our schema works, the self-documenting schema is always available at ocsf.databee.buzz (which includes our own extensions). This helps to enable as many users as possible to gain security and compliance insights.
Conclusion
As organizations continue to rely on increasingly diverse and complex data sources, the need for a standardized schema becomes paramount. While CEF, LEEF, CIM, and ECS have served important roles, their limitations—whether in scope, flexibility, or vendor-neutrality—make them less ideal for a comprehensive data lake strategy.
For me as a Principal Cybersecurity Data Analyst, OCSF has been transformative and represents the next evolution in standardization. With its vendor-agnostic, community-driven approach, OCSF offers the precision needed for detailed analysis while remaining flexible enough to accommodate the diverse and ever-evolving landscape of log data.
The challenges of a converged security program
It’s commonplace these days to assume we can learn everything about someone from their digital activity; after all, people share so much on social media and over digital chats. However, advanced threats are more careful in their digital behavior. To catch them, therefore, combining insights from their actual day-to-day activities in the physical world with their digital communications and activity can give a better sense of whether there’s an immediate and significant threat that needs to be addressed.
Let’s play out this insider threat scenario. While it is set in the financial services sector, a security analyst could, with a little imagination, see its applicability to other sectors. An investment banking analyst, Sarah, badges into a satellite office on a Saturday at 7 pm. Next, she logs onto a workstation and prints 200 pages of materials. Each of these activities alone could look innocuous. But taken together, could there be something more going on?
As it turns out, Sarah tendered her resignation the prior Friday with 14 days notice. She leaves that Saturday night with two paper bags of confidential company printouts in tow to take to her next employer – a competing investment bank - to give her an edge.
A complete picture of her activity can be gleaned with logs from a few data sources:
HR data showing her status as pending termination, from a system like Workday or SAP
Badge reader logs
Sign in logs
Print logs
Video camera logs, from the entry and exit way of the building
While seemingly simple, piecing all this information together and taking steps to stop the employee’s actions or even recover the stolen materials is non-trivial. Today, companies are asking themselves, what type of technology is required to know that her behavior was immediately suspicious? And what type of security program can establish the objectives and parameters for quickly catching this type of insider threat?
What is a converged security program?
In the above scenario, sign-in logs and print logs alone aren’t necessarily suspicious. The suspicion level materially increases when you consider the combined context of her employment status with the choice of day and time to badge into the office. As such, converged security dataset analysis brings together physical security data points, such as logs from cameras or badge readers in the above example, and digital insights from activity on computers, computer systems or the internet. If these insights are normalized into the same dataset with clear consistency across user and device activity, they can be analyzed by physical security or cybersecurity analysts for faster threat detection. Furthermore, such collaboration can give way to physical and cybersecurity practitioners establishing a converged set of policies and procedures for incident response and recovery.
In his book, Roland Cloutier describes three important attributes of a converged security function:
One Table: everyone sitting together to discuss issues and create a sense of aligned missions, policies, and procedures for issue detection and response.
Interconnected Issue Problem Solving: identifying the problem as a shared mission and connecting resources in a way that resolves problems faster.
Link Analysis: bringing together data points about an issue or problem and correlating them to gain insights from data analytics.
Challenges of bringing together physical and information security
In today’s environment, the challenges of intertwining physical and digital security insights are substantial. Large international enterprises have campuses scattered across the world and a combination of in-office and remote workers. They may face challenges when employee data is fragmented across different physical and digital systems. Remote workers often don’t have physical security log information associated with their daily activity because they work from the confines of their homes, out of reach of corporate physical monitoring.
The modern workforce model further complicates managing physical and digital security as organizations contend with the:
Rise of remote work
Demise of the corporate network
Usage of personal mobile devices at work
Constant travel of business executives
A worker can no longer be tracked by movement in the building and on the corporate network. Instead, the person’s physical location and network connections change throughout the day. Beyond the technical challenges, organizations face hierarchical structure and human element challenges.
Many companies separate physical security from cybersecurity. One reason for this is that a different skillset may be required to stop the threats. Yet there is value in the two security leaders developing an operating model for collaboration centered on a global data strategy with consistent and complete insights from the physical security and cybersecurity tools.
Consider a model to do so that revolves around 3 principles:
Common data aggregation and analysis across physical and cybersecurity toolsets
Resource alignment for problem solving and response in the physical security org and the cybersecurity group.
A common set of metrics for accountability across the converged security discipline
Diverse, disconnected tools
This is the problem cybersecurity faces, but this time on a wider scale. Each executive purchases tools for monitoring within their purview. They get data.
However, they either fail to gain insights from it or any insights they do achieve are limited to the problem the technology solves.
Access is a good example:
Identity and Access Management (IAM): sets controls that limit and manage how people interact with digital resources.
Employee badges: set control for what facilities and parts of facilities people can physically access.
Returning to the insider threat that Sarah Smith poses: the CISO’s information security organization has visibility into sign-in and print logs but would have to collaborate with the CSO’s physical security group for badge logs. This process takes time and, depending on organizational politics, potentially requires convincing.
The siloed technologies could potentially create a security gap when the data remains uncorrelated:
The sign in and print logs alone may not sufficiently draw attention to Sarah’s activities in the CISO’s organization.
Badge in logs in the CSO’s organization may not draw an alert.
HR data, such as employment/termination status, may not be correlated in either the CISO’s or CSO’s available analytical datasets.
Without weaving the various data sources together into one story, Sarah’s behavior has a high risk of going completely undetected – by anyone.
In a converged program, IAM access and badge access would be correlated to improve visibility. In a converged program with high security data maturity, the datasets would provide a more complete picture with insights that correlate HR termination status, typical employee location, and more business context.
Resource constraints
The challenge of resource alignment often begins by analyzing constraints. Both physical and digital security costs money. Many companies view these functions as separate budgets, requiring separate sets of technologies, leadership, and resources.
Converged security contemplates synergies where possible overlaps can potentially reduce costs. For example:
Human Resources data: identifying all workforce members who should have physical and digital access.
IT system access: determining user access where HR is the source underlying Active Directory or IGA birthright provisioning and automatic access termination.
Building access: badges provisioning and terminating physical access according to HR status
The HR system, sign on system, and badge-in system each serve a separate recordation purpose, which can then provide monitoring functionality. However, by keeping insights from daily system usage separate, the data storage and analysis can grow redundant. As Cloutier notes, “siloed operations tend to drive confusion, frustration, and duplicative work streams that waste valuable resources and increase the load on any given functional area.” (24)
Instead, imagine if diverse recordation systems output data to a single location that parsed, correlated, and enriched data to create user profiles and user timelines so cross-functional teams with an interdisciplinary understanding of threat vectors could analyze it. In such an organization, this solution could
Reduce redundant storage.
Eliminate manual effort in correlating data sources from different systems.
Save analysts time by having all the data already in one spot (no need for gathering in the wake of an incident).
Allow for more rapid detection and response.
Metrics and accountability
Keeping physical security separate from cybersecurity can create the risk of disaggregated metrics and a lack of accountability. People must “compare notes” before making decisions, and the data may have discrepancies because everyone uses different technologies intended to measure different outcomes.
These data, tool, and operations silos can create an intricate, interconnected set of overlapping “blurred lines” across:
Personal/Professional technologies
Physical/Digital security functions
In the wake of a threat, the last thing people want to do is increase the time making decisions or argue over accountability, which can quickly spiral into conversations of blame.
Imagine, instead, a world in which the enterprise can make security a trackable metric. Being able to track an end goal – such as security, whether physical or digital – makes it easier to
Hold people accountable.
Make clear decisions.
Take appropriate action.
A trackable metric is only as good as the data that can back it up. Converged security centers around the concept of a global security data strategy that provides an open architecture for analyses that answer different questions while using a commonly accessed, unified data set that diverse security professionals accept as complete, valid, and the closest thing they can get to the “source of truth”.
Weaving together data for converged security with DataBee®
DataBee by Comcast Technology Solutions fuses together physical and digital security data into a data fabric architecture, then enriches it with additional business information, including:
Business policy context
Organizational hierarchy
Employment status
Authentication and endpoint activity logs
Physical badge and entrance logs
By weaving this data together, organizations achieve insights using a transformed dataset mapped to the DataBee-extended Open Cybersecurity Schema Framework (OCSF). DataBee EntityViews uses patent-pending entity resolution software that automatically unifies disparate entity pieces across multiple sources of information. This enables many analytical use cases at speed and low cost. One poignant use case is insider threat monitoring with a comprehensive timeline of user and device activity, inside a building and when connected to networks.
The DataBee security data fabric architecture solves the Sarah problem by weaving together in one timeline:
Her HID badge record from that Saturday’s office visit
The past several months of HR records from Workday showing her termination status.
Her Microsoft user sign-in to a workstation in the office
The HP print logs associated with her network ID and a time stamp.
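What the correlation looks like once those four sources share one user key, as an added example rather than DataBee's own logic: the records below are constructed (names, hosts, page counts and timestamps are all assumptions, and the field names are not DataBee's schema), the business-hours definition is assumed, and the rule fires only on the combination the scenario describes. Bob prints more pages than Sarah on a Thursday morning and is not flagged, because none of the surrounding context applies to him:

```python
from datetime import datetime, timedelta

# Constructed records for the scenario above. Names, systems and timestamps
# are assumptions for this example; the field names are not DataBee's schema.
HR_RECORDS = [
    {"user": "sarah", "status": "pending_termination", "time": datetime(2024, 3, 8, 16, 0)},
    {"user": "bob", "status": "active", "time": datetime(2024, 1, 15, 9, 0)},
]
BADGE_LOGS = [
    {"user": "sarah", "site": "satellite-office", "time": datetime(2024, 3, 9, 19, 2)},
    {"user": "bob", "site": "hq", "time": datetime(2024, 3, 7, 9, 30)},
]
SIGNIN_LOGS = [
    {"user": "sarah", "host": "ws-17", "time": datetime(2024, 3, 9, 19, 10)},
    {"user": "bob", "host": "ws-03", "time": datetime(2024, 3, 7, 9, 35)},
]
PRINT_LOGS = [
    {"user": "sarah", "pages": 200, "time": datetime(2024, 3, 9, 19, 25)},
    {"user": "bob", "pages": 250, "time": datetime(2024, 3, 7, 10, 0)},
]


def out_of_hours(t):
    """Weekend, or outside 08:00-18:00 on a weekday (assumed business hours)."""
    return t.weekday() >= 5 or not 8 <= t.hour < 18


def user_timeline(user, **sources):
    """Merge every source's records for one user into one time-ordered list.
    Each entry is (time, source_name, record), so an analyst reads the whole
    story in sequence instead of querying each silo separately."""
    merged = [(r["time"], name, r) for name, recs in sources.items()
              for r in recs if r["user"] == user]
    return sorted(merged, key=lambda entry: entry[0])


def insider_print_alerts(hr, badge, print_logs, page_threshold=100,
                         window=timedelta(hours=2)):
    """Alert when a user whose HR status is pending termination badges in out of
    hours and prints at least page_threshold pages within `window` of badging
    in. Any one of these facts alone is unremarkable; the combination is not."""
    leaving = {r["user"] for r in hr if r["status"] == "pending_termination"}
    alerts = []
    for p in print_logs:
        if p["user"] not in leaving or p["pages"] < page_threshold:
            continue
        entries = [b for b in badge if b["user"] == p["user"]
                   and out_of_hours(b["time"])
                   and timedelta(0) <= p["time"] - b["time"] <= window]
        if entries:
            alerts.append({"user": p["user"], "badge_in": entries[0]["time"],
                           "print_time": p["time"], "pages": p["pages"]})
    return alerts


def demo():
    alerts = insider_print_alerts(HR_RECORDS, BADGE_LOGS, PRINT_LOGS)
    timeline = user_timeline("sarah", hr=HR_RECORDS, badge=BADGE_LOGS,
                             signin=SIGNIN_LOGS, printer=PRINT_LOGS)
    return alerts, timeline


if __name__ == "__main__":
    alerts, timeline = demo()
    for when, source, record in timeline:
        print(when.isoformat(), source, record)
    print("alerts:", alerts)
```

The HR record is the piece that neither the CISO's nor the CSO's tooling would normally hold, and it is the one that turns three ordinary events into an alert; the rule is only writable once all four sources land in the same dataset keyed on the same user.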
DataBee empowers all security data users within the organization, including compliance, security, operations, and management. By creating a reliable, accurate dataset, people have fast, data-driven insights to answer questions quickly.
Vulnerabilities and misconfigurations: the CMDB's invasive species
“Knowledge is power.” Whether you attribute this to Sir Francis Bacon or Thomas Jefferson, you’ve probably heard it before. In the context of IT and security, knowing your assets, who owns them, and how they’re connected within your environment are fundamental first steps in understanding your environment and the battle against adversaries. You can’t place security controls around an asset if you don’t know it exists. You can’t effectively remediate vulnerabilities to an asset without insight into who owns it or how it affects your business.
Maintaining an up-to-date configuration management database (CMDB) is critical to these processes. However, manually maintaining the CMDB is unrealistic and error-prone for the thousands of assets across the modern enterprise; cloud technologies, complex networks, and devices distributed across in-office and remote workforce users all complicate the process. Adding to these challenges, the asset landscape is ever-changing: cloud assets, containers, and virtual machines can be ephemeral and become lost in the noise generated by the organization's hundreds of security tools. Additionally, most automation fails to link business users to assets, and many asset tools struggle to prioritize the assets that correlate to security events, so companies easily lose visibility and the ability to prioritize asset risk.
Most asset management, IT service management (ITSM), and CMDBs focus on collecting data from the organization’s IT infrastructure. They ingest terabytes of data daily, yet this data remains siloed, preventing operations, security, and compliance teams from collaborating effectively.
With a security data fabric, organizations can break down data silos to create trustworthy, more accurate analytics that provide them with contextual and connected security insights.
The ever-expanding CMDB problem
The enterprise IT environment is a complex ecosystem consisting of on-premises and cloud-based technologies. Vulnerabilities and misconfigurations are an invasive species of the technology world.
In nature, a healthy ecosystem requires a delicate balance of plants and organisms that all support one another. An invasive species that disrupts this balance can destroy crops, contaminate food and water, spread disease, or hunt native species. Without controlling the spread of invasive species, the natural ecosystem is at risk of collapse.
Similarly, the rapid adoption of cloud technologies and remote work models expands the organization’s attack surface by introducing difficult-to-manage vulnerabilities and misconfigurations. Traditional CMDBs and their associated tools often fail to provide the necessary insights for mitigating risk, remediating issues, and maintaining compliance with internal controls.
In the average IT environment, the enterprise may combine any of the following tools:
IT Asset Management: identify technology assets, from physical devices like cell phones to ephemeral assets like virtual machines and containers
ITSM: manage and track IT service delivery activities, like deployments, builds, and updates
Endpoint Management: manage and track patches, operating system (OS) updates, and third-party installed software
Vulnerability scanner: scan networks to identify security risks embedded in software, firmware, and hardware
CMDB: store information about devices and software, including manufacturer, version, and current settings and configurations
Software-as-a-Service (SaaS) configuration management: monitor and document current SaaS settings and configurations
Meanwhile, various people throughout the organization need access to the information that these tools provide, including the following teams:
IT operations
Vulnerability management
Security
Compliance
As the IT environment expands and the organization collects more security data, the delicate balance between existing tools and people who need data becomes disrupted by newly identified vulnerabilities and cloud configuration drift.
Automatically updating the CMDB with enriched data
In nature, limiting an invasive species’ spread typically means implementing protective strategies for the environment that contain and control the non-native plant or organism. Monitoring, rapid response, public education, and detection and control measures are all ways that environmentalists work to protect the ecosystem.
In the IT ecosystem, organizations use similar activities to mitigate risks and threats arising from vulnerabilities and misconfigurations. However, the time-consuming manual tasks are error-prone and not cost-efficient.
Connect data and technologies
A security data fabric ingests data from security and IT tools, automating and normalizing the inputs so that the organization can gain correlated insights from across a typically disconnected infrastructure. With a vendor-agnostic security data platform connecting data across the environment, organizations can break down the silos created by differing schemas and improve data integrity.
Improve data quality and reduce storage costs
By applying extract, transform, and load (ETL) pipelines to the data, the security data fabric enables organizations to store and load raw and optimized data. Flattening the data can reduce storage costs since companies can land it in their chosen data repository, like a data lake or warehouse. Further, the data transformation process identifies and can fix issues that lead to inaccurate analytics, like:
Data errors
Anomalies
Inconsistencies
Enrich CMDB with business information
Connecting asset data to real-world users and devices enables organizations to assign responsibility for configuration management. Organizations need to correlate their CMDB data with asset owners so that they can assign security issue remediation activities to the right people. By correlating business information, like organizational hierarchy data, with device, vulnerability scan, and ITSM data, organizations can streamline remediation processes and improve metrics.
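The ingest, normalize, and enrich steps above, put together as an added example that is not DataBee's own code: findings from a vulnerability scanner and configuration items from a CMDB export arrive with different field names and hostname casing, are normalized to one join key, merged per asset, and enriched with an owner from business data. The two export layouts, the org hierarchy, and the fallback rule (a CI with no named owner is assigned to its support group's lead) are constructed for illustration. An asset the scanner found but the CMDB does not know about is reported explicitly rather than silently dropped, since that is exactly the ephemeral asset the text says gets lost in the noise.

```python
"""Added example (not DataBee code): normalize asset records from a vulnerability
scanner and a CMDB export into one shape, merge them by asset, and assign an owner
from business data.

Assumptions: the two export layouts, the org hierarchy, and the rule that a CI with
no named owner falls back to its support group's lead are constructed for illustration.
"""
from collections import defaultdict

# Constructed scanner export: one row per finding, hostnames as the scanner saw them.
SCANNER_ROWS = [
    {"hostname": "APP-01.corp.example", "ip": "10.1.4.20", "finding": "outdated TLS library", "severity": "high"},
    {"hostname": "APP-01.corp.example", "ip": "10.1.4.20", "finding": "weak SSH ciphers", "severity": "medium"},
    {"hostname": "db-07.corp.example", "ip": "10.1.9.7", "finding": "missing OS patches", "severity": "critical"},
    {"hostname": "lab-vm-3", "ip": "10.9.0.3", "finding": "default credentials", "severity": "critical"},
]
# Constructed CMDB export: one row per configuration item, with different field names.
CMDB_ROWS = [
    {"ci_name": "app-01", "ci_owner": "E2001", "support_group": "platform", "env": "prod"},
    {"ci_name": "db-07", "ci_owner": None, "support_group": "dba", "env": "prod"},
]
# Constructed org hierarchy and support-group leads (the business-information join).
PEOPLE = {"E2001": {"name": "A. Patel", "manager": "E1001"},
          "E1001": {"name": "R. Gomez", "manager": None}}
GROUP_LEADS = {"dba": "E1001", "platform": "E1001"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def asset_key(name: str) -> str:
    """Common join key: short hostname, case-folded, so APP-01.corp.example == app-01."""
    return name.strip().lower().split(".")[0]


def normalize_cmdb(rows):
    """CMDB rows -> {key: {"hostname", "owner_id", "support_group", "env"}}."""
    return {asset_key(r["ci_name"]): {"hostname": asset_key(r["ci_name"]),
                                       "owner_id": r.get("ci_owner") or None,
                                       "support_group": r.get("support_group"),
                                       "env": r.get("env")} for r in rows}


def normalize_scanner(rows):
    """Scanner rows -> {key: [finding dicts]} with severities mapped to a numeric rank."""
    findings = defaultdict(list)
    for r in rows:
        findings[asset_key(r["hostname"])].append(
            {"ip": r["ip"], "finding": r["finding"], "severity": r["severity"],
             "rank": SEVERITY_RANK.get(r["severity"].lower(), 0)})
    return findings


def assign_owner(ci):
    """Return (owner_id, basis): the named CI owner first, then the support-group lead."""
    if ci is None:
        return None, "not in CMDB"
    if ci["owner_id"]:
        return ci["owner_id"], "ci_owner"
    lead = GROUP_LEADS.get(ci["support_group"])
    if lead:
        return lead, f"lead of support group {ci['support_group']}"
    return None, "no owner or group lead"


def enrich(scanner_rows, cmdb_rows):
    """One record per scanned asset, enriched with an owner and ordered by worst finding."""
    cmdb = normalize_cmdb(cmdb_rows)
    out = []
    for key, findings in normalize_scanner(scanner_rows).items():
        ci = cmdb.get(key)
        owner_id, basis = assign_owner(ci)
        out.append({
            "hostname": key,
            "in_cmdb": ci is not None,
            "env": ci["env"] if ci else None,
            "owner_id": owner_id,
            "owner_name": PEOPLE.get(owner_id, {}).get("name"),
            "owner_basis": basis,
            "finding_count": len(findings),
            "max_severity": max(findings, key=lambda f: f["rank"])["severity"],
            "max_rank": max(f["rank"] for f in findings),
        })
    return sorted(out, key=lambda a: (-a["max_rank"], a["hostname"]))


if __name__ == "__main__":
    for a in enrich(SCANNER_ROWS, CMDB_ROWS):
        print(f"{a['hostname']:10} {a['max_severity']:9} owner={a['owner_name']} ({a['owner_basis']})"
              f"{'' if a['in_cmdb'] else '  ** not in CMDB **'}")
```

The output is already a remediation queue: db-07 goes to the DBA group's lead because the CI has no named owner, app-01 goes to its named owner, and lab-vm-3 surfaces as a critical finding with no CMDB record at all, which is the gap to close first.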
Gain reliable insights with accurate analytics
Configuration management is a critical part of an organization’s compliance posture. Most security and data protection laws and frameworks incorporate configuration change management and security patch updating. With clean data, organizations can build analytics models to help improve their compliance outcomes. To enhance corporate governance, organizations use their business intelligence tools, like Power BI or Tableau, to create visualizations so that senior leadership teams and directors can make data-driven decisions.
Maintain Your CMDB’s delicate ecosystem with DataBee®
DataBee from Comcast Technology Solutions is a security data fabric that ingests data from traditional sources and feeds, then supplements it with business logic and people information. The security, risk, and compliance platform engages early and often throughout the data pipeline, leveraging metadata to adaptively collect, parse, correlate, and transform security data to align it with the vendor-agnostic DataBee-extended Open Cybersecurity Schema Framework (OCSF).
Using Comcast’s patent-pending entity resolution technology, DataBee suggests potential asset owners by connecting asset data to real-world users or devices so organizations can assign security issue remediation actions to the right people. With a 360-degree view of assets and devices, vulnerability and remediation management teams can identify critical and low-priority entities to help improve mean time to detect (MTTD) and mean time to respond (MTTR) metrics. The User and Device tables supplement the organization’s existing CMDB and other tools, so everyone who needs answers has them right at their fingertips.
Continuous controls monitoring (CCM): Your secret weapon to navigating DORA
Financial institutions are a critical backbone of local, regional, and global economies. As such, the financial services industry is highly regulated and often faces new compliance mandates and requirements. Threat actors target the industry because it manages and processes valuable customer personally identifiable information (PII) such as account, transaction, and behavioural data.
Maintaining consistent operations is critical, especially in an interconnected, global economy. To standardise processes for achieving operational resilience, the European Parliament passed the Digital Operational Resilience Act (DORA).
What is DORA?
DORA is a regulation passed by the European Parliament in December of 2022. DORA applies to digital operational resilience for the financial sector. DORA entered into force in January of 2023, and it applies as of January 17, 2025.
Two sets of rules, or policy products, provide the regulatory and implementation details of DORA. The first set of rules under DORA was published on January 17, 2024, and consists of four Regulatory Technical Standards (RTS) and one Implementing Technical Standard (ITS). It is worth noting that not all the RTSes contain controls that financial entities need to implement. For example, JC 2023 83, the “Final Report on draft RTS on classification of major incidents and significant cyber threats,” provides criteria for entities to determine whether a cybersecurity incident would be classified as a “major” incident according to DORA. The public consultation on the second batch of policy products is complete, and the feedback is being reviewed prior to publishing the final versions of the policies. Based on the feedback received from the public, the finalised documents will be submitted to the European Commission by July 17, 2024.
What is Continuous Controls Monitoring (CCM), and how can it help?
DORA has a wide-ranging set of articles, many of which require the implementation and monitoring of controls. Organisations can use a continuous controls monitoring (CCM) solution, which is an emerging governance, risk and compliance technology, to automate controls monitoring and reduce audit cost and stress. When choosing a CCM solution for DORA, consider a data fabric platform that brings together data from enterprise IT and cybersecurity tools and enriches it with business data to help organisations apply data analytics for measuring and reporting on the effectiveness of internal controls and conformance to laws and regulations. The following are examples of how CCM could be used to support DORA compliance.
Continuous Monitoring:
Article 9 of DORA, Protection and prevention, explains that to adequately protect Information and Communication Technologies (ICT) systems and organise response measures, “financial entities shall continuously monitor and control the security and functioning of ICT systems.” Similarly, Article 16, Simplified ICT risk management framework, requires entities to “continuously monitor the security and functioning of all ICT systems.”
Additionally, Article 6 requires financial entities to “minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.” It goes on to require setting clear objectives for information security that include Key Performance Indicators (KPIs), and to implement preventative and detective controls. Reporting on the implementation of multiple controls, combining compliance data with organizational hierarchy, and reporting on KPIs are all tasks that CCM excels at. When choosing a CCM solution for DORA, consider one that supports uninterrupted oversight of multiple controls by automating the ingestion of data, formatting it, and then presenting it to users through the business intelligence solution of their choice.
The articles of JC 2023 86, the “Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework,” contain many ICT cybersecurity requirements that are a natural fit to be measured by CCM. Here are some examples of these controls:
Asset management: entities must keep records of a set of attributes for their assets, such as a unique identifier, the owner, business functions or services supported by the ICT asset, whether the asset is or might be exposed to external networks, including the internet, etc.
Cryptographic key management: entities need to keep a register of digital certificates and the devices that store them and must ensure that certificates are renewed prior to their expiration.
Data and system security: entities must select secure configuration baselines for their ICT assets as well as regularly verifying that the baselines are in place.
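What continuous monitoring of those three controls looks like in practice, as an added example rather than DataBee's own checks: an asset register, a certificate register, and per-asset configuration evidence are constructed inline, and each control becomes a function that returns findings, which a summary function rolls up into the pass/fail status a dashboard would show. The required asset attributes, the 30-day renewal window, and the baseline settings are assumptions made for illustration. Two edge cases are handled deliberately: a boolean attribute set to False counts as present, not missing, and an asset with no configuration evidence at all fails the baseline control, because "regularly verifying that the baselines are in place" is not satisfied by silence.

```python
"""Added example (not DataBee code): continuous control checks for the three RTS
control areas above, run over constructed evidence.

Assumptions: the required asset attributes, the 30-day certificate renewal window,
the baseline settings and the evidence tables are all constructed for illustration.
"""
from datetime import date, timedelta

REQUIRED_ASSET_ATTRS = ("asset_id", "owner", "business_function", "internet_exposed")
RENEWAL_WINDOW = timedelta(days=30)  # assumption: renew when 30 days or less remain

# Constructed asset register.
ASSETS = [
    {"asset_id": "A-1", "owner": "E2001", "business_function": "payments", "internet_exposed": True},
    {"asset_id": "A-2", "owner": None, "business_function": "payments", "internet_exposed": False},
    {"asset_id": "A-3", "owner": "E2002", "business_function": "", "internet_exposed": True},
]
# Constructed certificate register: which device stores each certificate and when it expires.
CERTIFICATES = [
    {"serial": "01", "subject": "api.example", "stored_on": "A-1", "not_after": date(2024, 6, 30)},
    {"serial": "02", "subject": "internal.example", "stored_on": "A-2", "not_after": date(2024, 5, 1)},
]
# Constructed secure configuration baseline and the settings observed on each asset.
BASELINE = {"ssh.PasswordAuthentication": "no", "tls.MinVersion": "1.2", "audit.enabled": "yes"}
OBSERVED = {
    "A-1": {"ssh.PasswordAuthentication": "no", "tls.MinVersion": "1.2", "audit.enabled": "yes"},
    "A-3": {"ssh.PasswordAuthentication": "yes", "tls.MinVersion": "1.2"},  # drift plus a missing setting
}


def check_asset_attributes(assets):
    """Asset management: every required attribute must be present (False is a valid value)."""
    findings = []
    for a in assets:
        for attr in REQUIRED_ASSET_ATTRS:
            value = a.get(attr)
            if value is None or value == "":
                findings.append({"asset_id": a.get("asset_id"), "detail": f"missing {attr}"})
    return findings


def check_certificates(certs, today):
    """Key management: flag certificates that are expired or inside the renewal window."""
    findings = []
    for c in certs:
        remaining = c["not_after"] - today
        if remaining <= RENEWAL_WINDOW:
            state = "expired" if remaining.days < 0 else f"expires in {remaining.days} days"
            findings.append({"asset_id": c["stored_on"],
                             "detail": f"certificate {c['serial']} ({c['subject']}) {state}"})
    return findings


def check_baselines(assets, baseline, observed):
    """Data and system security: every asset must show evidence matching the baseline."""
    findings = []
    for a in assets:
        cfg = observed.get(a["asset_id"])
        if cfg is None:
            findings.append({"asset_id": a["asset_id"], "detail": "no configuration evidence collected"})
            continue
        for key, expected in baseline.items():
            actual = cfg.get(key)
            if actual != expected:
                findings.append({"asset_id": a["asset_id"],
                                 "detail": f"{key}={actual!r}, baseline {expected!r}"})
    return findings


def control_summary(today):
    """Per-control status in the shape a dashboard would present it."""
    results = {
        "asset_management": (check_asset_attributes(ASSETS), len(ASSETS)),
        "key_management": (check_certificates(CERTIFICATES, today), len(CERTIFICATES)),
        "secure_baseline": (check_baselines(ASSETS, BASELINE, OBSERVED), len(ASSETS)),
    }
    return {name: {"checked": checked,
                   "failed_assets": len({f["asset_id"] for f in findings}),
                   "status": "pass" if not findings else "fail",
                   "findings": findings}
            for name, (findings, checked) in results.items()}


if __name__ == "__main__":
    for name, r in control_summary(date.today()).items():
        print(f"{name:17} {r['status']:4} ({r['failed_assets']}/{r['checked']} assets failing)")
        for f in r["findings"]:
            print(f"    {f['asset_id']}: {f['detail']}")
```

Because every finding carries an asset id, the same result feeds both the executive roll-up (how many assets fail each control) and the manager's detail view (which asset, which setting, how many days until the certificate lapses) that the following sections describe.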
A CCM solution built on a platform that correlates technical and business data supports security, risk, and compliance teams in building accurate, reliable reports to help measure compliance. It provides consistent visibility into control status across multiple teams throughout the organisation. This reduces the need to report on controls in spreadsheets and across multiple dashboards, helping business leaders make more immediate and data-driven governance decisions about their business.
Executive Oversight:
Financial entities are required to have internal governance to ensure the effective management of ICT risk (Article 5, Governance and organisation). CCM solutions that integrate with business intelligence solutions, like Power BI and Tableau, to build executive dashboards and data visualizations can provide an overview of multiple controls through a single display.
Roles and Responsibilities:
DORA Article 5(2) requires management to “set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions.” A CCM solution that combines organisational hierarchy with control compliance data makes roles and responsibilities explicit, which helps improve accountability across risk, management, and operations teams. That is, a manager using CCM does not have to guess which assets or people belonging to their organisation are compliant with corporate policy or regulations. Instead, they can easily view their compliance status.
CCM dashboards and detail views provide the specifics about any non-compliant assets such as the asset name, and details of the controls for which the asset is non-compliant. Similarly, CCM can communicate details about compliance for a manager’s staff, such as if mandatory training has been completed by its due date, or who has failed phishing simulation tests.
Coordination of multiple teams:
As the FS-ISAC DORA Implementation Guidance notes, “DORA introduces increased complexity and requires close cross-team collaboration. Many DORA requirements cut across teams and functions, such as resilience/business continuity, cybersecurity, risk management, third-party and supply chain management, threat and vulnerability management, incident management and reporting, resilience and security testing, scenario exercising, and regulatory compliance. As a result, analysing compliance and checking for gaps is challenging, particularly in large firms.”
CCM helps with cross-team collaboration by providing a common, accurate, and consistent view of compliance data, which can reduce overall compliance costs. GRC teams are no longer tasked with creating and distributing multiple reports for various teams and trying to keep them consistent and timely, and business teams are no longer responsible for pulling their own reports, which eliminates inconsistent or inaccurate reporting caused by inexperience with the reporting product, reports run with different parameters or on different dates, or other differences and errors. CCM resolves this because it makes the same content, built from the same source data at the same point in time, available to all users.
5 ways DataBee can help you navigate DORA
The requirements of DORA are organised under five pillars. How does DataBee help enterprises comply with each of them?
1. Information and Communication Technologies (ICT) risk management requirements (which include ICT Asset Management, Vulnerability and patch management, etc.)
DataBee’s Continuous Controls Monitoring (CCM) delivers continuous risk scores and actionable risk mitigation, helping financial entities to prioritize remediation for at-risk resources.
2. ICT-related incident reporting
DORA identifies what qualifies as a “major incident” that must therefore be reported to competent authorities. This is interesting compared to the cybersecurity incident reporting requirements of the U.S. Securities and Exchange Commission (SEC), which are based on materiality but do not provide details about what is or is not material. DORA includes criteria to determine whether the incident is “major.” Some examples are whether more than 10% of all clients or more than 100,000 clients use the affected service, or whether more than 10% of the daily average number of transactions are affected. Additionally, if a major incident does need to be reported, DORA specifies the information that financial entities must provide. This includes data fields such as the date and time the incident was detected, the number of clients affected, and the duration of the incident. A security data fabric such as DataBee can help provide many of the measurable data points needed for the incident report.
3. ICT third-party risk
DataBee for CCM provides dashboards to report on the controls used for the management and oversight of third-party service providers. These controls are implemented to manage and mitigate risk due to the use of third parties.
4. Digital operational resilience testing (Examples include, vulnerability assessments, open-source analyses, network security assessments, physical security reviews, source code reviews where feasible, end-to-end testing or penetration testing.)
DORA emphasizes digital operational resilience testing. DataBee supports this by aggregating and simplifying the reporting for control testing and validation. DataBee’s CCM dashboards provide reporting for multiple controls using an interface that is easily understood, and which business managers can use to readily assess their unit’s compliance with controls required by DORA.
5. Information sharing
As with incident reporting, the data fabric implemented by DataBee supports information sharing. DataBee can economically store logs and other contextual data for an extended period. DataBee makes this data searchable providing the ability to locate, and at the organization’s discretion, exchange cyber threat information and intelligence with other financial entities.
100% exciting, 100 people strong (and growing)
When you join an organization the size of Comcast, it’s easy for outsiders to see only “Fortune 29 Company!” or “huge enterprise!”. But tell that to the DataBee team – we’ve been in start-up land since October 2022. And it’s been an exciting ride!
DataBee® is a security, risk and compliance data fabric platform inspired by a platform created internally by Comcast’s global CISO, Noopur Davis, and her cybersecurity and GRC teams. They got such amazing results from the platform that they built and operated for 5 years—from cost savings to faster threat detection and compliance answers, to name a few—that Comcast executives saw the potential to create a business around this emerging technology space. What could provide a better product market fit than real business outcomes from a large, diversified global enterprise data point?
That was back in 2022, and the beginning of the DataBee business unit, which was built and created within Comcast Technology Solutions to bring this security data fabric platform to market. Initially funded with just enough to begin testing the market, it didn’t take long to realize that the opportunity for DataBee was auspicious, and substantial additional financing was provided by Comcast’s CEO in May 2023. One year after raising substantial additional financing from Comcast, I’m proud to say that DataBee has passed the 100-team-member milestone (and growing). I believe it's one of the most exciting cybersecurity start-ups out there. Times ten. (Ok, that’s my enthusiasm spilling over 😉.)
As challenging as fundraising is, staffing a team as large and talent-diverse as DataBee has been no small feat, and we’ve done it relatively quickly, across three continents and five countries, no less. Part of that challenge has been overcoming preconceived notions of who and what Comcast is, especially when you’re recruiting people from the cybersecurity industry. “Wait, what??? Comcast is in the enterprise security business??!!” Yes!
Here's what I’ve learned about hiring on the scale-up journey:
Focus on the mission. Your mission can be the most attractive thing about your business, especially when you’ve zeroed in on addressing an unmet need in the market. In the case of DataBee, our mission has been to connect security data so that it works for everyone. So many talents on the DataBee team have been compelled by the idea of solving the security data problem – too much data, too dispersed, in too many different formats to provide meaningful insights quickly to anyone who needs them. To play a role in fixing this problem? It’s intoxicating.
Look for people who seek the opportunity for constant learning and creativity. “Curiosity” appears at the top of the list of essential qualities in a successful leader, and I understand why. I think of curiosity as a hunger for constant learning and creativity, as well as the courage to explore uncharted territory, and these have been qualities I’ve been looking for as I staff up the DataBee team. These traits aren’t reserved for leaders only; I see them in practice across the whole team, from individual contributors all the way up to department leaders, and I know it’s having a big impact on our ability to rapidly innovate and build solutions that matter. (High energy doesn’t hurt either!)
Be a kind person. The number one thing I hear from my new hires is that they are taken aback by what a nice team I have. This makes me very happy and a little sad all at the same time: happy because I love knowing that the “be a kind person” rule is being put into practice across the DataBee team, but sad because it means that some of our new hires have not experienced kindness in previous jobs. Kindness and competency are not mutually exclusive things, and an environment of benevolence can foster creativity and success.
The funding we’ve received, and the strength, size, and rapid growth of the DataBee team is a testament to the fact that we’ve identified and are working to solve a very real problem being faced by many organizations – data chaos. It’s a problem that exists especially in security, but the rabid interest in artificial intelligence (AI) reminds us that we need to look beyond security data to all data, to ensure that good, clean, quality data is feeding AI systems. For AI to really work its magic, it needs quality data training so that it can deliver amazing experiences.
DataBee is 100 strong and growing, and our security data fabric platform, which is already helping customers manage costs and drive efficiencies, keeps evolving so it can help organizations continue the “shift left” to the very origins of their data. The goal is that quality data woven together, enriched, and delivered by DataBee will ultimately fuel AI systems and help business and technology leaders across the spectrum glean the insights they need for security, compliance, and long-term viability.
DataBee's guide to sweetening your RSAC experience
Noopur Davis, Comcast’s Chief Information Security Officer, recently talked about bringing digital transformation to cybersecurity, where she stated, “The questions we dare to ask ourselves become more audacious each day.” In cybersecurity, this audacity is the spark that ignites innovation. By embracing bold questions answered by connected security data, we can unlock new ideas that transform how we defend our digital world.
This is particularly fitting as the theme for this year's RSA Conference is "The Art of Possible”. With data being so abundant, it’s essential to have immediate and continuous insights to be data-directed when making business decisions and staying ahead of today’s threats, to better enable you in foreseeing tomorrow’s challenges.
Organizations, however, still struggle to pull together and integrate security data into a common platform. This year Techstrong Research surveyed cybersecurity professionals in a Pulsemeter report that offers a glimpse into security data challenges and how security data fabrics herald a new era in security data management. According to the survey, 44% of respondents have only 0-50% of their security data integrated. This can result in:
Lack of visibility into security and compliance programs
Data explosions and silos
Challenges with evolving regulations and mandates
Difficulties performing analytics at scale
Exorbitant data storage and computing costs
DataBee® from Comcast Technology Solutions can help overcome these challenges and assist in regaining control over your security data. The DataBee Hive Platform has brought technology to the market that can help with automating data ingestion, validating data quality, and lowering processing costs. This can lead to:
Improved collaboration by working on the same data set
More immediate and connected security data insights
More consistent and accurate compliance dashboards
Better data to power your AI initiatives and capabilities
DataBee is excited to participate in RSAC 2024 and help you achieve these outcomes for your organization.
Where to meet DataBee in Moscone Center
We're thrilled to showcase the DataBee Hive, a security, risk, and compliance data fabric platform designed to deliver connected security data that works for everyone. Buzz by Moscone North Hall and visit our booth #5278. We’ll be showcasing:
How to cost-optimize your SIEM
How to reduce security audit stress
How to make your CMDB more complete
How to get a 360-degree activity view of any asset or user
And more!
Is the expo floor too busy or noisy? You can meet us one-on-one at Marriott Marquis by reserving a more personal conversation with the team.
Make your RSA Conference attendance a reality
Here's the deal: we want you there! DataBee has two fantastic options to help you attend; claim your ticket at the RSA Conference website:
🎟️ Free RSA Conference Expo Pass: 52ECMCDTABEXP
🎟️ Discounted Full RSA Conference Pass - Save $150 with code: 52FCDCMCDTABE
Snowflake, DataBee, and Comcast
But wait, there's more! Join us for an evening of conversations, networking, and relaxation at our reception on May 8th, co-hosted with Comcast Ventures, Comcast Business, and Snowflake.
Date: Wednesday, May 8th, 2024
Time: 5:00 pm - 7:00 pm
After you register, keep an eye out for your confirmation email, which will include all the insider details on where to find us. This is your chance to unwind, network with fellow attendees, and forge valuable connections in a more relaxed setting. Register here to secure your spot and receive the location details.
Let's make your RSAC experience the best yet!
The DataBee team is eager to meet you and explore ways we can contribute to your organization's security data maturity journey. We invite you to visit us at booth #5278, network with us at the private reception, grab a photo with our mascot, and snag some bee-themed giveaways! We look forward to seeing you there!
All SIEMs Go: stitching together related alerts from multiple SIEMs
Today’s security information and event management (SIEM) platforms do more than log collection and management. They are a critical tool that security analysts and teams use to run advanced security analytics and deliver unified threat detection and search capabilities.
A SIEM’s original purpose was to unify security monitoring in a single location so that security operations centers (SOCs) could correlate event information to detect and investigate incidents faster. SIEMs often require specialized skills, because fine-tuning logs and events for correlation and analysis means working in vendor-specific, proprietary query languages and schemas.
For some enterprises and agencies, it is not uncommon to see multiple SIEM deployments that help meet unique aspects of their cybersecurity needs and organizational requirements. Organizations often need to:
federate alerts
connect related alerts
optimize their SIEM deployments
Managing multiple SIEMs can be a challenge even for the most well-funded and skilled security organizations.
The business case for multiple SIEMs
For a long time, SIEMs worked. However, cloud adoption and high-volume data sources like endpoint detection and response (EDR) tools threw traditional, on-premises SIEMs a curveball, especially given ingestion-based pricing and the cost of on-premises SIEM storage.
While having one SIEM to rule them all (your security logs) is a nice-to-have, organizations often find themselves managing a multi-SIEM environment for various reasons, including:
Augmenting an on-premises SIEM with Software-as-a-Service (SaaS) solutions to manage high-volume logs.
Sharing a network infrastructure with a parent company managing its SIEM while needing visibility into subsidiaries managing their own.
Acquiring companies through mergers and acquisitions (M&A) that have their own SIEMs.
Storing log data’s personally identifiable information (PII) in a particular geographic region to comply with data sovereignty requirements.
Multiple SIEM aggregation with DataBee
Complexity can undermine security operations by causing missed alerts or security analyst alert fatigue. DataBee® from Comcast Technology Solutions ingests various data sources, including directly from SaaS and on-premises SIEMs, stitching together related event context or alerts to help streamline the identification and correlation process. Alerts are enriched with additional logs and data sources, including business context and asset and user details. With a consistent and actionable timeline across SIEMs, organizations can optimize their investments and mature their security programs.
Normalization of data
An organization with SaaS and on-premises SIEM deployments may want to federate alerts and access to the data across the multiple SIEMs. Without that, it is difficult to aggregate notable events during investigations.
DataBee can receive data from multiple sources including SaaS and on-premises SIEMs. DataBee normalizes the data and translates the original schema into an extended Open Cybersecurity Schema Framework (OCSF) format before sending it to the company’s chosen data repository, like a security data lake. By standardizing the various schemas across multiple SIEMs, organizations can better manage their detection engineering resources by writing rules once to cover multiple environments.
Enhanced visibility and accountability
With proprietary and patent-pending entity resolution technology, DataBee EntityViews ties together the various identifiers for entities, like users and devices, then uses a single identifier for enrichment into the data lake. With entity resolution, organizations can automatically correlate activity across numerous sources together and use that both in entity timelines as well as UEBA models.
Cost optimization for high-volume data sources
The adoption of cloud technologies and endpoint detection and response (EDR) has considerably impacted SIEM systems, creating a notable challenge due to the sheer volume of data generated. This surge stems from the breadth of endpoint telemetry EDR collects to cover the techniques and sub-techniques outlined in the MITRE ATT&CK framework. While EDR solutions offer heightened visibility into endpoint activities, this influx of data overwhelms traditional SIEM architectures, leading to performance degradation and an inability to effectively process and analyze events. Leveraging the cost-effective storage offered by data lakes presents a viable solution to this conundrum.
By utilizing data lakes, organizations can store vast amounts of EDR data at scale. This approach not only alleviates the strain on SIEM systems, but also facilitates deeper analysis and correlation of security events, empowering organizations to extract actionable insights and bolster their cyber defense strategies. Integrating EDR with data lakes thus emerges as a promising paradigm for managing the deluge of security data while maximizing its utility in threat detection and response.
Real-Time detection streams
DataBee uses vendor-agnostic Sigma rules that allow organizations to get alerts for data, including forwarded data like DNS records. If the SOC team wants to receive alerts without having to store the data in the SIEM, the detections can be output into the data lake or any SIEM or security orchestration, automation, and response (SOAR) solution, including the original SIEM forwarding the data. By building correlated timelines across user activity between multiple SIEMs, organizations can gain flexibility across SIEM vendors so they can swap between them or trade them out, choosing the best technologies for their use cases rather than the ones that integrate better with current deployments.
Ready to bring together related alerts from multiple SIEMs? Let's talk!
Seeing the big (security insights) picture with DataBee
The evolution of digital photography mimics the changes that many enterprise organizations face when trying to understand their cybersecurity controls and compliance posture. Since the late 1990s, technology has transformed photograph development from an analog, manual process into a digital, automated field. These images hold our memories, storing points in time that we can look back on and learn from. Cybersecurity, in turn, is experiencing a similar transformation.
When you consider the enterprise data pipeline problem that DataBee® from Comcast Technology Solutions aims to solve through the everyday lens of creating, storing, managing, and retrieving personal photos, the platform’s evolutionary process and value makes more sense.
Too many technologies generating too much historical data
Portable, disposable Kodak cameras were all the rage in the 1990s, but it could be days or weeks before you could see what you snapped because the film needed to be sent for processing.
Over the 2000s, however, these processes increasingly turned digital, accelerating results dramatically. While high-quality, professional-grade digital cameras aren’t in danger of becoming obsolete, once cell phones with integrated cameras hit the market, they became an easy on-the-go way to capture life’s historical moments, whereas a film picture might not be developed for days or weeks, or ever, if it was left on the roll. Today, people use their smartphones to capture everything from family gatherings to vacation selfies instantly, with even more depth and quality.
At Comcast, we faced a similar enterprise technology and security data problem. Just as people handle different kinds of images and the technologies that produce them, we have vast amounts of technologies that generate security data. It’s a fragmented, complicated environment that needs to handle rapidly expanding data.
Across the enterprise, Comcast stores and accesses increasingly larger amounts of data, including:
8000 month-by-month scans
1.7 million IPs targeted monthly for vulnerability scanning
7 cloud or hybrid cloud environments
10 petabytes worth of data in our cybersecurity data lake
109 billion monthly application transactions
Finding the right moment in time
Let’s play out a scenario: You let your friend in on a stage in your life where you had bright red hair. Their response? “Pics or it didn’t happen.” To track down the historic photo, it takes immense effort to:
Figure out the key context about where and when it was captured.
Find the source of where the photo could be – is it on a hard drive? In a cloud photo album? A tagged image in your social media profile?
Identify the exact photo you need within the source (especially if it is not labeled).
Comcast faced a similar data organization and correlation problem in its audits and its threat hunting. While we were drowning in data, we found that at the same time we were starved for insights. We were trying to connect relevant data to help build a timeline of activity for a user or device, but as the data kept growing and security tools kept changing, we found the data was incomplete or took weeks of work to normalize and correlate.
We faced many challenges when trying to answer questions, and fractured data sources compounded this problem. Some of the questions we were asking were: do all employees have their EDR solution enabled? Which user has the highest number of security severities associated with them across all their devices? Several obstacles stood in the way of answering these questions quickly and accurately, such as:
People maintaining spreadsheets that become outdated as soon as they’re pulled.
People building Power BI or Tableau reports without having all the necessary data.
Reports that could only be accessed from inside an application's console, limiting the ability to connect them to other meaningful security telemetry and data.
Auditing complex questions can be unexpectedly expensive and time consuming because data is scattered across vast, siloed datasets.
Getting security insights
Going back to the scenario where pictures are stored on all these disparate devices, it initially seems like a reasonable solution to just consolidate everything on an external hard drive. But, to do that, you must know each device’s operating system and how to transfer the images over. They differ in file size, file type, image quality, and naming convention. While one camera dates a photo as “Saturday January 1, 2000,” another uses “1 January 2000.” In some cases, the images contain more specific data, like hour, minute, and second. Consolidating the pictures in cloud-based storage platforms only solves the storage issue – you still have to manage the different file formats and attached metadata to organize them by the actual date a picture was taken rather than the date a batch of photos was uploaded.
Translating this to the security data problem, many organizations find that they have too much data, in too many places, created at too many different times. And said data are in different file types, unique formats, and other proprietary ways of saying the same thing. Consolidating and sorting data becomes chaotic.
As a security, risk, and compliance data fabric platform, DataBee ingests, standardizes, and transforms the data generated by these different security and IT technologies into a single, connected dataset that’s ready for security and compliance insights. This is surprisingly like adding a picture to your “Favorite” folder for easy access. Organizations need to accurately and quickly answer questions about their security and compliance.
The objective at Comcast was to solve the challenge of incomplete and inaccurate insights caused by siloed data stores. DataBee provides the different security data consumers access to analytics-derived insights. The end result enables consistent, data-driven decision making across teams that need accurate information about data security and compliance, including:
Chief Information Security Officer (CISO)
Chief Information Officer (CIO)
Chief Technology Officer (CTO)
Chief Data Officer (CDO)
Governance, Risk, and Compliance (GRC) function
Business Information Security Officer (BISO)
While those people need the insights derived from the platform, we also recognized that the regular users would inhabit many roles:
Threat hunters
Data engineers
Data scientists
Security analytics and engineering teams
To achieve these objectives, we started looking at the underlying issue: the data, its quality, and its accessibility. At its core, DataBee delivers ready-to-use content and is a transformation engine that ingests, auto-parses, normalizes, and enriches security data with business context. DataBee’s ability to normalize the data and land it in a data lake enables organizations to use their existing business intelligence (BI) tools, like Tableau and Power BI, to leverage analytics and create visualizations.
Transforming data creates a common “language” across:
IT tools
Asset data
Organizational hierarchy data
Security semantics aren’t easy to learn – it can take years of hands-on knowledge across a variety of toolsets. DataBee has the advantage of leveraging learnings from Comcast to create proprietary technology that parses security data, mapping columns and values to references in the Open Cybersecurity Schema Framework (OCSF) schema while also extending that schema to fill in currently existing gaps.
Between our internal learnings and working with customers, DataBee delivers pre-built dashboards that accelerate the security data maturity journey. Meanwhile, customers who already have dashboards can still use them for their purposes. For example, continuous controls monitoring (CCM) dashboards aligned to the Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) offer a “quick start” for compliance insights.
DataBee can help customers achieve various security, compliance, and operational benefits, including:
Reduced security data storage costs by using Snowflake and Databricks
Gaining insights and economic value by leveraging a time-series dataset
Real-time active detection streams with Sigma rules that optimize SIEM performance
Asset discovery and inventory enrichment to identify and suggest appropriate ownership
Weave together data for security and compliance with DataBee
Want to see DataBee in action and how we can help you supercharge your security, operations, and compliance initiatives? Request a custom demo today.
The DataBee Hive hits Orlando for the 2024 Gartner® Data & Analytics Summit
In a great blog on bringing digital transformation to cybersecurity, Comcast CISO Noopur Davis wrote, “Data is the currency of the 21st century — it helps you examine the past, react to the present, and predict the future.” Truer words were never written.
No doubt that’s why we think Gartner created the Gartner Data & Analytics Summit — to bring together data and analytics leaders “aspiring to transform their organizations through the power of data, analytics, and AI.”
DataBee® from Comcast Technology Solutions is all about facilitating that transformation. The DataBee Hive™, a cloud-native security, risk, and compliance data fabric platform, helps organizations transform how they collect, correlate, and enrich data to deliver the deep insights needed to drive efforts to remain competitive, secure, and compliant. It works by connecting disparate data sources and feeds to merge them with an organization’s data and business logic to create a shared and enhanced dataset that delivers continuous compliance assurance, proactive threat detection with near-limitless hunts, and improved AIOps — all while optimizing data costs.
This is why we’re incredibly excited to be participating in the 2024 Gartner Data & Analytics Summit for the first time. We’re looking forward to the conference sessions but even more to engaging with attendees to hear firsthand what their data, analytics, and AI challenges are and to share what we’ve learned on the path to creating the DataBee security data fabric platform.
Below are details on DataBee’s involvement in the conference — please pay us a visit at the show.
Speaking, exhibiting, and giving out the cutest plushie at the show.
The Gartner Data & Analytics Summit takes place March 11‒13, 2024, in Orlando at the Walt Disney World Swan and Dolphin Resort in Lake Buena Vista.
The Comcast Speaking Session
Comcast DataBee: Democratizing AI With a Foundation in Enterprise & Security Data
March 12 at 12:45‒1:05 pm
Location: Theater 4, Exhibit Showcase
Speaker: Rick Rioboli, Executive Vice President & Chief Technology Officer, Comcast Cable
Session description:
For more than a decade, Comcast has incorporated AI into our products and operations, going beyond personalized content to increase customer accessibility and protect against cyberattacks. To keep pace with industry disruptors and drive more AI innovations, Comcast launched AI Everywhere. The initiative aims to reduce friction when developing safe, secure, and scalable AI solutions throughout the business. Part of that is getting data AI-ready.
Join this session to learn three key components of bringing AI to more people and how combining security data can drive more value across the enterprise.
DataBee exhibit
Be sure to visit the Comcast Technology Solutions DataBee exhibit. We can be found in Booth 618, in the Data Management Tools and Technology Village. We’ll have some of our top “bees” on hand to talk data, analytics, AI, and how a security data fabric platform can help you connect security and compliance data for insights that work for everyone in your organization.
Plus, who doesn’t love a cute plushie to take home? We’ll be giving these away at our booth.
To learn more about DataBee in just a few short minutes, check out this quick and fun explainer video or download the DataBee Hive datasheet.
If you’d like to schedule a specific time to meet during the event, we’d love it. Contact us, and we’ll follow up right away to book a time.
We hope to see you in Orlando!
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. While Gartner is hosting the Gartner Conference, Gartner is not in any way affiliated with Exhibiting Company or this promotion, the selection of winners or the distribution of prizes. Gartner disclaims all responsibility for any claims that may arise hereunder.
3 Hot Takes on Cybersecurity: SIEMs, GenAI, and more
Missed our Cybersecurity Hot Takes webinar? Lucky for you, you can watch the on-demand recording now!
We dived into cybersecurity’s burning questions with Roland Cloutier, former CISO at TikTok and ADP, Edward Asiedu, Senior Principal of Cybersecurity Solutions at DataBee, and Amy Heng, Director of Product Marketing at DataBee®. They shared their hot takes and insights related to tools, data, and people in the cybersecurity landscape. As they indulged in hot wings, the discussions ranged from the relevance of Security Information and Event Management (SIEM) tools to the transformative potential of Generative Artificial Intelligence (Gen AI).
Here’s what you can expect to learn more about:
The Decline of SIEM Tools: Roland predicted the decline of traditional SIEM tools. He argued that the current SIEM solutions are becoming obsolete due to the evolving nature of cybersecurity. The complexity of cyber risks and privacy issues demands a more sophisticated approach that goes beyond the capabilities of conventional SIEM tools. Instead, Roland emphasized the need for a data fabric platform to fill the void left by traditional SIEMs.
Vendor-Specific Query Languages: To Learn or Not to Learn? Edward highlighted the drawbacks of forcing engineers to learn multiple query languages for different security tools. Both Edward and Roland expressed a preference for standardized approaches like SQL or Sigma rules, which make detecting threats faster and help close the cybersecurity skills gap.
Gen AI and how to operationalize it for cybersecurity: Gen AI is a rising star in the cybersecurity landscape. Contrary to the fear of a robot revolution, Roland envisioned Gen AI as a powerful tool for enhancing security, risk, and privacy operations. He emphasized its potential to automate tasks such as incident response, analytics, and investigation, significantly reducing the time and resources required for these activities.
Besides the hot wings being spicier with each question, it’s clear that the cybersecurity landscape is evolving rapidly. Traditional tools like SIEM are on the decline, making way for more adaptable solutions that bring security data insights to more people. The shift towards standardized query languages and the integration of AI, particularly Gen AI, promises a future where cybersecurity operations are more efficient, automated, and capable of handling the ever-growing volume of data.
Why not hear more hot takes? Catch the webinar on-demand today.
Squeaky Clean: Security Hygiene with DataBee
Enterprises have an ever-growing asset and user population. As organizations become more complex thanks to innovation in technology, it becomes increasingly difficult to track all assets in the environment. It's difficult to secure a user or device you may not be aware of. DataBee can augment and complement your configuration management database (CMDB) by enhancing the accuracy, relevance, and usability of your asset, device, and user inventory, unlocking 3 primary use cases for security teams:
Security Hygiene
Owner & Asset Discovery
Insider Threat Hunting
Security Hygiene
DataBee for Security Hygiene can help deliver more accurate insights into the assets in your environment while automatically keeping your asset inventory up to date and contextualized. Bringing more clarity to the users and devices in your environment enables your business to enhance its security coverage, reduce manual processes, increase alert accuracy, and respond more rapidly to incidents.
Security hygiene uses entity resolution, a patent-pending technology from Comcast, to create a unique identifier from a single data source or across multiple data sources that refer to the same real-world entity, such as a user or device. This technique, performed by DataBee, helps reduce the manual entity correlation effort for analysts, and the unique identifiers can be used to discover assets and suggest missing owners.
DataBee supports ingestion from multiple data sources to help keep your security hygiene in check, including a variety of traditional sources for asset management such as your CMDB, directory services, and vulnerability scanner. It also can learn about your users and devices from non-traditional data sources such as network traffic, authentication logs, and other data streamed through DataBee that contains a reference to a user or device.
DataBee can also be used to exclude data sources and feeds that provide little fidelity for entity-related context from entity resolution, and it supports feed source prioritization. These inputs are used when there is a collision or conflicting information. For example, if a device is first seen in network traffic, preliminary information about the device, such as the hostname and IP, will be added to DataBee. Another example is when your CMDB updates a device’s IP: DataBee will use this update to overwrite the associated IP if the CMDB feed is prioritized over the network traffic information.
Owner and Asset Discovery
Organizations often struggle to assign responsibility for resolving security issues on assets or devices, many times due to unclear ownership caused by gaps in the asset management process, such as shadow IT and orphaned devices. DataBee can provide a starting point for identifying and validating the owner of a device. When a new device is discovered or the owner is not indicated in the CMDB, DataBee will leverage the events streaming through the platform to suggest potential owners of the asset. The system tracks who logs into the device for seven days after discovery and uses statistical analysis to suggest up to the three most likely owners.
The Potential Owners are listed in the Entity Details section of the Entity View page that can be expanded to quickly validate the ownership. Once security analysts are able to validate the owner, the system of record can be updated and DataBee will receive the update.
As organizations become more complex thanks to innovation in technology, it can become increasingly difficult to track all assets in the environment. DataBee provides User and Device tables to supplement existing tools. Orphaned assets remain unknown and often unpatched, creating unmonitored levels of increasing risk. Shadow IT is a growing problem as more cloud-based solutions become easily accessible. Entity resolution maintains an inventory of known assets in your organization. This enables continuous discovery of assets that would otherwise slip through the cracks based on events streamed through DataBee.
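As an added illustration of the feed-prioritization and owner-suggestion behaviour described above (example code written for this page, not DataBee's implementation), the following Python resolves device records from several feeds into one synthetic entity ID and ranks the users who logged on within a seven-day window. The feed priority map, the dev-N identifiers, the record fields, and the use of a plain frequency count in place of "statistical analysis" are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed policy (hypothetical, not DataBee's): the higher number wins a collision,
# so a CMDB update overwrites an IP first learned from network traffic, but a
# later network-traffic record cannot overwrite the CMDB value. Feeds missing
# from the map are excluded from entity resolution entirely.
FEED_PRIORITY = {"network_traffic": 1, "auth_logs": 2, "cmdb": 3}


class EntityResolver:
    """Merges records that refer to the same device into one synthetic entity ID."""

    def __init__(self, priority=FEED_PRIORITY):
        self.priority = priority
        self.entities = {}      # entity_id -> merged attributes
        self.index = {}         # ("hostname" | "ip", value) -> entity_id
        self.attr_source = {}   # (entity_id, attr) -> feed that last set it
        self._next_id = 1

    def _lookup(self, rec):
        # A record joins an existing entity if its hostname or IP is already known.
        for key in ("hostname", "ip"):
            val = rec.get(key)
            if val is not None and (key, val) in self.index:
                return self.index[(key, val)]
        return None

    def ingest(self, rec):
        """Fold one record into the inventory; returns the entity ID or None."""
        src = rec["source"]
        if src not in self.priority:
            return None  # low-fidelity feed, excluded from resolution
        eid = self._lookup(rec)
        if eid is None:
            eid = f"dev-{self._next_id}"
            self._next_id += 1
            self.entities[eid] = {"first_seen": rec["ts"]}
        ent = self.entities[eid]
        for attr in ("hostname", "ip", "owner"):
            val = rec.get(attr)
            if val is None:
                continue
            prev = self.attr_source.get((eid, attr))
            # Only an equal- or higher-priority feed may overwrite an attribute.
            if prev is None or self.priority[src] >= self.priority[prev]:
                old = ent.get(attr)
                if old is not None and old != val:
                    self.index.pop((attr, old), None)
                ent[attr] = val
                self.attr_source[(eid, attr)] = src
        for key in ("hostname", "ip"):
            if ent.get(key) is not None:
                self.index[(key, ent[key])] = eid
        return eid

    def suggest_owners(self, eid, logons, window_days=7, top=3):
        """Rank users who logged on to the device within `window_days` of discovery.
        A plain frequency count stands in for the 'statistical analysis' (assumption)."""
        ent = self.entities[eid]
        if ent.get("owner"):
            return [ent["owner"]]  # the system of record already names an owner
        cutoff = ent["first_seen"] + timedelta(days=window_days)
        counts = Counter(
            ev["user"] for ev in logons
            if self.index.get(("hostname", ev["hostname"])) == eid
            and ent["first_seen"] <= ev["ts"] <= cutoff
        )
        return [user for user, _ in counts.most_common(top)]


# Constructed sample feeds and logon events (not real data).
T0 = datetime(2024, 3, 1)
RECORDS = [
    {"source": "network_traffic", "hostname": "lab-ws01", "ip": "10.0.0.5", "ts": T0},
    {"source": "vuln_scanner", "hostname": "lab-ws01", "ip": "10.0.0.7", "ts": T0},  # excluded feed
    {"source": "cmdb", "hostname": "lab-ws01", "ip": "10.0.0.9", "ts": T0 + timedelta(days=1)},
    {"source": "network_traffic", "hostname": "lab-ws01", "ip": "10.0.0.5", "ts": T0 + timedelta(days=2)},
]
LOGONS = (
    [{"hostname": "lab-ws01", "user": "alice", "ts": T0 + timedelta(days=1)}] * 4
    + [{"hostname": "lab-ws01", "user": "bob", "ts": T0 + timedelta(days=2)}] * 3
    + [{"hostname": "lab-ws01", "user": "carol", "ts": T0 + timedelta(days=3)}] * 2
    + [{"hostname": "lab-ws01", "user": "dave", "ts": T0 + timedelta(days=4)}]
    + [{"hostname": "lab-ws01", "user": "eve", "ts": T0 + timedelta(days=12)}] * 9  # past the window
)


def run_demo():
    """Resolve the sample feeds; returns (entity table, suggested owners)."""
    resolver = EntityResolver()
    ids = [resolver.ingest(rec) for rec in RECORDS]
    eid = next(i for i in ids if i is not None)
    # returns one entity (ip 10.0.0.9 from the CMDB feed) and ['alice', 'bob', 'carol']
    return resolver.entities, resolver.suggest_owners(eid, LOGONS)
```

The fourth record shows the collision rule: the later network-traffic IP does not displace the CMDB value, and the excluded vulnerability-scanner feed never creates or alters an entity.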
Insider Threat Hunting
Insider threats are people, such as employees or contractors, with authorized access to or knowledge of an organization’s resources, who can cause harm through purposeful or accidental misuse of that authorized access. This can have negative effects on the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. Insider threats are often able to hide in plain sight for many reasons. There is complexity in cross-correlating logs of an individual's activities across various tools and products. Further, the data is siloed, making it difficult for security analysts to see the full picture. DataBee’s security, risk, and compliance data fabric platform weaves events together as they stream through, adding the business context needed to identify insider threats.
DataBee leverages entity resolution to create an authoritative and unique entity ID using data from across your environment that is mapped to real people and devices to enable hunting for insider threats in your organization. Entity resolution aggregates information from multiple data sources, merges duplicate entries, and suggests potential owners for devices and assets. By correlating and enriching the data before storing it in your data lake, DataBee creates an entity timeline, associating each event with the correct entity at the time of its activity.
These views enable insider threat hunting by allowing security analysts to see the activities conducted by a user and the related business context in a single view to identify potentially malicious behavior. The interactive user experience is intended to make leveraging the Open Cybersecurity Schema Framework (OCSF) formatted logs more accessible to all security professionals. Within the Event Timeline, security analysts can filter the events by type to focus investigations. Clicking on an event shows the mission-critical fields needed to decide whether the event is interesting. Clicking on the magnifying glass icon allows you to inspect the full event. DataBee enables one-click pivoting to related entities to simplify diving deeper into the investigation. The views are powered by the data in the data lake. Therefore, the data is available in OCSF format for threat hunters to continue their investigations in traditional tools like Jupyter notebooks, meeting hunters where they are with their data.
Take a look under the hood of DataBee v2.0 and DataBee for Security Hygiene
Are you ready for an enterprise-ready security, risk, and compliance data fabric? Request a custom demo to see how DataBee uses a unique identifier that can augment your CMDB and help deliver more accurate insights into the assets in your environment.
Finding security threats with DataBee from Comcast Technology Solutions
Last week, DataBee® announced the general availability of DataBee v2.0. Alongside a new strategic technology partnership with Databricks, we released new cybersecurity and Payment Card Industry Data Security Standard (PCI DSS) 4.0 reporting capabilities.
In this blog, we’ll dive into the new security threat use cases that you can unlock with a security, risk, and compliance data fabric platform.
DataBee for security practitioners and analysts
In security operations, detecting incidents in a security information and event management (SIEM) tool is often described as looking for a needle in a haystack of logs. Another fun (or not-so-fun) SIEM metaphor is a leaky bucket.
In an ideal world, all security events and logs would be ingested, parsed, normalized, and enriched into the SIEM, and then the events would be cross-correlated using advanced analytics. Basically, logs stream into your bucket and the SIEM, and all the breaches would be detected.
In reality, there are holes in the bucket that allow for undetected breaches to persist. SIEMs can be difficult to manage and maintain. Organization-level customizations, combined with unique and ever-changing vendor formats, can lead to detection gaps between tools and missed opportunities to avert incidents. Additionally, for cost-conscious organizations, there are often trade-offs for high-volume sources that leave analysts unable to tap into valuable insights. All these small holes add up.
What if we could make the security value of data more accessible and understandable to security professionals of all levels? DataBee makes security data a shared language. As a cloud-native security, risk, and compliance data fabric platform, DataBee engages early in the data pipeline to ingest data from any source, then enriches, correlates, and normalizes it to an extended version of the Open Cybersecurity Schema Framework (OCSF) to your data lake for long-term storage and your SIEM for advanced analytics.
Revisiting the haystack metaphor, if hay can be removed from the stack, a SIEM will be more efficient and effective at finding needles. With DataBee, enterprises can efficiently divert data, the “hay,” from an often otherwise cost-prohibitive and overwhelmed SIEM. This enables enterprises to manage costs and improve the performance of mission-critical analytics in the SIEM. DataBee uses active detection streams to complement the SIEM, identifying threats through vendor-agnostic Sigma rules and detections. Detections are streamed with necessary business context to a SIEM, SOAR, or data lake. DataBee takes to market a platform inspired by security analysts to tackle use cases that large enterprises have long struggled with, such as:
SIEM cost optimization
Standardized detection coverage
Operationalizing security findings
SIEM cost optimization
Active detection streams from DataBee provide an easy-to-deploy solution that enables security teams to send their “needles” to their SIEM and their “hay” to a more cost-effective data lake. Data that would often otherwise be discarded can now be analyzed en route. Enterprises need only retain the active detection stream findings and the security logs needed for advanced analytics and reporting in the SIEM. By removing the “hay,” enterprises can reduce their SIEM operating costs.
The optimized cloud architecture enables security organizations to gain insights into logs that are too high volume or contain limited context to leverage in the SIEM. For example, DNS logs are often considered too verbose to store in the SIEM. They contain a high volume of low-value logs due to limited information retained in each event. The limited information makes the DNS logs difficult to cross-correlate with the disparate data sources needed to validate a security incident.
Another great log source example is Windows Event Logs. There are hundreds of validated open-source Sigma detections for Windows Event Logs to identify all kinds of malicious and suspicious behavior. Leveraging these detections has traditionally been difficult due to the scale required both for the number of detections and volume of data to compare it to. With DataBee’s cloud-native active detection streams, the analytics are applied as the data is normalized and enriched, allowing security teams new insights into the potential risks facing their organization. DataBee’s power and scale complement the SIEM’s capabilities, plugging some of the holes in our leaky bucket.
Analyst fatigue can be lessened by suppressing security findings for users or devices that are known to reduce the reliability of a finding. With DataBee’s suppression capability, you can filter and take actions on security findings based on the situation. Selecting “Drop” for the action ignores the event, which is ideal for events that are known to be false positives in the organization. Alternatively, applying an “Informational” action reduces the severity and risk level of the finding to Info while still allowing the finding to be tracked for historical purposes. The Informational level is well suited to tuning that requires long-term auditability. The scheduling option gives you a way to account for recurring known events, like change windows, that might fire alerts or cause additional issues that could lead to false positives.
By applying the analytics and tuning to the enriched logs as they are streamed to more cost-effective long-term storage in the data lake, security teams can detect malicious behavior like PowerShell activity or DNS tunneling. Additionally, DataBee’s Entity Resolution not only enriches the logs but learns more about your organization from them, discovering assets that may be untracked or unknown in your network.
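To make the three suppression actions concrete, here is a small example written for this page (not DataBee's code) that applies Drop, Informational and scheduled rules to constructed findings as they pass through. The finding and rule fields, the weekday-based schedule, and the severity labels are assumptions.

```python
from datetime import datetime, time


def matches(rule, finding):
    """Every match field in the rule must equal the finding's field (AND)."""
    return all(finding.get(k) == v for k, v in rule["match"].items())


def in_schedule(ts, schedule):
    """True when ts falls inside a recurring window (weekday + time of day);
    a rule without a schedule is always active. Weekdays use 0=Mon .. 6=Sun."""
    if schedule is None:
        return True
    return ts.weekday() in schedule["days"] and schedule["start"] <= ts.time() < schedule["end"]


def apply_suppressions(findings, rules):
    """Returns (retained, dropped). Retained findings keep an audit trail of the
    suppression rule that downgraded them, so tuning stays reviewable later."""
    retained, dropped = [], []
    for original in findings:
        f = dict(original)
        for r in rules:
            if not (matches(r, f) and in_schedule(f["ts"], r.get("schedule"))):
                continue
            if r["action"] == "Drop":
                dropped.append(f)
                break  # known false positive: ignore the event entirely
            if r["action"] == "Informational":
                f["severity"], f["risk_level"] = "Informational", "Info"
                f["suppressed_by"] = r["name"]
        else:  # no Drop rule fired
            retained.append(f)
    return retained, dropped


# Constructed suppression rules (hypothetical names and match fields).
RULES = [
    {"name": "fp-deploy-powershell", "action": "Drop",
     "match": {"rule": "win_powershell_encoded", "entity": "svc-deploy"}},
    {"name": "dns-txt-noisy", "action": "Informational",
     "match": {"rule": "dns_long_txt_query"}},
    {"name": "sat-change-window", "action": "Informational",
     "match": {"rule": "win_service_installed"},
     "schedule": {"days": {5}, "start": time(2, 0), "end": time(4, 0)}},  # Sat 02:00-04:00
]

# Constructed findings (not real alerts); 2024-03-05 is a Tuesday, 2024-03-09 a Saturday.
FINDINGS = [
    {"rule": "win_powershell_encoded", "entity": "ws-042", "severity": "High", "risk_level": "High",
     "ts": datetime(2024, 3, 5, 10, 0)},
    {"rule": "win_powershell_encoded", "entity": "svc-deploy", "severity": "High", "risk_level": "High",
     "ts": datetime(2024, 3, 5, 10, 5)},
    {"rule": "dns_long_txt_query", "entity": "ws-042", "severity": "Medium", "risk_level": "Medium",
     "ts": datetime(2024, 3, 5, 10, 7)},
    {"rule": "win_service_installed", "entity": "srv-07", "severity": "High", "risk_level": "High",
     "ts": datetime(2024, 3, 9, 3, 0)},   # inside the change window
    {"rule": "win_service_installed", "entity": "srv-07", "severity": "High", "risk_level": "High",
     "ts": datetime(2024, 3, 5, 3, 0)},   # same time of day, but a Tuesday
]


def run_demo():
    """Returns (retained, dropped) for the constructed findings and rules."""
    # returns 4 retained (High, Informational, Informational, High) and 1 dropped
    return apply_suppressions(FINDINGS, RULES)
```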
Standardized detection coverage
With the ever-evolving threat landscape, detection content is constantly updated to stay relevant. As such, security organizations have taken on more of a key role in content management between solutions. Compounded by the popularization of Sigma-formatted detections with both security researchers and vendors, many large enterprises are beginning their journey to migrate existing custom detections to open-source formats managed via GitHub. Sigma detection rules are imported and managed via GitHub to DataBee to quickly operationalize detection content. Security organizations can centralize and standardize content management for all security solutions, not just DataBee.
Active detection streams apply Sigma rules, an open-source signature format, over security data that is mapped to a DataBee-extended version of OCSF to integrate into the existing security ecosystem with minimal customizations. DataBee handles the translation from Sigma to OCSF to help lower the level of effort needed to adopt and support organizations on their journey to vendor-agnostic security operations. With Sigma-formatted detections leveraging OCSF in DataBee, organizations can swap out security vendors without needing to update log parsers or security detection content.
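An added example (not DataBee's implementation) of what vendor-agnostic detection over OCSF looks like in practice: two constructed vendor formats for a process launch are normalized to the same OCSF Process Activity shape, and one Sigma-style rule is evaluated against both through a Sigma-field-to-OCSF mapping, so the rule is written once regardless of source. The mapping, the normalizers, the rule, and the subset of Sigma syntax supported are assumptions.

```python
# Sigma field names -> OCSF Process Activity (class_uid 1007) paths. This is a
# simplified mapping assumed for the example; DataBee's own mapping is not shown.
SIGMA_TO_OCSF = {
    "Image": "process.file.path",
    "CommandLine": "process.cmd_line",
    "ParentImage": "process.parent_process.file.path",
}


def normalize_vendor_a(ev):
    """Flat 4688-style record (constructed vendor format) -> OCSF Process Activity."""
    return {"class_uid": 1007, "activity_id": 1, "process": {
        "file": {"path": ev["NewProcessName"]},
        "cmd_line": ev["CommandLine"],
        "parent_process": {"file": {"path": ev.get("ParentProcessName")}}}}


def normalize_vendor_b(ev):
    """Nested EDR-style JSON (constructed vendor format) -> the same OCSF shape."""
    p = ev["process"]
    return {"class_uid": 1007, "activity_id": 1, "process": {
        "file": {"path": p["path"]},
        "cmd_line": p["cmdline"],
        "parent_process": {"file": {"path": p.get("parent", {}).get("path")}}}}


NORMALIZERS = {"vendor_a": normalize_vendor_a, "vendor_b": normalize_vendor_b}

# Constructed Sigma-style rule (illustrative, not taken from any public rule set).
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand "],
        },
        "filter": {"ParentImage|endswith": "\\known-deploy-tool.exe"},  # hypothetical tuning
        "condition": "selection and not filter",
    },
}


def get_path(obj, dotted):
    """Walk a dotted OCSF path; a missing field yields None."""
    for part in dotted.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(part)
    return obj


def value_matches(value, modifier, pattern):
    """Sigma string matching is case-insensitive; only a few modifiers are supported."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    return v == p


def selection_matches(selection, event):
    """All keys in a selection must match (AND); a list of values is OR."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = get_path(event, SIGMA_TO_OCSF[field])
        options = pattern if isinstance(pattern, list) else [pattern]
        if not any(value_matches(value, modifier, p) for p in options):
            return False
    return True


def evaluate(rule, event):
    """Supports conditions of the form 'a and not b and c' (assumption)."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if selection_matches(det[name], event) == negate:
            return False
    return True


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RAW_EVENTS = [  # constructed events; a placeholder stands in for any encoded payload
    ("vendor_a", {"EventID": 4688, "NewProcessName": PS, "CommandLine": "powershell.exe -enc <base64-placeholder>", "ParentProcessName": r"C:\Windows\explorer.exe"}),
    ("vendor_b", {"event_type": "process_start", "process": {"path": PS, "cmdline": "powershell -NoP -enc <base64-placeholder>", "parent": {"path": r"C:\Windows\explorer.exe"}}}),
    ("vendor_a", {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentProcessName": r"C:\Windows\explorer.exe"}),
    ("vendor_b", {"event_type": "process_start", "process": {"path": PS, "cmdline": "powershell -enc <base64-placeholder>", "parent": {"path": r"C:\Program Files\known-deploy-tool.exe"}}}),
]


def detect_all(raw_events=RAW_EVENTS, rule=RULE):
    """Normalize each vendor event to OCSF and evaluate the one rule over it."""
    # returns [('vendor_a', True), ('vendor_b', True), ('vendor_a', False), ('vendor_b', False)]
    return [(vendor, evaluate(rule, NORMALIZERS[vendor](ev))) for vendor, ev in raw_events]
```

Swapping one vendor for another only means adding a normalizer; the rule and its field mapping stay untouched, which is the property the text attributes to Sigma over OCSF.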
Operationalizing security findings
One of DataBee’s core principles is to meet you where you are with your data. The intent is to integrate into your existing workflows and tools and avoid amplifying the “swivel chair” effect that plagues every security analyst. In keeping with the vendor-agnostic approach, DataBee security findings generated by active detection streams can be output in OCSF format to S3 buckets. This format can be configured for ingestion and immediate use in major SIEM products.
Leveraging active detection streams with Entity Resolution in DataBee enables organizations to identify threats with vendor-agnostic detections with all the necessary business context as the data streams toward its destination. DataBee used in conjunction with the SIEM allows security teams visibility out of the box into potential risks facing their organization without the noise.
DataBee and Databricks: Business-ready datasets for security, risk, and compliance
In today's fast-paced and data-driven world, businesses are constantly seeking ways to gain a competitive edge. One of the most valuable assets these businesses have is their data. By analyzing and deriving insights from their data, organizations can make informed decisions, manage organizational compliance, optimize resource allocation, and improve operational efficiency.
Better together: DataBee and Databricks
As part of DataBee® v2.0, we’re excited to announce a strategic partnership with Databricks that gives customers the flexibility to integrate with their data lake of choice.
DataBee is a security, risk, and compliance data fabric platform that transforms raw data into analysis-ready datasets, streamlining data analysis workflows, ensuring data quality and integrity, and fast-tracking organizations’ data lake development. In the medallion architecture, businesses and agencies organize their data in an incremental and progressive flow that allows them to achieve multiple advanced outcomes with their data. From the bronze layer, where raw data lands as is, to the silver layer, where data is minimally cleansed for some analytics, to the gold layer, where advanced analytics and models can be run on data for outcomes across the organization, let DataBee and Databricks get your data to gold.
In the past, creating gold-level datasets was a challenging and time-consuming process. Extracting valuable insights from raw data required extensive manual effort and expertise in data aggregation, transformation, and validation. Organizations had to invest significant resources in developing custom data processing pipelines and dealing with the complexities of handling large volumes of data. Lastly, legacy systems and traditional data processing tools struggled to keep up with the demands of big data analytics, resulting in slow and inefficient data preparation workflows. This hindered organizations' ability to derive timely insights from their data and make informed decisions.
DataBee's integration with Databricks empowers customers to take their gold-level datasets up a notch by leveraging advanced data transformation capabilities and sophisticated machine learning algorithms within Databricks. Regardless of whether the data is structured, semistructured, or unstructured, Databricks' unique lakehouse architecture provides organizations with a robust and scalable infrastructure to store and manage vast amounts of data and insights in SQL and non-SQL formats. The lakehouse architecture from Databricks allows businesses to leverage the flexibility of a data lake and the analysis efficiency of a data warehouse in a unified platform.
The integration between DataBee and Databricks involves two key components: the Databricks Unity Catalog and the Auto Loader job.
The Databricks Unity Catalog is a unified governance solution for data and AI assets within Databricks that serves as a centralized location for managing data and its access.
The Auto Loader automates the process of loading data from Unity Catalog-governed sources to the Delta Lake tables within Databricks. The Auto Loader job monitors the data source for new or updated data and copies it to the appropriate Delta Lake tables. This ensures that the data is always up to date and readily available for analysis within Databricks. When integrating DataBee with Databricks, the data is loaded from the Databricks Unity Catalog data source using the Auto Loader, ensuring that it is easily accessible and can be leveraged for analysis.
This seamless integration, combined with DataBee's support for major cloud platforms like AWS, Google Cloud, and Microsoft Azure, enables organizations to easily deploy and operate Databricks and DataBee in their preferred cloud environment, ensuring efficient data processing and analysis workflows.
Connecting security, risk, and compliance insights faster with DataBee
It’s time to start leveraging your security, risk, and compliance data with DataBee and Databricks.
DataBee joins large security and IT datasets and feeds close to the source, correlating them with organizational data such as asset and user details and internal policies before normalizing them to the Open Cybersecurity Schema Framework (OCSF). The resulting integrated, time-series dataset is sent to the Databricks Data Intelligence Platform, where it can be retained and kept accessible for an extended period. Empower your organization with DataBee and Databricks and stay ahead of the curve in the era of data-driven decision-making.
Five Benefits of a Data-Centric Continuous Controls Monitoring Solution
For as long as digital information has needed to be secured, security and risk management (SRM) leaders and governance, risk and compliance (GRC) leaders have asked: Are all of my controls working as expected? Are there any gaps in security coverage, and if so, where? Are we at risk of not meeting our compliance requirements? How can I collect and analyze data from across all my controls faster and better?
From “reactive” to “proactive”
Rather than assessing security controls at infrequent points in time, such as while preparing for an audit, a more useful approach is to implement continuous monitoring. However, it takes time to manually collect and report on data from a disparate set of security tools, making “continuous” a very challenging goal. How can SRM and GRC teams evolve from being “reactive” at audit time, to “proactive” all year long? Implement a data-centric continuous controls monitoring (CCM) solution.
Gartner® describes CCM tools as follows:
“CCM tools offer SRM leaders and relevant IT operational teams a range of capabilities that enable the automation of CCM to reduce manual effort. They support activities during the control management life cycle, including collecting data from different sources, testing controls’ effectiveness, reporting the results, alerting stakeholders, and even triggering corrective actions in the event of ineffective controls or anomalies. Furthermore, the automation they support enables SRM leaders and IT operational teams to gain near real-time insights into controls’ effectiveness. This, in turn, improves situational awareness when monitoring security posture and detecting compliance gaps.” Gartner, Inc., Innovation Insight: Cybersecurity Continuous Control Monitoring, Jie Zhang, Pedro Pablo Perea de Duenas, Michael Kranawetter, 17 May 2023
The use of a CCM solution offers significant advantages over point-in-time reviews of multiple data sources and reports. This blog identifies five of the key benefits of using a CCM solution.
Share the same view of the data with all teams in the three lines of defense.
A shared and consistent view of data facilitates better coordination between operations teams that are accountable for compliance with organizational security policy, the process owners who manage the tools and data used to measure compliance, and the GRC team that oversees compliance.
A set of CCM dashboards can provide that common view. Without a shared view of compliance status, teams may be looking at different reports, or reports created similarly, but at different points in time, resulting in misunderstandings; in effect, a cybersecurity “Tower of Babel.” Consistent reporting based on a mutually recognized source of truth for compliance data is an essential first step.
Furthermore, without a consistent view of compliance data, it will be challenging to have a productive conversation about the quality of the data and its validity. If operations teams are pulling their own reports, or even if they are consuming reports provided by the process owners or GRC team, inconsistencies in data are likely to be attributed to differences in report formats, or differences in the dates when the reports were run. If all the teams are looking at the same set of CCM dashboards displaying the same data, it is easier to resolve noncompliance issues that may be assigned to the wrong team, or to find other errors, such as missing or incorrect data, that need to be fixed.
Bring clarity to roles and responsibilities.
Job descriptions may include tasks such as, “Ensure compliance with organizational cybersecurity policy.” But ultimately, what does that mean, especially to a business manager for whom cybersecurity is not their primary responsibility? In contrast, a set of CCM dashboards that an operations level manager can access to see what specifically is compliant or noncompliant for their department provides an easily understood view of that manager’s responsibilities. Managers do not need to spend unproductive time trying to guess what their role is, or trying to find the team that can provide them with information about what exactly is noncompliant for the people and assets in their purview.
Compliance documents and frameworks typically include requirements for documenting “roles and responsibilities,” for example, the n.1.2 controls (e.g., 1.1.2, 2.1.2, etc.) and 12.1.3 in PCI-DSS v4.0. Similarly, the “Policy and Procedures” controls, such as AC-01, AT-01, etc. in NIST SP 800-53 state that the policy “Addresses… roles, [and] responsibilities.”
Ultimately, roles and responsibilities for operations managers and teams can be presented to them in an understandable format by displaying compliant and noncompliant issues for the people and assets that they manage. This is not to say that cybersecurity related roles and responsibilities should not be listed in job descriptions. However, a display of what is or is not compliant for their department will complement their job description by making the manager’s responsibilities less abstract and more specific.
Making compliance and security a shared responsibility
Cybersecurity is Everyone’s Job according to the National Initiative for Cybersecurity Education (NICE), a subgroup on Workforce Management at the National Institute of Standards and Technology (NIST). At the operations level, a manager’s primary responsibility for the business may be to produce the product that the business sells, to sell the product, or something related to these objectives. But the work of the business needs to be done with cybersecurity in mind. Business operations managers and the staff that report to them have a responsibility to protect the organization’s intellectual property, and to protect confidential data about the organization’s customers. So, even if cybersecurity is not someone’s primary job responsibility, cybersecurity is in fact everyone’s job.
At times, business managers may take a stance that “cybersecurity is not my job,” and that it is the job of the CISO and their team to “make us secure.” Or business managers may accept that they do have cybersecurity responsibilities, but then struggle to find a team or a data source that can provide them with the specifics of what their responsibilities are.
A CCM solution can give business managers a clear understanding of what their cybersecurity “job” is without requiring them to track down the information about the security measures they should be taking, as the data alerts them to security gaps they need to address.
Enhance cybersecurity by ensuring compliance with regulations and internal policies
Compliance may not equal security, but the controls mandated by compliance documents are typically foundational requirements that, if ignored, are likely to leave the organization both noncompliant and insecure. An organization that has good coverage for basic cybersecurity hygiene is likely to be in a much better position to achieve compliance with any regulatory mandates to which they are subject. Or, conversely, if the organization has gaps in their existing cyber hygiene, working to achieve compliance with their regulatory requirements, or an industry recognized set of security controls, will provide a foundation on which the organization can build a more sophisticated, risk-based cybersecurity program.
The basics are the basics for a reason. Using a CCM tool to achieve consistent coverage for the basics when it comes to both compliance and cybersecurity provides a more substantial foundation for the cybersecurity program.
Creating a progressive and positive GRC feedback loop using CCM
A CCM solution does not take the place of or remove the need for a GRC team and a GRC program. But it is a tool that, if incorporated into a GRC program, can help by saving time formerly used to manually create reports, and by facilitating coordination and cooperation by providing teams a consistent view of their compliance “source of truth.” Implementing a CCM solution may uncover gaps in data (missing or erroneous data), or gaps in communication between teams, such as the business teams that are accountable for compliance, and the process owners who are managing the tools and data used to track compliance. Uncovering any such gaps provides the opportunity to resolve them and to make improvements to the program. As gaps in data, policy or processes are uncovered and resolved, the organization is positioned to make continuous improvement in its compliance posture.
If there are aspects of the organization’s current GRC program that have not achieved their intended level of maturity, a CCM solution like DataBee can help by providing a consistent view of compliance data that all teams can reference. CCM can be the focus that teams use to facilitate discussions about the current state, and how to move forward to a more compliant state. Over time, the organization can draw on additional sources of compliance data and display it through new dashboards to continue to build on their compliance and cybersecurity maturity.
Get started with DataBee CCM
For more insights into how a CCM solution can ease the burden of GRC teams while improving an organization’s security, risk and compliance posture, read the recent interview of Rob Rose, Sr. Manager on the Cybersecurity and Privacy Compliance team here at Comcast. Rob and the Comcast GRC team use the internally developed data fabric platform that DataBee is based on, and they’ve achieved some remarkable results.
The DataBee CCM offering delivers the five key benefits described here and more. If your organization would like to evolve its SRM and GRC programs from being “reactive” to “proactive” with continuous, year-round controls monitoring, be in touch and let us show you how DataBee can make a difference.
Download the CCM Solution Brief to learn more, or request a personalized demo.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
DataBee is a Leader in Governance, Risk, and Compliance in Snowflake's The Next Generation of Cybersecurity Applications
Today, Snowflake recognized DataBee, part of Comcast Technology Solutions, as a Leader in the Governance, Risk & Compliance (GRC) Category in Snowflake’s The Next Generation of Cybersecurity Applications. As the Director of Strategic Sales and Go-to-Market Strategy, I am proud to help joint customers achieve fast, accurate, and data-driven compliance answers and resolutions that measure risks and controls effectiveness.
The inaugural, data-backed report identified five technology categories that security teams may consider when building their cybersecurity strategy. In addition to the GRC category, the other categories included: Security Information and Event Management (SIEM), Cloud Security, Data Enrichment and Threat Intelligence, and Emerging Segments.
DataBee puts your data at the center for dynamic, detail-rich compliance metrics and reports. The cloud-native security, risk and compliance data fabric platform weaves together security data sources with asset owner details and organizational hierarchy information, breaking down data silos and adding valuable context to cyber-risk reports and metrics.
By being a connected application Powered by Snowflake partner, DataBee makes continuous controls monitoring (CCM) a reality by enabling customers to securely and quickly access large, historical datasets in Snowflake while driving down costs and maintaining high performance. DataBee’s robust analytics enables teams across the organization to leverage the same dataset for high fidelity analysis, decisioning, response and assurance outcomes without worrying about retention limits. From executives to governance, risk and compliance (GRC) analysts, DataBee on Snowflake delivers a dynamic and reliable single source of truth.
Thank you to Snowflake for partnering with DataBee! As Nicole Bucala mentioned in our press release, DataBee makes it faster, easier and more cost effective for GRC teams to combine and share the security and business data and insights that their constituents need to stay compliant and mitigate risk. Our strategic partnership with Snowflake is an essential part of our solution, providing a powerful, flexible, and fully managed cloud data platform for our customers’ data regardless of the source.
DataBee appoints Ivan Foreman for EMEA expansion leadership
You may be surprised to know this, but the security data issues that challenge US-based security teams are issues felt ’round the world. Of course, I’m kidding: These challenges have been worked on, talked about, and written about for years and continue to eat up news cycles because it’s still too hard to correlate and analyze all of the security data generated by the tools and technologies that live in most enterprise security stacks.
DataBee® from Comcast Technology Solutions (CTS) has been created to help bring order, ease, and clarity to security data chaos in the enterprise. Having focused this first year of business on our US home turf, we’re very happy now to expand into EMEA with a cybersecurity veteran at the helm — Ivan Foreman. Based out of London with work and life experience in Israel and South Africa, Ivan brings to his new role as Executive Director and Head of EMEA Sales, DataBee a deep understanding of the unique needs of customers and partners from across EMEA, and a true passion for ensuring the security of both people and organizations.
Let’s learn a little bit more about Ivan and his background…
[LC]: Ivan, you’ve joined CTS DataBee to lead Sales and Business Operations in EMEA. Talk to us about your charter there and what you hope to accomplish in your first several months.
[IF]: I’m very excited to join CTS DataBee and the opportunity to build the business in EMEA. My first month was spent learning as much as possible about Comcast, the value a security data fabric has brought to the organization, and the commercialization of this innovation through DataBee. I was fortunate enough to travel to HQ in Philadelphia and meet the leadership team who have been building DataBee for the past year. My next couple of months will be spent building the DataBee brand in the EMEA region and helping organizations there get more from their security data. So far, the response has been fantastic, and almost everyone I’ve spoken to about DataBee is keen to learn more and seems to have an interest in putting me in touch with their colleagues.
[LC]: How did you learn about the opportunity with CTS DataBee, and what ultimately attracted you to this position?
[IF]: I worked with Nicole Bucala (VP & GM of DataBee) at a previous company, and during the summer, I saw her post on LinkedIn about DataBee and was intrigued. As I was in the process of looking for a new role, I reached out to learn more.
There were ultimately three things that attracted me to the role:
The company: DataBee is part of Comcast Technology Solutions, whose parent company, Comcast, is one of the largest companies in the US. Having worked for small cybersecurity startups in the past, I understand the challenges of building a brand from scratch; here, I have the support of the Comcast brand and an amazing internal use case that validates how well equipped we are to solve the enterprise security data problem.
The product: Listening to the story of how Noopur Davis, Comcast’s CISO, built a security data fabric internally to help her answer the very difficult questions asked by Comcast’s board and regulators, whilst at the same time saving money and improving the company’s security posture, was very compelling.
The people: It has always been very important for me to work with people I like and respect. Nicole has done an amazing job of hiring some of the best and brightest talent in the industry. Throughout my interviews, I was impressed by the quality of the people I met and was excited by the prospect of so many successful people all working together.
[LC]: What is it about DataBee the product that excites you and that you think will resonate with enterprises in EMEA?
[IF]: What is resonating is our Continuous Controls Monitoring (CCM) offering — the ability to see real-time dashboards relating to the company’s security, risk, and compliance posture. Every single company has different data sources and security metrics that they need to monitor, and our CCM capability provides both standard and customizable dashboards that make it possible for an organization to track their specific security controls and compliance requirements.
In EMEA in particular, keeping up with regulations is such a challenge, and every industry and country seems to have different cybersecurity-related regulations they need to adhere to. In the UK, the ‘network and information systems,’ or NIS, is the main framework to look out for. Telecommunications companies, or Telcos, are grappling with the UK’s Telecommunications (Security) Act, whose requirements need to be in place for Tier 1 Telcos by March 2024. PCI DSS 4.0, which applies globally to any organization that processes payment cards, is another one to review. DataBee can ease the challenge of keeping up with these and other regulations by giving CISOs and GRC teams an easier way to continuously monitor their controls and keep ahead of their annual audits.
[LC]: Tell us a bit about your background in cybersecurity — you’ve been in this industry for most, if not all, of your career, correct? Share with us some of your experiences and what’s kept you hooked on the security space.
[IF]: I grew up in South Africa and graduated from university in Durban, but my professional cybersecurity experience began when I went to live in Israel. There, I worked for a company called Aladdin, which, at that time, was the market leader in combatting software piracy.
Eventually I moved to the UK, and other roles there included:
Business development manager for Softwrap, which had a very innovative secure envelope solution for helping to securely distribute software online (long before there were App Stores).
Progressive channel management and leadership roles at ScanSafe, a pioneer in SaaS web security. I was one of the first employees and helped the company grow and expand until it was sold to Cisco in 2009 for $183 million. I stayed with Cisco for another four years and was promoted to lead the company’s security business in the UK, selling its full security portfolio (firewalls, IDS, email security, web security, VPN, identity services, etc.).
VP of sales EMEA and VP of sales Asia Pacific for Wandera, where I was reunited with the original founders of ScanSafe, who were focused this time on enterprise mobility security and data management.
VP of sales EMEA for Illusive Networks, an Israeli deception security company. I started as their first EMEA hire, helping them grow and expand the business there.
Senior director of global channel sales for Nozomi Networks (an OT security company), where I led their global channel business and was purely focused on developing relationships with hundreds of partners around the world.
Whilst working in the security industry, it is not just about selling products; you actually feel as if you are positively contributing to society by helping to keep companies and people safe from bad actors. I guess that’s what has really kept me interested in this space and why I believe I’ll probably stay in cybersecurity until the end of my career.
[LC]: What are some of the key data and/or cybersecurity challenges that are unique to enterprises in EMEA?
[IF]: One of the most interesting challenges I have seen in the UK specifically is the very short tenure of CISOs. I recently read a Forrester report, which highlighted that the average tenure for a UK CISO (working for the FTSE 100 companies) was 2.8 years. This means that they are not likely able to invest in long-term projects, but rather focus on short-term wins before they move on to a new challenge. It’s therefore critical to understand where the CISO is in their tenure as a key success factor, which may make or break a potential sale.
[LC]: Looking ahead into 2024, what are some of your security and/or security business predictions for the year ahead in EMEA? Any threats/challenges/opportunities you see on the near-term horizon?
[IF]: No doubt AI and ML are going to play a huge role in 2024 and beyond. Ensuring these technologies are used correctly and morally is going to be a huge challenge, as bad actors and malicious hackers can also use them to attack enterprises and states.
The other challenge I see is finding skilled cybersecurity professionals who are available to help implement policies and keep companies safe. As reported by ISC2 in their 2023 Cybersecurity Workforce Study, there are roughly four million empty cybersecurity positions in companies and organizations globally. The people who work in the industry need to find a way to ensure children at school learn about the importance of these jobs and are encouraged to consider careers in this field.
[LC]: Will you be working to build channel partnerships in EMEA? If so, what types of partners are you hoping to create relationships with?
[IF]: Yes, DataBee is a channel-friendly organization, and we love working with our partners to help our customers achieve fast time-to-value. The only way to really grow and scale our business quickly throughout EMEA is to embrace the channel. I believe, however, that it is critical to focus on a few key strategic partners; it’s not quantity, it’s quality, and ensuring that there’s a good overlap of our target customers and the customers served by our partners.
I’ve already started discussions with a few strategic partners who have expertise in this space and see the value of what DataBee is bringing to market. The most critical element from my perspective is finding partners who can help deliver the professional services that will ensure a successful DataBee implementation and faster time-to-value.
[LC]: Who is resonating with the DataBee story and value proposition right now?
[IF]: Initially, anyone involved in security, risk, and compliance management. Our CCM solution is ideal for CISOs and GRC and compliance executives because of the real-time reporting it can provide, and it’s great for GRC analysts and audit teams who need that ‘single source of truth’ — connected and enriched data.
We have an aggressive product roadmap for the DataBee data fabric platform that we hope will make it very relevant and important to other cybersecurity, privacy, data management, and business intelligence roles early in 2024 and beyond. Within Comcast, the data fabric platform that DataBee is based on is being used by everyone from the Comcast CISO and CTO to GRC analysts, data scientists, data engineers, threat hunters, security analysts, and more.
[LC]: Where are you based, and what’s the easiest way for people to reach you?
[IF]: I’m based in London. It is best to reach me via email ivan_foreman@comcast.com or via LinkedIn.
Additional information
We believe that DataBee is truly unique, providing a comprehensive approach to bringing together security and enterprise IT data in a way that improves an organization’s security, risk, and compliance posture.
As Comcast CISO Noopur Davis has said, “Data is the currency of the 21st century — it helps you examine the past, react to the present, and predict the future.” It is a universal currency that all organizations should be able to use, whether for deep security insights and improved protection, or to propel the business forward with a better understanding of customer needs.
Learn how your organization can take full advantage of its security data by requesting a personalized demo of DataBee or reaching out to Ivan. He can’t wait to talk to you.
Putting your business data to work: threat hunting edition
Detectives, bounty hunters, investigative reporters, threat hunters. They all share something in common: When they’re hot on a scent, they’re going to follow it. In the world of cybersecurity, threat hunters can use artifacts left behind by a bad actor or even a general hunch to start an investigation. Threat hunting, as a practice, is a proactive approach to finding and isolating cyberthreats that evade conventional threat detection methods.
Today’s threat hunters are technologists. They are using an arsenal of tools and triaging alerts to pinpoint nefarious behaviors. However, technology can also be a barrier. Pivoting between tools, deciphering noisy datasets and duplicative fields, assessing true positives from alerts, and waiting to access cold data repositories can slow down hunts during critical events.
Threat hunters that I have worked with here at Comcast and at other organizations have shared that data, when enriched and connected, can be a crucial advantage. Data helps paint a picture about users, devices, and systems, and the expansive lens enables threat hunters to have a more accurate investigation and response plan. However, data is expensive to store long term, and large, disparate datasets can be overwhelming to sift through to find threat signals.
Threat hunting in the AI age
The broad adoption of artificial intelligence (AI) and machine learning (ML) opens the door to data-centric threat hunting, where a new generation of hunters can execute more comprehensive and investigative hunts based on the continuous, automated review of massive data. Threat hunters can collaborate with data engineers and analysts to build AI/ML models that can quickly and intelligently inspect millions of files and datasets with the accuracy, scale, and pace that manual efforts cannot match.
When companies are generating terabytes and petabytes of data every day, using AI/ML can help security teams:
Collect data from multiple security tools and aggregate it with non-security insights.
Scrutinize network traffic data and logs for indicators of compromise.
Detect unknown threats or stealthy attacks, including the exploitation of zero-day vulnerabilities and lateral movement activities.
Alert on multiple failed log-in attempts or brute force activity and identify unauthorized access.
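The last item in the list above, failed-login bursts followed by unauthorized access, is the kind of detection that is straightforward to express once the data is parsed into a common shape. The block below is an added example written for this post, not DataBee code or any Comcast detection content; it runs a sliding-window brute-force rule over a handful of constructed, syslog-style SSH authentication lines and additionally flags a successful login from a source that is still inside a failure burst. The log format, the threshold of five failures per minute and the IP addresses are all assumptions made for the example.

```python
"""Brute-force and success-after-failures detection over constructed auth logs.

Added example (not DataBee code). A sliding window counts failed logins per
source address; a second rule flags a success from a source whose failure
burst is still within the window, which is the higher-value signal.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (assumed syslog-like sshd format, documentation IPs).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:02Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z auth sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09Z auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:00:30Z auth sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:20:00Z auth sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts found in `lines`, in the order they are raised.

    'brute_force'            : `threshold` or more failures from one source
                               inside `window` (reported once per source)
    'success_after_failures' : an Accepted login from a source whose recent
                               failures still meet the threshold
    """
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    reported = set()               # sources already reported as brute force
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append({"kind": "brute_force", "src": ev["src"],
                               "count": len(recent), "ts": ev["ts"]})
        elif len(recent) >= threshold:
            # A success while the burst is still hot deserves its own alert.
            alerts.append({"kind": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input this raises two alerts for 203.0.113.7 (the burst, then the success eight seconds later) and nothing for 198.51.100.4, whose single failure has aged out of the window by the time the success arrives. In a real pipeline the same rule would run over the normalized dataset rather than raw text, and the threshold and window would be tuned per environment.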
At Comcast, having clean, integrated data allows AI/ML to improve operational efficiency and fidelity. For the cybersecurity team, operationalizing AI/ML to scrub large datasets led to a 200% reduction in false positives; for the IT team, AI/ML highlighted single-use and point solutions that could be reduced or eliminated, leading to a $10 million cost avoidance.
Creating more effective threat hunting programs with your data
Threat hunters want access to data and logs — the more the merrier. This is because clever malware developers delete or modify artifacts, for example by clearing the Windows Event Log or deleting files, to evade detection; fortunately for defenders, threat hunters know packets don’t lie.
Analyzing all that data can quickly become a challenging task. DataBee® takes on the security data problem early in the data pipeline to give data engineers and security analysts a single source of truth with cleaner, enriched time-series datasets that can accelerate AI operations. This enables them to utilize their data to build AI/ML models that can not only automate and augment the review of data but also achieve:
Speed and scale: Security data from different tools that have duplicative information and no common schemas can now be analyzed quickly and at scale. DataBee parses and deduplicates multiple datasets before analysis. This gives data engineers clean data to build effective AI/ML models directly sourced from the business, increasing visibility and early detection across the threat landscape.
Business context: Threat hunting needs more than just security data. Security events without business context require hours of event triaging and prioritization. DataBee weaves security data with business context, including org chart data and asset owner details, so data engineers and threat hunters can create more accurate models and queries. For Comcast, employing this model has led to more informed decision-making and fewer false positives.
Data and cost optimization: The time between when a bad actor first gains access to the environment and when that activity is detected may be days, months, or years. This makes data retention important — but expensive. Traditional analytical methods and SIEMs put tremendous pressure on CIO and CISO budgets. DataBee optimizes data, retaining its quality and integrity, so it can be stored long term and cost-effectively in a data lake. The data remains highly accessible, allowing threat hunters to run multiple compute-intensive queries on demand to better protect their organization.
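The pipeline shape described here (parse and deduplicate events from tools with no common schema, then weave in org chart and asset owner context) is the same bronze, silver, gold progression the Databricks post above describes for the medallion architecture. The block below is an added example written for this page, not DataBee or Databricks code: constructed raw events from two fictional tools land as-is (bronze), are mapped to a common schema and deduplicated by content hash (silver), then enriched from a constructed asset inventory and summarized (gold). The field names loosely follow OCSF top-level names (time, class_uid, severity_id, device.hostname, actor.user.name) but the mapping, the class_uid values and the severity numbers are assumptions for illustration, not a complete or validated OCSF mapping.

```python
"""Bronze -> silver -> gold over constructed security events.

Added example, not DataBee or Databricks code. Raw records land untouched
(bronze), are normalized to one schema and deduplicated (silver), then
enriched with asset-owner context and summarized (gold).
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Bronze: constructed raw events from two fictional tools with different
# schemas. The second EDR record is a forwarder duplicate of the first.
BRONZE = [
    {"source": "edr", "raw": '{"hostname":"WS-0142","event_time":"2024-03-01T10:05:00Z",'
                             '"user":"jdoe","action":"process_create","sev":"high"}'},
    {"source": "edr", "raw": '{"hostname":"WS-0142","event_time":"2024-03-01T10:05:00Z",'
                             '"user":"jdoe","action":"process_create","sev":"high"}'},
    {"source": "idp", "raw": '{"host":"ws-0142","ts":1709287560000,"username":"JDOE",'
                             '"outcome":"failure","risk":"medium"}'},
    {"source": "idp", "raw": '{"host":"srv-db-07","ts":1709287620000,"username":"svc_backup",'
                             '"outcome":"success","risk":"low"}'},
]

# Constructed asset inventory / org chart used as business context.
ASSETS = {
    "ws-0142": {"owner": "jdoe", "department": "Finance"},
    "srv-db-07": {"owner": "dba-team", "department": "IT Platforms"},
}

# Assumed mapping from each tool's severity words to an OCSF-like severity_id.
SEVERITY = {"low": 1, "medium": 3, "high": 4}


def _iso_to_epoch_ms(s):
    dt = datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def normalize(record):
    """Map one bronze record onto the common (silver) schema."""
    body = json.loads(record["raw"])
    if record["source"] == "edr":
        return {
            "time": _iso_to_epoch_ms(body["event_time"]),
            "class_uid": 1007,  # assumed: OCSF Process Activity
            "severity_id": SEVERITY[body["sev"]],
            "device": {"hostname": body["hostname"].lower()},
            "actor": {"user": {"name": body["user"].lower()}},
            "activity": body["action"],
            "product": "edr",
        }
    if record["source"] == "idp":
        return {
            "time": body["ts"],
            "class_uid": 3002,  # assumed: OCSF Authentication
            "severity_id": SEVERITY[body["risk"]],
            "device": {"hostname": body["host"].lower()},
            "actor": {"user": {"name": body["username"].lower()}},
            "activity": body["outcome"],
            "product": "idp",
        }
    raise ValueError(f"unknown source {record['source']!r}")


def build_silver(bronze):
    """Normalize every record and drop exact duplicates (hash of the canonical row)."""
    seen, silver = set(), []
    for rec in bronze:
        row = normalize(rec)
        key = hashlib.sha256(json.dumps(row, sort_keys=True).encode()).hexdigest()
        if key in seen:
            continue
        seen.add(key)
        silver.append(row)
    return sorted(silver, key=lambda r: r["time"])


def build_gold(silver, assets):
    """Attach owner/department from the asset inventory, then summarize."""
    enriched = []
    for row in silver:
        ctx = assets.get(row["device"]["hostname"], {"owner": "unknown", "department": "unknown"})
        enriched.append({**row, "owner": ctx["owner"], "department": ctx["department"]})
    by_dept = Counter(r["department"] for r in enriched)
    max_sev = {}
    for r in enriched:
        host = r["device"]["hostname"]
        max_sev[host] = max(max_sev.get(host, 0), r["severity_id"])
    return {"events": enriched, "events_by_department": dict(by_dept),
            "max_severity_by_host": max_sev}


if __name__ == "__main__":
    print(json.dumps(build_gold(build_silver(BRONZE), ASSETS), indent=2))
```

Two details matter for the point the post makes. Hostnames and usernames are case-folded in the silver layer so that the EDR's "WS-0142" and the identity provider's "ws-0142" resolve to the same asset, which is what lets the gold layer attribute both events to the Finance department and to one owner; and deduplication happens after normalization, so a duplicate delivered by a forwarder is dropped once rather than counted twice in every downstream model. In a real lakehouse each stage would be a table rather than a Python list, but the transformations are the same.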
Bad actors are evolving. They’re using advanced methods and AI/ML to improve their success rates. But cybersecurity teams are smart. Advanced threat hunters are expanding outside of generic out-of-the-box detections and using AI/ML to improve their success rate and operational efficiency. Plus, using AI/ML effectively also saves money by enabling threat hunting teams to scale, doing more hunts within the same set of resources in the same time frame.
Take your interest into practice and download the data-centric threat hunting guide that was created through interviews and insights shared by Comcast’s cybersecurity team.
Trick or threat: 5 tips to discovering — and thwarting — lateral movement with data
We know ghouls and ghosts aren’t the only things keeping you up this spooky season. Bad actors are getting smarter with their attacks, using tactics and techniques that baffle even the most seasoned cyber professionals.
Discovering — and thwarting — lateral movement can be particularly difficult because of disjointed but established software security tools that cannot always identify unwarranted access or privilege escalation. Many behaviors, like pivoting between computer systems, devices and applications, can appear as if they’re from a legitimate user, allowing bad actors to go undetected in environments.
Threat hunters are critical to exposing lateral movement activities. But much like hunting monsters in the dark, threat hunting using manual detection processes against large datasets is a scary task — one that is time-consuming and tedious. With the help of advanced tools like AI and machine learning (ML), hunters can analyze massive amounts of data quickly to pick up the faintest signals of nefarious activities. Data breach lifecycles have proven to be up to 108 days shorter compared to organizations that do not use some form of AI/ML in their practice. 1
Best practices for using AI/ML to detect lateral movement
At the end of the day, your threat hunters can still have the advantage. No one knows your environment better than you do. By building AI/ML models fueled by data from your environment, your threat hunters can detect — and ultimately thwart — lateral movement before the bad actors escalate further in the cyber kill chain.
Models, processes, and procedures are often bespoke, but a few time-tested best practices can accelerate threat detections and response. For lateral movement, this might look like using data about your users, their assets, and their business tool access to identify activities that indicate data exfiltration and espionage. Let's take a look at these best practices in the context of a lateral movement use case:
Store as much relevant data as possible for as long as possible. Investigating and finding evidence of lateral movement may require analyzing months or years of data because adversaries can be present but undetected for days, months — or even years. Raw and processed data, which has been deduplicated and contextualized, should be stored in an accessible, cost-effective data storage repository for threat hunters to run their queries.
Create baselines based on business facts and historical actions. Data scientists who work with business data should collaborate with threat hunters to develop and define baselines based on the hypothesis for a given use case. Typically, this means describing the environment or situation ‘right now’ and searching for deviations to indicate malicious activity. Creating proper baselines requires expertise to know what attributes and data points to use and how to use them. Regarding lateral movement, baselines should be based on factual and historical data reflecting business goals, past scenarios, hypotheses or triggers, and infrastructure conditions. Baselines created without context are meaningless.
Use the data with the best tools. Even with AI/ML, human interaction and judgment are still required. But data analysis doesn’t happen by itself. Data is often compiled and aggregated in a data lake, only to be ignored or underutilized. SIEMs can provide short-term storage and analysis of security data, but when you are threat hunting, you need more than just noisy security data. To get the best of both worlds, data transformation needs to be performed early in the pipeline so threat hunters have clean, enriched data they can trust and tools they are familiar with.
Produce accurate, data-driven reports. Producing meaningful KPIs and reports helps executive sponsors find value in threat hunting activities and encourages ongoing program investment. KPIs also help validate the efficacy of hunts even if nothing is found. For example, investigating a suspected lateral movement breach may have found no bad actor activity. Proper reporting underscores and validates that the hunt was done soundly and was backed by the baselines and KPIs.
Allocate a budget. Threat hunting can be an expensive and active cyber defense activity. When a trail is hot, hunters want to follow it. It’s important to allocate a budget for data storage, internal and outsourced resources, and multiple, compute-intensive queries. Creating a budget ensures that security teams have the resources they need when they need them most. “After the fact” prioritization once a breach or lateral movement has been detected will not only leave the organization at risk but will likely be a slow process or provide inaccurate findings. So, planning, as with any cybersecurity initiative, pays off.
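The baseline-and-deviation approach described in the best practices above, as an added example that is not part of the original post and not DataBee's own code: a per-user baseline of destination hosts is built from a historical window, then recent logon events are scored against that baseline and against business context (org chart and asset-owner records), and a hop chain (a user reaching host B from host A shortly after reaching A) is called out as a pivot indicator. All events, users, hosts and ownership records below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed history used to build the per-user baseline: user, source host, destination host, time.
HISTORY = [
    {"user": "alice", "src": "ws-alice", "dst": "fin-app01",   "time": _t("2024-02-01T09:00:00")},
    {"user": "alice", "src": "ws-alice", "dst": "fin-db01",    "time": _t("2024-02-02T09:10:00")},
    {"user": "bob",   "src": "ws-bob",   "dst": "eng-build01", "time": _t("2024-02-01T10:00:00")},
    {"user": "bob",   "src": "ws-bob",   "dst": "eng-jump01",  "time": _t("2024-02-03T10:30:00")},
]

# Constructed business context: org chart (user -> org unit) and asset owner (host -> org unit).
USER_ORG = {"alice": "finance", "bob": "engineering"}
ASSET_OWNER = {
    "ws-alice": "finance", "fin-app01": "finance", "fin-db01": "finance",
    "ws-bob": "engineering", "eng-build01": "engineering", "eng-jump01": "engineering",
}

# Constructed events for the hunt window. The last two are the suspicious ones.
RECENT = [
    {"user": "alice", "src": "ws-alice",    "dst": "fin-app01",   "time": _t("2024-03-01T09:00:00")},
    {"user": "bob",   "src": "ws-bob",      "dst": "eng-build01", "time": _t("2024-03-01T09:05:00")},
    {"user": "alice", "src": "ws-alice",    "dst": "eng-build01", "time": _t("2024-03-01T23:15:00")},
    {"user": "alice", "src": "eng-build01", "dst": "eng-jump01",  "time": _t("2024-03-01T23:22:00")},
]


def build_baseline(history):
    """Per-user set of destination hosts observed during the historical window."""
    baseline = defaultdict(set)
    for e in history:
        baseline[e["user"]].add(e["dst"])
    return baseline


def find_deviations(baseline, events, user_org, asset_owner, hop_window=timedelta(minutes=30)):
    """Return events that deviate from the baseline, each annotated with the reasons.

    Three hypothesis checks are applied: a destination the user has never reached before,
    a destination owned by a different org unit than the user, and a hop chain where the
    user's previous destination becomes the source of the next logon within hop_window.
    """
    flagged = []
    prior = defaultdict(list)  # user -> events already processed, in time order
    for e in sorted(events, key=lambda x: x["time"]):
        reasons = []
        if e["dst"] not in baseline.get(e["user"], set()):
            reasons.append("destination never seen for this user in the baseline")
        if asset_owner.get(e["dst"]) != user_org.get(e["user"]):
            reasons.append("destination owned by a different org unit than the user")
        for p in reversed(prior[e["user"]]):
            if e["time"] - p["time"] > hop_window:
                break  # older events cannot form a chain within the window
            if p["dst"] == e["src"]:
                reasons.append(f"hop chain {p['src']} -> {p['dst']} -> {e['dst']} within {hop_window}")
                break
        prior[e["user"]].append(e)
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_deviations(build_baseline(HISTORY), RECENT, USER_ORG, ASSET_OWNER):
        print(hit["time"].isoformat(), hit["user"], hit["src"], "->", hit["dst"])
        for r in hit["reasons"]:
            print("   ", r)
```

The org-unit check is what the post calls business context: without the asset-owner and org-chart records, alice's logon to eng-build01 is just an unfamiliar host, and a hunter would have to triage it by hand. In a real program the baseline window, the hop window and the ownership data would come from the retained dataset rather than from inline constants.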
Expert Insights: GRC and the Role of Data
Since I joined Comcast Technology Solutions (CTS) and the DataBee® team back in late March, I’ve been awed and challenged by how many different roles the DataBee data fabric platform is relevant to. Is it for security analysts? Threat hunters? Data scientists? GRC professionals? Yes, yes, yes and yes… essentially, DataBee is relevant to anyone in an organization who needs data to understand, protect and evolve the business.
Let’s get to know some of the amazing people who rely on data every day to do their jobs and help their organization be successful!
Governance, Risk & Compliance (GRC)
The function of GRC is critical – when it is correctly implemented, it is a business enabler and revenue-enhancer; when it is poorly managed or even non-existent, it can be a business inhibitor, leaving an organization vulnerable to compliance violations and increased cyberthreats.
GRC programs are a set of policies and technologies that align IT, privacy, and cybersecurity strategies with business objectives.
I recently had the good fortune of meeting Rob Rose, a Manager on the Cybersecurity and Privacy Compliance team here at Comcast, and I enjoyed my conversation with him so much that I immediately hit him up to be one of our spotlight experts.
Working to achieve a more secure privacy and cybersecurity risk posture
[LC] Rob, tell us about what you do as Manager, Cybersecurity and Privacy Compliance here at Comcast.
[RR] At the highest level, my role at Comcast is to help the company achieve a more secure privacy and cybersecurity risk posture. This takes shape as leading an initiative called ‘Controls Compliance Framework’ (CCF) which is broken down into two sister programs: ‘Security Controls Framework’ (SCF) and ‘Privacy Controls Framework’ (PCF). The team I lead creates a continuous controls monitoring (CCM) product that business units across Comcast can use to monitor their adherence to privacy and cybersecurity-related controls.
Creating, and maintaining, this product includes collaboration with multiple different teams in the company, starting with the process owners of each control activity that helps to mitigate risk (e.g., the Corporate User Access Review team):
Collaboration with process owners: My team first works with the process owners to understand how the process is designed and should operate, and what actions the various Business Units across Comcast are expected to complete.
Document requirements: We then learn from process owners how and where they store the data to support their control (e.g., Oracle Databases, ServiceNow, etc.) and from there we document requirements to bring to our development team.
Report on privacy and security posture: Once our development team has ingested all the disparate data from multiple process owners and developed our product based on the requirements we documented, we bring this product to Business Units, with the goal of providing them a single pane of glass view into their overall privacy and security posture.
GRC Challenges
[LC] What would you say are the 3 biggest challenges faced by GRC and compliance experts?
[RR] There are a few keys challenges that we run into as a GRC function, and fortunately, compliance data leveraged in the CCF program can address them.
Clean Data – the first issue is the cleanliness and usability of the data. As a GRC function, we rely on process owners throughout the company to provide us with data. Frequently, however, we see issues with both data cleanliness and ownership in the data that is provided to us. When we bring this data to Business Units, who work day in and day out with the assets they own, they often provide the feedback that there is something amiss in the data. This can be turned into a positive as we can bring this feedback back to the process owners, who can then clean up the data on their end, making the data quality better for the entire company.
Awareness – Often times when we alert Business Units of compliance actions that need their attention, we discover that they were unaware of these requirements. This awareness creates some ‘knowledge transfers’ that we must do to inform Business Units of the need for the actions, and the importance of the actions. This helps to increase the overall cybersecurity and privacy awareness of the Company.
Prioritization – Akin to point B, since Business Units are often not aware of the privacy and security related actions they need to take, they have not planned the resource capacity into their roadmap to complete those activities. Helping to prioritize which actions are ‘must do’ right now, as opposed to which actions can wait, has been something we’ve been working on with our program. To help with this, we’ve been driving towards risk-based compliance, noting that while all systems and assets need to meet cybersecurity requirements, certain systems and assets are a higher priority to meet these requirements based on the types of data that the system utilizes.
The rewards of the job
[LC] What are some of the most rewarding aspects of your job?
[RR] We’ve had some real success stories over the past few quarters where Business Units have gone from a non-compliant state to a highly compliant state. This has come from a combination of presenting Business Units with insights through data so they are aware of where they have gaps, and from helping them understand what actions they need to take. Seeing a Business Unit make this transition from non-compliant to compliant is incredibly rewarding, as we know that we’ve helped make the company more secure.
Collaboration
[LC] What other teams or roles do you interact with the most as you go about your job day-to-day?
[RR] As a GRC professional, we’re in a unique position where we interact with individuals at all levels of the business. This includes the first line of defense (Business Units), the second line of defense (process owners, Legal, other teams within Comcast Cybersecurity), and the third line of defense (Comcast Global Audit). We have the benefit of working with both very technical teams of developers and system architects, as well as with very process driven teams who define what requirements the company should be meeting. In addition, in our position, our team works with top level executives from a reporting standpoint, as well as the front line workers who are actually implementing changes to systems and applications to make the company more secure!
The role of data in GRC
[LC] How do you use data in your job, and what type of data do you rely on?
[RR] As a GRC professional, the ability to have clean data provided to us is the keystone to our success. The Controls Compliance Framework product my team and I work on is dependent on data coming in from disparate data sources so we can cleanse and aggregate it to provide meaningful insights to Business Units.
At the highest level, you can break down the types of data that we need into a few different categories:
Application data: What applications exist in the environment, who owns those applications, and what level of risk does the application present -- e.g., does the application use customer data, proprietary Comcast data, etc? Does the application go through User Access Reviews on a set frequency, and has it been assessed to confirm it was developed in a secure way?
Infrastructure: What underlying assets or infrastructure support those applications? What servers are used to run the application? Are they in the cloud or on-prem? What operating system is the server running? Is the server hardened, scanned for vulnerabilities, and does the server have the necessary endpoint agents on it (e.g., EDR)?
Vendor information: What vendors do we engage with as an aspect of our business, what data do we share with the vendor, and what assessments have been completed to confirm the vendor will handle that data securely?
For each of these types of data, we also need data to support the completion of the processes around that data. Have all assessments been done on the application, asset, vendor, and do they meet all the required controls?
As you can imagine, these data sources are all in different locations. One of the key aspects of the program we run is to pull all of this data into one location and provide it in a single pane of glass view for business units so they can have one easy location to go to to understand their risk posture.
The GRC questions that data helps answer
[LC] Can you give us an example of the kinds of questions you’re looking to answer [or problems you’re looking to solve] with data?
[RR] The biggest question I’m looking to answer as a risk professional is what the overall risk posture of the company is. Do we have a lot of unmitigated risk that could expose us to issues, or are we generally covered? This question is most easily answered with the data that was described above (the role of data in GRC).
GRC vs. Compliance
[LC] How would you describe the difference between GRC and compliance? Or are they one-and-the-same?
[RR] The ‘C’ in ‘GRC’ stands for Compliance. Compliance is a huge piece of what I do as a GRC professional. Making sure that the company is complying with the necessary standards and policies (compliance) and lessening the exposure we have as a company and the impact of that exposure (risk) is pretty much what my entire day is filled with! We then present these insights to executives so they can be aware and take action to adhere to standards and policies as needed (governance).
A random data point about our GRC expert
[LC] Rob, if you could go back in time and meet any historical figure, who would it be and why?
[RR] Wow, this is a tough one that I think could change day by day. I recently took a trip to Rome and we visited the Sistine Chapel while we were there. I was in such awe of the work that Michelangelo did. I think I’d like to meet someone like Michelangelo as the arts are an area that is so foreign to me and how I think. I’d love to pick his brain to find out if he knew what he was creating would be a work that was revered and visited by millions of people for centuries to come, to understand his artistic thought process, and to learn more about his life.
Parting words of wisdom
[LC] Any other words of wisdom to share?
[RR] To my other GRC colleagues out there, I am sure you run into the same struggles of trying to get Business Units to comply with internal company policies and standards. The implementation of data-driven tools has made it significantly easier to assist BUs in becoming compliant. The feedback that we’ve gotten is that utilizing data, and putting it in a simple and straightforward tool, has helped to ‘make compliance easy’. Let’s all keep striving to find ways to make it as easy on the people whose main job is not compliance to fit compliance into their work!
DataBee for GRC
As Rob mentions, the Comcast GRC team is charged with pulling all kinds of data – application, infrastructure and vendor data -- into one location, essentially providing a “single pane of glass view” to Business Units, making it easy for these Business Units to see and understand their risk posture. The GRC team uses the internally developed data fabric platform that DataBee is based on to do this, and its use has helped to drive those improved compliance rates that Rob mentioned, as well as other improvements in Comcast’s overall compliance and security posture. (An aside – I think that’s pretty cool.)
DataBee v1.5 was recently launched, and with it a continuous controls monitoring (CCM) capability that provides deep insights into the performance of controls across the organization, identifying control gaps and offering actionable remediation guidance. Check out the CCM Solution Brief to learn more.
Thanks to Rob for a great interview!
Making cybersecurity continuous controls monitoring (CCM) a reality with DataBee 1.5
Exciting innovations are a-buzz! Today, DataBee® v1.5 is now generally available and features a host of new continuous controls monitoring (CCM) capabilities on top of the DataBee security data fabric that puts your data at the center for dynamic, detail-rich compliance metrics and reports.
As more businesses become digital-first, business leaders are leaning in and placing more importance on cyber-risk programs. In addition to pressure from regulators, internal auditors and KPIs are keeping security and risk management teams up at night. The lack of reporting capabilities that can show real-time compliance trends over time, on a consistent data set, have analysts scrambling to collect data and test controls that will only be evaluated in the latest audit, instead of focusing on sustainable programs and insights.
Putting continuous in continuous controls monitoring
DataBee 1.5 introduces a data-centric approach to continuous controls monitoring (CCM) for the security, risk, and compliance data fabric platform. By focusing upstream on the data pipeline, DataBee weaves together security data sources with asset owner details and organizational hierarchy information, breaking down data siloes and adding valuable context to cyber-risk reports and metrics.
From executives to governance, risk, and compliance (GRC) analysts, DataBee delivers a dynamic and reliable single source of truth by connecting and enriching data insights to measure CCM outcomes. Comcast has experienced first-hand the security data fabric journey, and DataBee 1.5 brings to market the innovations from our internal tool – including feeds, dashboards, and visualizations – to your organization so you can scale your continuous controls services program.
In this example, Will Hollis, an Executive VP of ACME Studios, views the security posture of his organization using DataBee’s Executive KPI Dashboard.
Verifiable data trust
The robust platform features 14 pre-built CCM dashboards, aligned to the NIST Cybersecurity Framework, and the ability to self-define KPI values – or use DataBee recommended values. Risk scores are populated using underlying data sources collected and enriched by DataBee. Users can see in detail where and how the data is used when hovering over the score. The completeness, accuracy, and timeliness of the data in the dashboards builds trust in CCM reporting and leads to accountability amongst business leaders. After all, data trust gives you wider adoption of your cyber-risk program throughout the business.
DataBee gives you insights into how the scores are provided
Operational efficiency
A benefit of having data at the center of your CCM program is that it streamlines engagement models with control owners. Previously GRC teams had the tedious task of scanning a variety of data sources – nearly all of which they did not have control over – and having fragmented conversations with different stakeholders. With DataBee, instead of hearing from your GRC teams infrequently and during urgent events, there is a continuous feedback loop built on the quality of data and actionable insights. Another benefit is the ability to measure the effectiveness of cyber-risk investments and programs.
Proactive risk management
The ever-evolving threat landscape and regulatory constraints are a nightmare to deal with for any GRC team at any scale. DataBee’s CCM capabilities deliver deeper insights about risks and inefficiencies, providing recommendations for resolution and hierarchy information to proactively reach out to control and asset owners. In the screenshot below, users can drill down to the granular details from their vulnerability management dashboards and find solution recommendations to resolve issues quickly. Teams throughout the business can focus on closing gaps instead of finding them, enabling the business to remain in compliance with internal and external requirements.
Drill into the vulnerability management details to find out how to resolve issues.
Get started with DataBee
Continuous controls monitoring is a game changer for security transformation and outcomes. DataBee, from Comcast Technology Solutions, is thrilled to deliver data-centric CCM capabilities that scale for businesses of all sizes. Watch our DataBee 1.5 announcement to hear from Nicole Bucala, Yasmine Abdillahi, and Erin Hamm about the product journey. Want to get started right away? Email us at CTS-Cyber@comcast.com and check out our AWS Marketplace Listing.
Comcast (DataBee) at Black Hat? Yes!
The DataBee® team can’t help but have a little fun with the fact that Comcast is not exactly one of the first companies you think of when you think “cybersecurity”. Comcast has attended Black Hat in the past, but this is the first time we are debuting a cybersecurity solution for large enterprises – the DataBee security data fabric platform, which is poised to transform, for the better, the way enterprises currently collect, correlate and enrich security and compliance data.
This was the 26th year of Black Hat USA but despite how many security vendors there are serving the market – a reported 3,500 in the US alone, 300 of whom were on the show floor – “security data chaos” (a term we love to use because it’s such an accurate description) remains a very real and difficult problem. Our discussions with booth visitors validated that it’s still very labor and cost-intensive to bring together the security data teams need to understand the threats that might be imminent or already wreaking havoc. When we would tell the DataBee story, there was a lot of head nodding.
From booth discussions to participation in a major industry announcement and the Dark Reading News Desk, the DataBee team took advantage of being at Black Hat to raise awareness of the security data problem and how we’re uniquely addressing it. A few highlights include:
The Open Cybersecurity Schema Framework (OCSF) announcement
On Tuesday, August 8, DataBee was included in the announcement, OCSF Celebrates First Anniversary with the Launch of a New Open Data Schema:
The Open Cybersecurity Schema Framework (OCSF), an open-source project established to remove security data silos and standardize event formats across vendors and applications, announced today the general availability of its vendor-agnostic security schema. OCSF delivers an open and extensible framework that organizations can integrate into any environment, application or solution to complement existing security standards and processes. Security solutions that utilize the OCSF schema produce data in the same consistent format, so security teams can save time and effort on normalizing the data and get to analyzing it sooner, accelerating time-to-detection.
OCSF is a schema that DataBee has standardized on to make data inherently more usable to a security analyst. It also enables out-of-the-box relationships and correlations within a customer’s preferred visualization tool, such as Power BI or Tableau. (For more on this, check out the DataBee product sheet.)
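What "normalizing the data" into a common schema and "parsing and deduplicating multiple datasets" (from the threat hunting post above) look like in practice, as an added example that is neither DataBee's code nor OCSF project code: the same logons are reported by two constructed tools in two different formats (key=value text with ISO timestamps, and JSON with epoch milliseconds), each is mapped to one normalized record, and records that describe the same event are merged. The field names follow OCSF's Authentication event class as I understand the v1.x schema (class_uid 3002, epoch-millisecond `time`, `status_id`, `user`, `src_endpoint`, `dst_endpoint`, `metadata.product`); verify them against the schema version you target. The `sources` field is my own extension, not an OCSF attribute, and all log lines and values are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample input: the same logons as reported by two different tools.
VENDOR_A_LINES = [
    "2024-03-01T08:00:00Z LOGON user=alice src=10.0.0.5 dst=fin-app01 result=success",
    "2024-03-01T08:05:00Z LOGON user=alice src=10.0.0.5 dst=eng-build01 result=failure",
]
VENDOR_B_RECORDS = [
    json.dumps({"ts": 1709280000000, "account": "ALICE", "source_ip": "10.0.0.5", "target": "fin-app01", "outcome": "OK"}),
    json.dumps({"ts": 1709280300000, "account": "alice", "source_ip": "10.0.0.5", "target": "eng-build01", "outcome": "FAIL"}),
    json.dumps({"ts": 1709280600000, "account": "bob", "source_ip": "10.0.0.9", "target": "fin-db01", "outcome": "OK"}),
]

AUTHENTICATION_CLASS_UID = 3002  # OCSF Authentication class (IAM category), as I understand v1.x; verify for your version
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2


def make_event(t, user, src_ip, dst_host, success, product):
    """Build one normalized record. 'sources' is a local extension, not an OCSF attribute."""
    return {
        "class_uid": AUTHENTICATION_CLASS_UID,
        "activity_id": ACTIVITY_LOGON,
        "time": int(t.timestamp() * 1000),       # OCSF 'time' is epoch milliseconds
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "user": {"name": user.lower()},           # canonicalise case so both tools agree on identity
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"hostname": dst_host},
        "metadata": {"product": {"name": product}},
        "sources": [product],                     # extension: every tool that reported this event
    }


def normalize_vendor_a(line):
    """Parse 'ISO-time ACTION key=value ...' text lines (constructed vendor A format)."""
    ts, _action, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return make_event(t, kv["user"], kv["src"], kv["dst"], kv["result"] == "success", "vendor-a")


def normalize_vendor_b(record):
    """Parse JSON records with epoch-millisecond timestamps (constructed vendor B format)."""
    rec = json.loads(record)
    t = datetime.fromtimestamp(rec["ts"] / 1000, tz=timezone.utc)
    return make_event(t, rec["account"], rec["source_ip"], rec["target"], rec["outcome"] == "OK", "vendor-b")


def dedup_key(ev):
    """Identity of an event once normalized: same instant, activity, outcome, user, source and target."""
    return (ev["time"], ev["activity_id"], ev["status_id"], ev["user"]["name"],
            ev["src_endpoint"]["ip"], ev["dst_endpoint"]["hostname"])


def normalize_and_dedupe(a_lines, b_records):
    """Normalize both feeds, merge records that describe the same event, return them in time order."""
    merged = {}
    for ev in [normalize_vendor_a(l) for l in a_lines] + [normalize_vendor_b(r) for r in b_records]:
        key = dedup_key(ev)
        if key in merged:
            merged[key]["sources"].extend(s for s in ev["sources"] if s not in merged[key]["sources"])
        else:
            merged[key] = ev
    return sorted(merged.values(), key=lambda e: e["time"])


if __name__ == "__main__":
    for ev in normalize_and_dedupe(VENDOR_A_LINES, VENDOR_B_RECORDS):
        print(json.dumps(ev))
```

Two details carry the value here: timestamps are converted to one representation before the dedup key is computed, so the ISO string and the epoch value collapse into the same event, and the merge keeps track of which tools saw the event rather than discarding the duplicate, since a logon seen by the endpoint agent but not by the directory server is itself a signal a hunter may want to query later.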
Matt Tharp, who leads field architecture for DataBee, has contributed to the OCSF framework and was quoted in the announcement alongside leaders from Splunk, AWS and IBM, among others. Coverage of the announcement included this piece in Forbes.
Dark Reading News Desk
At the Dark Reading News Desk, Matt was joined by Noopur Davis, EVP and Chief Information Security & Product Privacy Officer at Comcast, for a great discussion with contributing editor Terry Sweeney on the topic of the big data challenge in security. Noopur and her cybersecurity team developed the security data fabric platform that DataBee is based on, and Matt—as an architect of DataBee—is part of the team bringing the commercial solution to market.
They discussed topics including: the challenge that big data creates for security teams; how Comcast has gone about addressing this issue; what a security data fabric is and how this approach differs from other solutions such as security information and event management (SIEM) systems; where and how a security data fabric and a data lake intersect; and what the customer response to DataBee has been so far.
The video of this discussion is a great way to understand DataBee’s origin story and the very real benefits that Comcast has gotten from building and using a security data fabric platform. Following in the internal solution’s footsteps, DataBee—unlike other security products—is designed to handle environments on the scale of large enterprises like Comcast.
DataBee in a minute and 39 seconds
The concept of a security data fabric platform is new and it’s a little on the complex side. So leading up to the Black Hat show, the DataBee team created an animated “explainer” video that brings to life what DataBee is, how it works and the key benefits it brings to different roles:
GRC teams can validate security controls and address non-compliance
Data teams can accelerate AI initiatives and unlock business insights
Security teams can quickly discover and stop threats
If you were at Black Hat and need a refresher, or if you’re learning about DataBee for the first time, this short video provides a great high-level introduction.
While DataBee has other use cases besides security, this is a market, and a critical capability, in need of a better way to manage all of the data that’s relevant to understanding an organization’s real security, risk and compliance posture.
Will we be back at Black Hat in 2024? You betcha.
In the meantime, learn more or schedule a customized demo of DataBee today.
Additional resources:
Read Noopur’s blog It’s Time to Bring Digital Transformation to Cybersecurity
See how DataBee can be used for continuous controls assurance
Check out the DataBee website
It’s Time to Bring Digital Transformation to Cybersecurity
Recently, I’ve been thinking a lot about cybersecurity in the age of digital transformation.
As enterprises have implemented digital transformation initiatives, one of the great—albeit challenging—outcomes has been data: tons and tons of data, often referred to as “big data”. Storing, managing and making all of that data accessible to many different users can be expensive and non-trivial, but all that big data is gold. I know first-hand how valuable big data is to understand the health of the business; the insights provided by all this data enables an enterprise to continually adapt as needed to meet customer needs, to remain competitive, and to innovate.
Security has been left behind
Security has largely been left behind when it comes to digital transformation. While our counterparts in other areas of the business are using data lakes and mining rich data sets for actionable intelligence, security leaders and teams are still having to work way too hard to piece together a comprehensive view of threats across the organization. Data is the currency of the 21st century – it helps you examine the past, react to the present, and predict the future. Yet, too many security products are producing too much security data in silos; it’s difficult, at best, to bring all of this data together for a unified view of what’s really happening. Because of the constantly-changing threat landscape—exacerbated by everything from the global pandemic to the Russia/Ukraine war to new technology developments such as generative AI (which can also be used for good)—new security tools and capabilities to address the latest threats just keep getting added to the mix, like band-aids on new wounds.
If you do a search for “the average number of security products in the enterprise security stack”, you’ll get answers that range from 45, to 76, to 130 – the number is large and the tools are many. (Tempting as it is, I won’t share how many externally developed security tools we’re using in the Comcast environment.) There are products for data protection, risk and compliance, identity management, application security, security operations, network, endpoint and data center security, cloud security, IoT and more. (While a few years old, the Optiv cybersecurity technology map provides a glimpse at how big and daunting this space is.) A security information and event management (SIEM) solution can help by collecting and analyzing the log and event data generated by many of these security tools. SIEMs are wonderful and provide essential functions, but they are expensive, not ideal for simultaneous, parallel compute, and do not really “set the data free” for long term storage, elastic expansion, and use by multiple personas.
This is the age of digital transformation for cybersecurity
“Digitalisation is not, as is commonly suggested, simply the implementation of more technology systems. A genuine digital transformation project involves fundamentally rethinking business models and processes, rather than tinkering with or enhancing traditional methods.” (ZDNet)
No more security data silos… it’s time for us to apply the tenets of digital transformation to security. We tackled that challenge here at Comcast and the results have been impressive. With a workforce of over 150,000, tens of millions of customers, and critical infrastructure at scale, we have a lot to secure. We also have millions of sensors deployed through our ecosystem, providing potentially rich insights. As digital transformation demands, we took a fresh look at our cybersecurity program and came up with a new approach to consolidating, analyzing and managing our security data that has resulted in millions of dollars in cost savings and, even more importantly, the ability to bring together vast amounts of clean, actionable and easy-to-use security data. And not just security data – we enrich security data with lots of other enterprise data to enable even deeper insights.
Applying the data fabric approach to security
How did we do it? We built on the idea of a data fabric – “an emerging data management design for attaining flexible, reusable and augmented data integration pipelines, services and semantics.” The outcome is a cloud-native security data fabric that has integrated security data from across our security stack and millions of sensors, enriched by enterprise data, enabling us to cost-effectively store over 10 petabytes of data with hot retention for over a year and allowing us to provide a ‘single source of truth’ to all of the functions that need access to this data for security, risk and compliance management.
“By 2024, data fabric deployments will quadruple efficiency in data utilization, while cutting human-driven data management tasks in half.”
Source: Gartner® e-book, Understand the Role of Data Fabric, Guide 4 of 5, 2022
Comcast’s security data fabric solution ingests data from multiple feeds, then aggregates, compresses, standardizes, enriches, correlates, and normalizes that data before transferring a full time-series dataset to our security data lake built on Snowflake. Once that enriched data is available, the use cases are endless: continuous controls assurance, threat hunting, new detections, understanding and baselining behaviors, useful risk models, asset discovery, AI/ML models, and much more. The questions we dare to ask ourselves become more audacious each day.
My dream was to have vast amounts of relevant security data easily actionable within minutes and hours—not days or weeks—and we’ve achieved that using a security data fabric. We’re able to do continual “health checks” on our business and security posture and adapt quickly as threats and business conditions change. Security is a journey, and we are always looking for ways to improve – our security data fabric helps us in that journey. And in doing so, it has made us a part of the digital transformation journey of our entire corporation.
Fast-track the transformation of your security program
The security data fabric that has proven so beneficial to Comcast’s cybersecurity program is being commercialized and offered to large enterprises in a solution we call DataBee®, available through Comcast Technology Solutions. If you’re interested in taking a fresh look at your cybersecurity program with an eye towards digital transformation, check out DataBee and consider using a security data fabric to deliver the big data insights you need to stay ahead of the ever-evolving threat and compliance landscape.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
DataBee is growing fast – join us!
Let’s get right to the point: we’re growing fast and looking for great minds to come with us.
In April, CTS launched DataBee® – Comcast’s innovative cloud-native security, risk and compliance data fabric platform. The original concept of DataBee was designed by Comcast’s CISO organization to gain more security insights from data generated throughout the business and to validate the efficacy of our security programs. And we’re excited to share the benefits of DataBee with other organizations. As Nicole Bucala, our VP and GM of Cybersecurity said in this blog, DataBee “is solving a problem I’d seen vendors try to address, unsuccessfully, for years: the desire to centralize security, compliance, and business data neatly, sorted and combined elegantly in a single place, from which insights could be derived and actions to be taken.”
Since launch, not only has DataBee gotten a lot of buzz (pun intended), but we continue to identify more use cases that can benefit from it. As a result, Comcast is investing heavily into the future of DataBee, and we’re inviting you to explore a place on our expanding team.
Comcast: a career – and company – you can be proud of
Comcast Technology Solutions is a fantastic place for bright minds and forward-thinkers looking to innovate and evolve with a company they can be proud of. As part of Comcast NBCUniversal, you’ll be joining one of the strongest, most forward-thinking companies in the world, with a multitude of ways to collaborate and evolve your own career path. We’re not just resting on our laurels as a Fortune 40 company – Comcast NBCUniversal has a proud heritage of employee satisfaction, environmental action, and community support:
93% of our employees rate us as a Great Place to Work.
2023 is our tenth consecutive year on the Points of Light Civic 50 list of community-minded companies.
DiversityInc. has recognized us as a Top 20 company for inclusion.
LinkedIn ranks us as #13 in their list of top companies to work for.
Open positions: just a start
Creative thinkers and great “people people” are expanding DataBee’s reach across complex industries that need a better way to not only protect themselves, but to do more with their data. Our engineering and sales teams are thriving with professionals who are building the future of data.
Our current open positions:
Strategic Account Executive (Virtual)
Cybersecurity Field GRC Architect (Colorado, Virtual)
Cybersecurity Software Developer (Virtual)
Principal DevOps Engineer (Virtual)
Principal DevOps Engineer (Virtual)
UI Full Stack Developer (Virtual)
UI Full Stack Developer (Virtual)
Cybersecurity Platform Engineer (Virtual)
Sr. Manager Development Operations (Virtual)
Data Solutions Engineer (Virtual)
Cybersecurity Principal SaaS Architect (Virtual)
Cybersecurity Data Scientist Manager (Virtual)
Cybersecurity Data Analysis Manager (Virtual)
Cybersecurity Dataflow Software Engineering Manager (Virtual)
Senior Director Product Manager, Data Fabric Platform (Virtual)
Director Product Manager, Data Fabric (Virtual)
Please don’t hesitate to reach out to me personally on LinkedIn – we can talk about DataBee’s plans, your career goals, and where we might find a place to work together. There’s a lot more to come; DataBee is just starting to take flight.
Introducing DataBee: Sweetening the Security, Risk and Compliance Challenges of the Large Enterprise
Today, the Comcast Technology Solutions (CTS) cybersecurity business unit announced DataBee®, a cloud native security, risk and compliance data fabric platform. DataBee marks the first “home grown” product from this business unit and – like the other great products and platforms offered across the CTS suite – brings to market a solution originally developed for Comcast’s own use.
A security data fabric built by security professionals for security professionals
At its essence, DataBee weaves together disparate security data from across your technology stack into a single fabric where it is standardized, sharable, and searchable for analyses, monitoring, and reporting at scale. While the concept of a data fabric has been around for some time, you may not have yet come across a “security data fabric.” That’s because it’s time to bring security into the data fabric equation.
DataBee was inspired by Comcast’s internal security and compliance teams. The proliferation of cybersecurity tools, each producing large volumes of data, made it difficult to combine that data into a unified view: it sat in silos and was costly to store and analyze. In much the same way a data fabric is used to streamline access to and sharing of data in distributed data environments, the DataBee security data fabric combines data sources, data sets, and controls from various security tools to bring security data into the organization’s global data strategy.
After data is taken in from all the various feeds, DataBee aggregates, compresses, standardizes, enriches, correlates and normalizes it before transferring a full historical, time-series dataset to a data lake where data is stored. Enter Snowflake…
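As an added example, not DataBee’s own code or schema, here is the shape of that pipeline in miniature (it also illustrates the same ingest-normalize-enrich-correlate flow described in the earlier post on Comcast’s internal data fabric): two constructed vendor feeds, a JSON alert from a hypothetical EDR and a key=value line from a hypothetical firewall, are parsed into one common schema with UTC epoch timestamps, enriched from a constructed asset inventory, sorted into time order, and chained by source IP as a minimal correlation step. The vendor formats, field names and the asset table are all assumptions.

```python
"""Added example (not DataBee code): normalize two constructed vendor feeds into
one time-series schema, enrich from an asset inventory, and chain related events."""
import json
import re
from datetime import datetime, timezone

# Constructed sample events in two made-up vendor formats (assumptions).
RAW_EVENTS = [
    ("vendor_edr", '{"ts": "2023-04-26T08:30:15Z", "host": "WS-0042", "user": "jdoe", '
                   '"severity": "high", "rule": "credential_dumping", "src": "10.1.2.3"}'),
    ("vendor_fw", "Apr 26 2023 08:31:02 UTC src=10.1.2.3 dst=203.0.113.9 dport=443 action=allow bytes=48213"),
]

# Constructed asset inventory used for enrichment (assumption).
ASSETS = {
    "10.1.2.3": {"hostname": "WS-0042", "owner": "jdoe", "business_unit": "finance", "edr_installed": True},
}

def _epoch(dt):
    """Every source is converted to UTC epoch seconds so rows sort and join cleanly."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def parse_edr(raw):
    d = json.loads(raw)
    return {
        "time": _epoch(datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")),
        "source": "vendor_edr", "event_type": "alert",
        "src_ip": d["src"], "dst_ip": None, "user": d["user"],
        "severity": d["severity"], "detail": d["rule"],
    }

FW_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) UTC (?P<kv>.*)$")

def parse_fw(raw):
    m = FW_RE.match(raw)
    if not m:
        raise ValueError("unrecognized firewall line: " + raw)
    kv = dict(p.split("=", 1) for p in m.group("kv").split())
    return {
        "time": _epoch(datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")),
        "source": "vendor_fw", "event_type": "network_" + kv["action"],
        "src_ip": kv["src"], "dst_ip": kv["dst"], "user": None,
        "severity": "info", "detail": "dport=%s bytes=%s" % (kv["dport"], kv["bytes"]),
    }

PARSERS = {"vendor_edr": parse_edr, "vendor_fw": parse_fw}

def normalize(source, raw):
    """Parse into the common schema, then enrich with asset context; a firewall
    line that carries no user gets the asset owner so it can be joined to the alert."""
    ev = PARSERS[source](raw)
    asset = ASSETS.get(ev["src_ip"], {})
    ev["hostname"] = asset.get("hostname")
    ev["business_unit"] = asset.get("business_unit")
    ev["edr_installed"] = asset.get("edr_installed", False)
    if ev["user"] is None:
        ev["user"] = asset.get("owner")
    return ev

def build_dataset(raw_events):
    """Return the normalized, enriched rows in time order (the time-series dataset)."""
    rows = [normalize(src, raw) for src, raw in raw_events]
    rows.sort(key=lambda r: r["time"])
    return rows

def correlate(rows, window_s=120):
    """Chain events from the same source IP that fall within window_s seconds of
    the chain's first event; a minimal correlation step over the sorted rows."""
    chains = []
    for r in rows:
        for c in chains:
            if c["src_ip"] == r["src_ip"] and r["time"] - c["start"] <= window_s:
                c["events"].append(r["event_type"])
                break
        else:
            chains.append({"src_ip": r["src_ip"], "start": r["time"], "events": [r["event_type"]]})
    return chains

if __name__ == "__main__":
    dataset = build_dataset(RAW_EVENTS)
    for row in dataset:
        print(json.dumps(row))
    print(correlate(dataset))
```

The point of the enrichment step is visible in the firewall row: on its own it says only that 10.1.2.3 talked to 203.0.113.9, but after the asset join it carries the same user and business unit as the EDR alert 47 seconds earlier, so the two land in one chain that an analyst or a query can pick up directly.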
DataBee delivers a security data fabric for customers on the Snowflake Data Cloud
With Comcast Technology Solutions’ launch of DataBee, we’re proud to announce a strategic partnership with Snowflake, the Data Cloud company. DataBee is integrated with Snowflake, enabling customers to quickly and easily connect DataBee to their Snowflake instance where data is stored and processed.
The unique architecture of the Snowflake platform separates “compute” from “storage”, enabling organizations to scale up or down as needed, and store and analyze large volumes of data in a cost-effective way. This not only reduces costs but also provides flexibility, speed, and scalability, making it an ideal choice for storing security data.
After DataBee parses, flattens, and normalizes data for analysis, Snowflake’s platform is able to store substantial volumes of data for an extended period of time—historically a big challenge for cybersecurity solution providers—while driving down costs and maintaining high performance. Robust analytics enable teams across the organization to use the same dataset for high-fidelity analysis, decisioning, response, and assurance outcomes without worrying about retention limits.
Normalized and enriched data from Snowflake can be exported into a customer’s business intelligence (BI) tool such as Tableau or PowerBI, generating more actionable reporting and metrics. Threat hunters also experience enhanced capabilities by using the same, clean data with tools of their choice, such as Jupyter Notebooks, enabling them to identify real threats faster as they conduct their investigation across large-scale datasets. Further, the enriched data from DataBee can be joined with additional datasets from the Snowflake Marketplace to derive additional insights.
DataBee provides security, risk and compliance capabilities for customers looking to create a security data lake strategy with their cloud data platform.
Cloud-native security and compliance data fabric at scale
Enabling a unified global data strategy with DataBee
DataBee combines the business context needed by security, risk and compliance teams to protect an organization’s people and assets. These teams include threat hunters, data scientists, security operations center (SOC) analysts, compliance and audit specialists, and incident responders. This unified view of critical security data with business context enables people in these roles to rapidly identify real threats and manage compliance.
Some use cases include:
Compliance: Continuous controls assurance for security controls such as Endpoint Detection and Response (EDR) coverage, asset management, and vulnerability management. DataBee provides near real-time visibility into an organization’s compliance and risk posture.
Threat Hunting: Faster time-to-detection, with threat hunters able to conduct automated and deeper searches and to run multiple hunts at once.
Data Modeling: Support for building machine learning models. DataBee gives threat detection teams time-series data for machine-learning-based detections.
SIEM Decoupling: Separate the storage of data that typically goes into a SIEM from your analytical layer. Cleansing data upstream reduces SIEM ingest cost and makes analysis faster.
Behavior Baselining with Anomaly Detection: With your data in a clean, sharable, and usable format, security teams can readily understand user and device behavior and rapidly detect and act on anomalies.
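An added example of the behavior baselining use case (illustrative code, not DataBee’s): given per-user daily counts of distinct hosts each user authenticated to, the kind of aggregate a count-distinct query over the normalized dataset would return, it builds a rolling baseline per user and flags a day that is both several standard deviations above that baseline and above an absolute floor, so a user going from one host to two is not flagged while a user going from two or three to fifteen is. Users with too little history are skipped rather than scored against a meaningless baseline. The counts, window and thresholds are constructed.

```python
"""Added example (not DataBee code): per-user behavior baseline with anomaly detection
over daily aggregates drawn from a normalized security dataset."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily counts of distinct hosts each user authenticated to, i.e. the
# result a count-distinct query over normalized logon events would return.
DAILY_HOST_COUNTS = [
    ("2023-04-17", "jdoe", 2), ("2023-04-18", "jdoe", 3), ("2023-04-19", "jdoe", 2),
    ("2023-04-20", "jdoe", 2), ("2023-04-21", "jdoe", 3), ("2023-04-22", "jdoe", 2),
    ("2023-04-23", "jdoe", 3), ("2023-04-24", "jdoe", 15),
    ("2023-04-17", "asmith", 5), ("2023-04-18", "asmith", 5), ("2023-04-19", "asmith", 5),
    ("2023-04-20", "asmith", 5), ("2023-04-21", "asmith", 5), ("2023-04-22", "asmith", 5),
    ("2023-04-23", "asmith", 6), ("2023-04-24", "asmith", 6),
    ("2023-04-22", "newhire", 1), ("2023-04-23", "newhire", 2), ("2023-04-24", "newhire", 20),
]

def detect_anomalies(rows, history_days=7, min_history=5, z=3.0, min_delta=3):
    """Score each observation against that user's trailing window.

    A day is flagged only when it exceeds mean + z * stdev AND exceeds the mean by
    at least min_delta: the absolute floor stops a flat history (stdev 0) from
    flagging every tiny change. Users with fewer than min_history prior days are
    skipped (warm-up) instead of being scored against a meaningless baseline.
    """
    per_user = defaultdict(list)
    for day, user, n in sorted(rows):
        per_user[user].append((day, n))
    findings = []
    for user, series in per_user.items():
        for i, (day, n) in enumerate(series):
            history = [v for _, v in series[max(0, i - history_days):i]]
            if len(history) < min_history:
                continue
            mu, sigma = mean(history), pstdev(history)
            if n > mu + z * sigma and n - mu >= min_delta:
                findings.append({"day": day, "user": user, "value": n,
                                 "baseline_mean": round(mu, 2), "baseline_stdev": round(sigma, 2)})
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(DAILY_HOST_COUNTS):
        print(finding)
```

With the defaults only jdoe’s jump to 15 hosts is reported; asmith’s move from 5 to 6 stays under the floor, and newhire is in warm-up. Lowering min_history to 2 makes newhire’s 20 hosts show up too, which is the trade-off between catching early-tenure abuse and scoring people against two days of history.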
The real-world benefits of a security data fabric
The security data fabric architecture built and implemented by Comcast’s security team has yielded impressive results for the broader security, risk and compliance teams across the organization. In our own use we saw:
Daily data throughput reductions in our SIEM resulting in a 30% decrease in the cost of our security operations
3x faster threat detection
35% noise reduction in the data sets users work with
Faster compliance answers as a result of streamlined compliance reporting and automated queries
These results show the impact that bridging the worlds of data and security can have on an organization, and we want other enterprises to see the same benefits through DataBee. When organizations have clean, sharable data that adds business context to security events, security teams can identify and detect real threats quickly, and compliance teams can validate and achieve continuous compliance assurance while reducing costs for data storage and SIEM throughput. By bringing the data fabric into the enterprise security tool chest, DataBee improves an organization’s security, risk and compliance posture.
Indeed, security is now all about the data. Businesses have made significant investments in their security teams and the solutions they use to protect the business. However, if all of these tools are working in silos and independent of the larger business context, they will still be inadequate at detecting and protecting an organization from cyberthreats.
By bringing security under their global data strategy, organizations gain more actionable insights, fewer false positive findings, the ability to conduct threat hunting across large-scale data sets, and near real-time visibility into their compliance and risk posture.
Meet DataBee at RSA
The DataBee team will be hosting exclusive events and meetings during the RSA Conference in San Francisco. Check out our itinerary:
A Recipe for Security Data Lake Success, a breakfast event on April 26, 2023 at 8:30am
Request a meeting with the DataBee executive team
Learn more about DataBee and download our data sheet
The Future of Cybersecurity Brought Me to Comcast, a blog by Nicole Bucala, VP & GM, Cybersecurity Suite
The Future of Cybersecurity Brought Me to Comcast
Comcast Technology Solutions is proud to announce that Nicole Bucala has been brought on board to lead our new Cybersecurity business unit as its Vice President and General Manager. We asked Nicole to share the reasons why, as a cybersecurity leader, she made the choice to join us – and to set the stage as we bring Comcast’s scale and innovation to bear for the security needs of industries around the world.
When I was approached to join Comcast last summer to lead its new SaaS enterprise cybersecurity business unit, I was both skeptical and intrigued. Skeptical for the obvious reasons: there aren’t many stellar success stories about a diversified global conglomerate getting into enterprise cybersecurity, which is a complex and challenging market. Yet at the same time, Comcast was approaching its foray into enterprise cybersecurity in a way I hadn’t seen anyone try before. Comcast was, in fact, choosing to bring its own chief information security officer’s (CISO) inventions to market. This meant that Comcast was commercializing proven, accepted product concepts in use by experts, internally, and at scale.
Why did this scream out to me as powerful? Well, for those of us who’ve sold security to Comcast before, we know their security organization is staunch. The stakes are high when trying to secure critical infrastructure at scale. Staffed with over a thousand security professionals, Comcast builds many of its own security technologies to cater to its size and scale, as well as to address the advanced threats and increasing regulatory scrutiny it must withstand. In addition, Comcast is a Fortune 30, highly profitable company that has a substantial, wisely allocated security investment profile. So, anything built internally has to improve security efficacy, work at Comcast scale AND be cost-effective enough to save the organization money overall – a key value proposition that can immediately differentiate a commercial security offering.
At the time, I was employed at Zscaler, in charge of building innovative partnerships with the largest global conglomerates, which entailed designing and launching Zscaler’s zero trust innovations to the forefront of the next major adjacencies: 5G, operational technology (OT), IoT, and application security. I was working at the fastest growing public company in cyber, leading a phenomenal team, working for incredibly inspiring executives, and I had zero intention of leaving. Yet, to the surprise (and perhaps caution) of many around me, I made the leap, and I don’t regret it.
Here are five reasons why Comcast is poised to win in its new adventure, and I consider myself fortunate to be a leader of this amazing team:
The solutions we are commercializing are imagined, designed, built and used by Comcast itself. I have been surprised to learn that this translates to a solution that both saves an organization money, and can be sold in a differentiated manner. Comcast is a financially driven company with a high bar for the effectiveness of its technologies; so for any internally built solution to survive, it has to be efficient and cost effective at scale. In addition, from a commercialization perspective I’ve found that practitioner-to-practitioner conversations are naturally laden with inherent trust. When we are talking with the CISO of another Fortune 100 company about our solution, we are able to get to a much more ‘real’ level of talk, faster, when compared generally to customer calls I attended as an employee of a pure-play cybersecurity vendor. There’s a simple reason for this inherent trust: When you’re a practitioner looking to help other practitioners, you have a grounded level of understanding in the pros and cons of the solution you’re discussing. You know the essence of the pain points it addresses. You know, with precision, the outcomes you saw. And yes, you have experienced issues with the solution, because nothing is perfect – and you have resolutions to them that worked. What this means is that other practitioners can trust that your knowledge of the solution is accurate and pertinent.
Comcast’s solution is a novel architectural approach that solves a long-standing pain point for security and compliance teams. The proposed solution is solving a problem I’d seen vendors try to address, unsuccessfully, for years: the desire to centralize security, compliance, and business data neatly, sorted and combined elegantly in a single place, from which insights could be derived and actions to be taken. Back in 2019, RSA Security’s annual industry conference had a theme of Business-Driven Security. That was also the first year that Extended Detection and Response (XDR) became a “real thing.” Vendors had dreams of combining enterprise and security data and controls to create a single source of truth and single pane of glass for investigations and compliance assurance, replete with business-oriented risk analytics for C-suites and boards. It’s now 2022, and XDR still hasn’t caught on the way practitioners hoped. I had seen other companies try to create similar solutions to the problem but they were unable to identify an architecture that didn’t skyrocket the storage costs, or were unable to make the product reliably scale for Fortune 50 accounts, or the system was “closed” such that only certain security personas could use it in prescribed ways. And so, I was delighted to see that Comcast had figured out an elegant new scalable, open architecture that saved money, while also being built on all the latest cloud-based tech.
This cloud-native platform was a new class of tech: a security, risk and compliance data fabric platform. It sat between a customer’s data sources, data lake, and analytical tools, achieving a true decoupling of security & compliance data ingest, from data storage, from the analytical layer. It ingests and transforms data such that a compressed, normalized, enriched, and time-series dataset is stored in a single data lake, in a way that reduces your SIEM costs by at least 30% and yields detections 3x faster. With approximately 100 data feeds from the top security and compliance tools today, protecting an enterprise with ~150K workforce, millions of endpoints and saving $15M+ in costs, the Comcast solution was proven to have profound impact in several ways. For a company with a huge amount of data to contend with, this single invention has changed how Comcast does security, for the better.
Comcast offers a proven model for commercializing in-house inventions. The new cybersecurity business unit is housed in Comcast Technology Solutions (CTS), the division within Comcast that takes internally developed technology and makes it available to other enterprises. CTS has successfully commercialized several other internal inventions, including those in content and streaming, advertising, communications infrastructure, and other technology. CTS offers its business units much flexibility and autonomy, which means that as the leader of the cybersecurity BU, I’d have the ability to set up new sales channels, billing and payment methods, and bring on new types of roles and talent.
Comcast offers excellent security career development. Believe it or not, I considered the chance to work with a large team of security practitioners to be a rare learning opportunity for someone whose career was largely on the commercial security vendor side. For years, I’d worked at security vendors who’d revered CISOs, trying to understand their motives, desires, anxieties and doubts… but never had I worked directly with one or one’s team closely over an extended period of time. I also had hired a few leaders in the past who’d worked as SOC analysts early in their careers, and saw they had a really grounded orientation around security products that everyone else on the security vendor side seemed to lack. By being embedded with practitioners, you simply get a better innate sense of the real problems, and can discern which security innovations will provide lasting value. It eliminates the element of guesswork that, no matter how many customer conversations you have, is otherwise unavoidably part of the product development process at traditional security vendors, unless you are also a stereotypical customer yourself.
Passion, and the benefit of being naive. The employees at Comcast who are working on commercializing this offering are without a doubt, by and large, some of the most passionate people I have worked with in my career. There is often a stereotype that employees of big companies work 9-5, but I have found the opposite to be true at Comcast: everyone is routinely working at all hours of the day to make this program a success. I can’t remember who said it, but there’s a famous saying out there that passionate people almost always succeed at their mission. They almost always achieve more than someone who lacks passion. Furthermore, the fact that Comcast is newish to selling SaaS security solutions to large enterprises is, in many ways, a blessing. The battle scars of “experience” can sometimes be a negative: they can cloud judgment, cause risk intolerance, and dampen innovation. Grit, determination, and a willingness to learn can almost always make up for a lack of experience.
Over the next year, we have set some really exciting and daunting goals. We are launching a Generally Available first version of DataBee®, along with iterative releases every few months. We are going to build our brand in enterprise security. We are going to sign some fantastic strategic design partners. We will build relationships with strategic technology and go-to-market partners. I’ll be building out my team of product development, marketing, sales, business development and operations professionals, and I would be very excited to bring along some of the top talent in cyber. Feel free to contact me if you want to learn more about how to become part of the amazing team here at Comcast!
Upcoming virtual event: Top 5 Predictions For the Future of Security Data Lakes Webinar
In the past year, security teams have had to endure many new cybersecurity challenges—from managing hybrid work environments to sustaining major ransomware attacks, catastrophic vulnerabilities, and supply chain risks. As an industry, we must take a step back and look at these challenges from a different angle. We should rethink the technologies and data architectures that are in place today to understand why they are no longer serving their purpose.
Register here.
Interested in joining the CTS Cybersecurity team? We are hiring for the following roles.
United States Based Positions
India Based Positions
Sr Manager, Marketing (Brand & Thought Leadership)
QA Manager
BluVector (Federal Government) ATD/ATH Customer Support & Professional Services Lead
Software Development Manager:
Manager, Software Development
Manager, Software Development
Development Engineer 4:
Development Engineer 4
Development Engineer 4
Development Engineer 4
Development Engineer 4
Development Engineer 3:
Development Engineer 3
Development Engineer 3
Development Engineer 3
Development Engineer 3
Development Engineer 3
Development Engineer 3
Development Engineer 3
SDET Engineer 3:
Quality & Automation Engineer 3
Quality & Automation Engineer 3
Quality & Automation Engineer 3
Quality & Automation Engineer 3
Learn more about the DataBee Hive.
Implementing Zero Trust Principles at Scale
The recently released OMB memo M-22-09 is a step toward bringing federal agencies in line with what many organizations in the private sector have been working toward for a while now – constructing a Zero Trust Architecture.
We discussed the strategic implications of this federal directive in a previous article and would like to also offer a tactical perspective on meeting these requirements from a decade of experience developing machine learning cybersecurity technology with the U.S. Government.
Beyond adopting a new buzzword, embracing Zero Trust means applying the tested principle of trust nothing, verify everything in order to secure a network with untold endpoints geographically dispersed over a landscape fraught with increasingly sophisticated cyberattacks.
Encrypt data in motion
This includes internal and external data flows, as well as applications, even email. A vital first step is to encrypt all DNS traffic using DoH/DoT today and all HTTP traffic using TLS 1.3. Encrypting DNS must not blind your security monitoring, so point clients at local DNS resolvers that accept DoH/DoT and log every query: the resolver still sees the requests in clear text, and its logs are where that analysis moves to. The corollary is to block direct client connections to external DoH/DoT resolvers, which would otherwise bypass that logging entirely.
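The monitoring point matters in practice: once clients speak DoH/DoT to your own resolver, the resolver’s query log is where the clear-text names live. As an added example, not BluVector’s code, the script below parses constructed resolver log lines (loosely modelled on Unbound’s log-queries output; the exact format is an assumption) and reports two things: clients that look up the hostnames of public DoH resolvers, a sign they may be about to send DNS over port 443 past your resolver, and clients generating many unique subdomains under one domain, a simple DNS tunneling heuristic. The watchlist, the base-domain rule (last two labels) and the thresholds are assumptions to tune for your environment.

```python
"""Added example (not BluVector code): mine local resolver query logs, which keep
the clear-text names that DoH/DoT hides from the wire, for two signals."""
import re
from collections import defaultdict

# Constructed log lines, loosely modelled on Unbound's log-queries output
# (the exact format is an assumption); one non-query line is included on purpose.
LOG_LINES = """\
Apr 26 08:30:00 dns1 unbound[812:0] info: start of service
Apr 26 08:30:01 dns1 unbound[812:0] info: 10.1.2.3 www.example.com. A IN
Apr 26 08:30:02 dns1 unbound[812:0] info: 10.1.2.3 dns.google. A IN
Apr 26 08:30:03 dns1 unbound[812:0] info: 10.1.2.9 www.example.com. A IN
Apr 26 08:30:04 dns1 unbound[812:0] info: 10.1.2.9 mail.example.com. MX IN
Apr 26 08:30:05 dns1 unbound[812:0] info: 10.1.2.9 vpn.example.com. AAAA IN
Apr 26 08:30:06 dns1 unbound[812:0] info: 10.1.2.7 a9f3e1c2.exfil-test.example. TXT IN
Apr 26 08:30:07 dns1 unbound[812:0] info: 10.1.2.7 b81d0c44.exfil-test.example. TXT IN
Apr 26 08:30:08 dns1 unbound[812:0] info: 10.1.2.7 0c7e55aa.exfil-test.example. TXT IN
Apr 26 08:30:09 dns1 unbound[812:0] info: 10.1.2.7 ff02d913.exfil-test.example. TXT IN
Apr 26 08:30:10 dns1 unbound[812:0] info: 10.1.2.7 4d1e9b07.exfil-test.example. TXT IN
""".splitlines()

QUERY_RE = re.compile(r"info: (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) IN$")

# Assumed watchlist: hostnames of public DoH/DoT resolvers. A client resolving one
# of these is likely about to send its DNS over 443/853 and skip this resolver.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

def parse_line(line):
    """Return (client_ip, qname, qtype) for a query line, or None for anything else."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def base_domain(qname):
    """Assumption: the registrable domain is the last two labels. Good enough for
    this example; a real deployment should use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze(lines, tunnel_threshold=4):
    doh_lookups = defaultdict(set)
    subdomains = defaultdict(set)   # (client, base_domain) -> unique leading labels
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, _qtype = parsed
        if qname in DOH_RESOLVERS or any(qname.endswith("." + d) for d in DOH_RESOLVERS):
            doh_lookups[client].add(qname)
        base, sub = base_domain(qname)
        if sub:
            subdomains[(client, base)].add(sub)
    tunnel_suspects = sorted((client, base, len(subs))
                             for (client, base), subs in subdomains.items()
                             if len(subs) >= tunnel_threshold)
    return {"doh_lookups": {c: sorted(n) for c, n in doh_lookups.items()},
            "tunnel_suspects": tunnel_suspects}

if __name__ == "__main__":
    print(analyze(LOG_LINES))
```

On the constructed lines, 10.1.2.3 is reported for resolving dns.google and 10.1.2.7 for five unique labels under exfil-test.example, while 10.1.2.9’s three ordinary hostnames under example.com stay under the threshold. Neither signal is visible on the wire once DNS is encrypted, which is exactly why the resolver log, not a packet capture, has to be the data source.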
From a castle to the cloud
As the requirement to support remote users grows, embracing the security features built into cloud computing is a critical first step to safely enable access from the Internet for both employees and partners. The migration of large IT organizations to the cloud reflects the fact that many cloud providers have already adopted some measure of Zero Trust Architecture, but there is no one-size-fits-all answer for every organization and its cybersecurity risks. No transition happens overnight, and some services will never move. For those, we still need to secure and monitor the on-premises resources as part of the broader security posture.
Logical segmentation
The memo is clear in its direction to develop and implement logical micro-segmentation or network-based segmentation. The challenge then becomes limiting, and where necessary quickly identifying, the lateral movement of any adversary who gains a foothold within your network.
AI enabled hunting
Endpoint security certainly plays a role in moving toward Zero Trust, but, as EO 14028 emphasizes, this also involves developing a real-time hunting capability rooted in machine learning. To hunt effectively government-wide, and most critically to address the rise of zero-day attacks, collecting telemetry from systems without an EDR installed is invaluable, since an adversary will simply hide where the defenses are weakest. Achieving Zero Trust isn’t just about prevention, but about comprehensive and continuous monitoring.
Hundreds of thousands of new malware variants are being developed daily. Global ransomware attacks rose by 151% last year [1] and the average recovery cost per incident more than doubled to $1.8 million [2]. This memo codifies what those stats make clear: in order to secure our nation’s vital infrastructure, we need intelligent solutions that go beyond monitoring systems for known threats.
BluVector provides advanced machine learning cybersecurity technology to commercial enterprise and government organizations. Our innovative AI empowers frontline professionals with the real time analytics required to secure the largest systems at scale.
Learn more about our philosophy of Zero Trust and understand how we deploy within existing security stacks. For more BluVector thought leadership on Zero Trust, read Zero Trust: A Holistic Approach by Travis Rosiek.