The challenges of a converged security program
It’s commonplace these days to assume we can learn everything about someone from their digital activity – after all, people share so much on social media and over digital chats. However, advanced threats are more careful on digital. To catch advanced threats, therefore, combining insights from their actual activities in the world on a day-to-day basis with their digital communications and activity can provide a better sense if there’s an immediate and significant threat that needs to be addressed.
Let’s play out this insider threat scenario. While this scenario is in the financial services sector, with quick imagination, a security analyst could see applicability to other sectors. An investment banking analyst, Sarah, badges into a satellite office on a Saturday at 7 pm. Next, she logs onto a workstation, and prints 200 pages of materials. These activities alone, could look innocuous. But taken together, could there be something more going on?
As it turns out, Sarah tendered her resignation the prior Friday with 14 days notice. She leaves that Saturday night with two paper bags of confidential company printouts in tow to take to her next employer – a competing investment bank - to give her an edge.
A complete picture of her activity can be gleaned with logs from a few data sources:
HR data showing her status as pending termination, from a system like Workday or SAP
Badge reader logs
Sign in logs
Print logs
Video camera logs, from the entry and exit way of the building
While seemingly simple, piecing all this information together and taking steps to stop the employee’s actions or even recover the stolen materials is non-trivial. Today, companies are asking themselves, what type of technology is required to know that her behavior was immediately suspicious? And what type of security program can establish the objectives and parameters for quickly catching this type of insider threat?
What is a converged security program?
In the above scenario, sign-in logs and print logs alone aren’t necessarily suspicious. The suspicion level materially increases when you consider the combined context of her employment status with the choice of day and time to badge into the office. As such, converged security dataset analysis brings together physical security data points, such as logs from cameras or badge readers in the above example, and digital insights from activity on computers, computer systems or the internet. If these insights are normalized into the same dataset with clear consistency across user and device activity, they can be analyzed by physical security or cybersecurity analysts for faster threat detection. Furthermore, such collaboration can give way to physical and cybersecurity practitioners establishing a converged set of policies and procedures for incident response and recovery.
In his book, Roland Cloutier describes three important attributes of a converged security function:
One Table: everyone sitting together to discuss issues and create a sense of aligned missions, policies, and procedures for issue detection and response.
Interconnected Issue Problem Solving: identifying the problem as a shared mission and connecting resources in a way that resolves problems faster.
Link Analysis: bringing together data points about an issue or problem and correlating them to gain insights from data analytics.
Challenges of bringing together physical and information security
In today’s environment, the challenges of intertwining physical and digital security insights are substantial. Large international enterprises have campuses scattered across the world and a combination of in-office and remote workers. They may face challenges when employee data is fragmented across different physical and digital systems. Remote workers often don’t have physical security log information associated with their daily activity because they work from the confines of their homes, out of reach of corporate physical monitoring.
The modern workforce model further complicates managing physical and digital security as organizations contend with the:
Rise of remote work
Demise of the corporate network
Usage of personal mobile devices at work
Constant travel of business executives
A worker can no longer be tracked by movement in the building and on the corporate network. Instead, the person’s physical location and network connections change throughout the day. Beyond the technical challenges, organizations face hierarchical structure and human element challenges.
Many companies separate physical security from cybersecurity. One reason for this is that a different skillset may be required to stop the threats. Yet, there is value in the two security leaders developing an operating model for collaboration centers on a global data strategy with consistent and complete insights from the physical security and cybersecurity tools.
Consider a model to do so that revolves around 3 principles:
Common data aggregation and analysis across physical and cybersecurity toolsets
Resource alignment for problem solving and response in the physical security org and the cybersecurity group.
A common set of metrics for accountability across the converged security discipline
Diverse, disconnected tools
This is the problem cybersecurity faces, but this time on a wider scale. Each executive purchases tools for monitoring within their purview. They get data.
However, they either fail to gain insights from it or any insights they do achieve are limited to the problem the technology solves.
Access is a good example:
Identity and Access Management (IAM): sets controls that limit and manage how people interact with digital resources.
Employee badges: set control for what facilities and parts of facilities people can physically access.
Returning to the insider threat that Sarah Smith poses: the CISO’s information security organization has visibility into sign in and print logs but would have to collaborate with the CSO’s physical security group for badge logs. This process takes time and, depending on organizational politics, potentially requires convincing.
The siloed technologies could potentially create a security gap when the data remains uncorrelated:
The sign in and print logs alone may not sufficiently draw attention to Sarah’s activities in the CISO’s organization.
Badge in logs in the CSO’s organization may not draw an alert.
HR data, such as employment/termination status, may not be correlated in either the CISO’s or CSO’s available analytical datasets.
Without weaving the various data sources together into one story, Sarah’s behavior has a high risk of going completely undetected – by anyone.
In a converged program, IAM access and badge access would be correlated to improve visibility. In a converged program with high security data maturity, the datasets would provide a more complete picture with insights that correlate HR termination status, typical employee location, and more business context.
Resource constraints
The challenge of resource alignment often begins by analyzing constraints. Both physical and digital security costs money. Many companies view these functions as separate budgets, requiring separate sets of technologies, leadership, and resources.
Converged security contemplates synergies where possible overlaps can potentially reduce costs. For example:
Human Resources data: identifying all workforce members who should have physical and digital access.
IT system access: determining user access where HR is the source underlying Active Directory or IGA birthright provisioning and automatic access termination.
Building access: badges provisioning and terminating physical access according to HR status
The HR system, sign on system, and badge-in system each serve a separate recordation purpose, which can then provide monitoring functionality. However, by keeping insights from daily system usage separate, the data storage and analysis can grow redundant. As Cloutier notes, “siloed operations tend to drive confusion, frustration, and duplicative work streams that waste valuable resources and increase the load on any given functional area.” (24)
Instead, imagine if diverse recordation systems output data to a single location that parsed, correlated, and enriched data to create user profiles and user timelines so cross-functional teams with an interdisciplinary understanding of threat vectors could analyze it. In such an organization, this solution could
Reduce redundant storage.
Eliminate manual effort in correlating data sources from different systems.
Save analysts time by having all the data already in one spot (no need for gathering in the wake of an incident.
Allow for more rapid detection and response.
Metrics and accountability
Keeping physical security separate from cybersecurity can create the risk of disaggregated metrics and a lack of accountability. People must “compare notes” before making decisions, and the data may have discrepancies because everyone uses different technologies intended to measure different outcomes.
These data, tool, and operations silos can create an intricate, interconnected set of overlapping “blurred lines” across:
Personal/Professional technologies
Physical/Digital security functions
In the wake of a threat, the last thing people want to do is increase the time making decisions or argue over accountability, which can quickly spiral into conversations of blame.
Imagine, instead, a world in which the enterprise can make security a trackable metric. Being able to track an end goal – such as security, whether physical or digital – makes it easier to
Hold people accountable.
Make clear decisions.
Take appropriate action.
A trackable metric is only as good as the data that can back it up. Converged security centers around the concept of a global security data strategy that provides an open architecture for analyses that answer different questions while using a commonly accessed, unified data set that diverse security professionals accept as complete, valid, and the closet thing they can get to the “source of truth”.
Weaving together data for converged security with DataBee™
DataBee by Comcast Technology Solutions fuses together physical and digital security data into a data fabric architecture, then enriches it with additional business information, including:
Business policy context
Organizational hierarchy
Employment status
Authentication and endpoint activity logs
Physical bad and entrance logs
By weaving this data together, organizations achieve insights using a transformed dataset mapped to the DataBee-extended Open Cybersecurity Framework Scheme (OCSF). DataBee EntityViewsTM uses a patent-pending entity resolution software that automatically unifies disparate entity pieces across multiple sources of information. This enables many analytical use cases at speed and low cost. One poignant use case includes insider threat monitoring with a comprehensive timeline of user and devices activity, inside a building and when connected to networks.
The DataBee security data fabric architecture solves the Sarah problem, by weaving together in on timeline:
Her HID badge record from that Saturday’s office visit
The past several months of HR records from Workday showing her termination status.
Her Microsoft user sign-in to a workstation in the office
The HP print logs associated with her network ID and a time stamp.
DataBee empowers all security data users within the organization, including compliance, security, operations, and management. By creating a reliable, accurate dataset, people have fast, data-driven insights to answer questions quickly.
Read More
Vulnerabilities and misconfigurations: the CMDB's invasive species
“Knowledge is power.” Whether you attribute this to Sir Francis Bacon or Thomas Jefferson, you’ve probably heard it before. In the context of IT and security, knowing your assets, who owns them, and how they’re connected within your environment are fundamental first steps in understanding your environment and the battle against adversaries. You can’t place security controls around an asset if you don’t know it exists. You can’t effectively remediate vulnerabilities to an asset without insight into who owns it or how it affects your business.
Maintaining an up-to-date configuration management database (CMDB) is critical to these processes. However manually maintaining the CMDB is unrealistic and error-prone for the thousands of assets across the modern enterprise including cloud technologies, complex networks, and devices distributed across in-office and remote workforce users complicate this process. To add excitement to these challenges, the asset landscape is everchanging for entities like cloud assets, containers virtual machines, which can be ephemeral and become lost in the noise generated by the organization's hundreds of security tools. Additionally, most automation fails to link business users to the assets, and many asset tools struggle to prioritize assets correlating to security events, meaning that companies can easily lose visibility and lack the ability to prioritize asset risk.
Most asset management, IT service management (ITSM), and CMDBs focus on collecting data from the organization’s IT infrastructure. They ingest terabytes of data daily, yet this data remains siloed, preventing operations, security, and compliance teams from collaborating effectively.
With a security data fabric, organizations can break down data silos to create trustworthy, more accurate analytics that provide them with contextual and connected security insights.
The ever-expanding CMDB problem
The enterprise IT environment is a complex ecosystem consisting of on-premises and cloud-based technologies. Vulnerabilities and misconfigurations are an invasive species of the technology world.
In nature, a healthy ecosystem requires a delicate balance of plants and organisms who all support one another. An invasive species that disrupts this balance can destroy crops, contaminate food and water, spread disease, or hunt native species. Without controlling the spread of invasive species, the natural ecosystem is at risk of extinction.
Similarly, the rapid adoption of cloud technologies and remote work models expands the organization’s attack surface by introducing difficult-to-manage vulnerabilities and misconfigurations. Traditional CMDBs and their associated tools often fail to provide the necessary insights for mitigating risk, remediating issues, and maintaining compliance with internal controls.
In the average IT environment, the enterprise may combine any of the following tools:
IT Asset Management: identify technology assets, including physical devices and ephemeral assets like virtual machines, containers, or cell phones
ITSM: manage and track IT service delivery activities, like deployments, builds, and updates
Endpoint Management: manage and track patches, operation systems (OS) updates, and third-party installed software
Vulnerability scanner: scan networks to identify security risks embedded in software, firmware, and hardware
CMDB: store information about devices and software, including manufacturer, version, and current settings and configurations
Software-as-a-Service (SaaS) configuration management: monitor and document current SaaS settings and configurations
Meanwhile, various people throughout the organization need access to the information that these tools provide, including the following teams:
IT operations
Vulnerability management
Security
Compliance
As the IT environment expands and the organization collects more security data, the delicate balance between existing tools and people who need data becomes disrupted by newly identified vulnerabilities and cloud configuration drift.
Automatically updating the CMDB with enriched data
In nature, limiting an invasive species’ spread typically means implementing protective strategies for the environment that contain and control the non-native plant or organism. Monitoring, rapid response, public education, and detection and control measures are all ways that environmentalists work to protect the ecosystem.
In the IT ecosystem, organizations use similar activities to mitigate risks and threats arising from vulnerabilities and misconfigurations. However, the time-consuming manual tasks are error-prone and not cost-efficient.
Connect data and technologies
A security data fabric ingests data from security and IT tools, automating and normalizing the inputs so that the organization can gain correlated insights from across a typically disconnected infrastructure. With a vendor agnostic security data platform connecting data across the environment, organizations can break down silos created by various schemas and improve data’s integrity.
Improve data quality and reduce storage costs
By applying extract, transform, and load (ETL) pipelines to the data, the security data fabric enables organizations to store and load raw and optimized data. Flattening the data can reduce storage costs since companies can land it in their chosen data repository, like a data lake or warehouse. Further, the data transformation process identifies and can fix issues that lead to inaccurate analytics, like:
Data errors
Anomalies
Inconsistencies
Enrich CMDB with business information
Connecting asset data to real-world users and devices enables organizations to assign responsibility for configuration management. Organizations need to correlate their CMDB data with asset owners so that they can assign security issue remediation activities to the right people. By correlating business information, like organizational hierarchy data, with device, vulnerability scan, and ITSM data, organizations can streamline remediation processes and improve metrics.
Gain reliable insights with accurate analytics
Configuration management is a critical part of an organization’s compliance posture. Most security and data protection laws and frameworks incorporate configuration change management and security path updating. With clean data, organizations can build analytics models to help improve their compliance outcomes. To enhance corporate governance, organizations use their business intelligence tools, like Power BI or Tableau, to create visualizations so that senior leadership teams and directors can make data-driven decisions.
Maintain Your CMDB’s delicate ecosystem with DataBee
DataBee™ from Comcast Technology Solutions is a security data fabric that ingests data from traditional sources and feeds then supplements that with business logic and people information. The security, risk, and compliance platform engages early and often throughout the data pipeline leveraging metadata to adaptively collect, parse, correlate, and transform security data to align it with the vendor-agnostic DataBee-extended Open Cybersecurity Framework Schema (OCSF).
Using Comcast’s patent-pending entity resolution technology, DataBee suggests potential asset owners by connecting asset data to real-world users or devices so organizations can assign security issue remediation actions to the right people. With a 360 view of assets and devices, vulnerability and remediation management teams can identify critical and low-priority entities to help improve mean time to detach (MTTD) and mean time to respond (MTTR) metrics. The User and Device tables supplement the organization’s existing CMDB and other tools, so everyone who needs answers has them right at their fingertips.
Read More
Continuous controls monitoring (CCM): Your secret weapon to navigating DORA
Financial institutions are a critical backbone of the local and geographical – and world – economy. As such the financial services industry is highly regulated and often faces new compliance mandates and requirements. Threat actors target the industry because it manages and processes valuable customer personally identifiable information (PII) such as account, transaction, and behavioural data.
Maintaining consistent operations is critical, especially in an interconnected, global economy. To standardise processes for achieving operational resilience, the European Parliament passed the Digital Operational Resilience Act (DORA).
What is DORA?
DORA is a regulation passed by the European Parliament in December of 2022. DORA applies to digital operational resilience for the financial sector. DORA entered into force in January of 2023, and it applies as of January 17, 2025.
Two sets of rules, or policy products, provide the regulatory and implementation details of DORA. The first set of rules under DORA were published on January 17, 2024, and consist of four Regulatory Technical Standards (RTS) and one Implementing Technical Standard (ITS). It is worth noting that not all the RTSes contain controls that financial entities need to implement. For example, JC 2023 83, the “Final Report on draft RTS on classification of major incidents and significant cyber threats,” provides criteria for entities to determine if a cybersecurity incident would be classified as a “major” incident according to DORA. The public consultation on the second batch of policy products is completed, and the feedback is being reviewed prior to publishing the final versions of the policies. Based on the feedback received from the public, the finalised documents will be submitted to the European Commission July 17, 2024.
What is Continuous Controls Monitoring (CCM), and how can it help?
DORA has a wide-ranging set of articles, many of which require the implementation and monitoring of controls. Organisations can use a continuous controls monitoring (CCM) solution, which is an emerging governance, risk and compliance technology, to automate controls monitoring and reduce audit cost and stress. When choosing a CCM solution for DORA, consider a data fabric platform that brings together data from enterprise IT and cybersecurity tools and enriches it with business data to help organisations apply data analytics for measuring and reporting on the effectiveness of internal controls and conformance to laws and regulations. The following are examples of how CCM could be used to support DORA compliance.
Continuous Monitoring:
Article 9 of DORA, Protection and prevention, explains that to adequately protect Information and Communication Technologies (ICT) systems and organise response measures, “financial entities shall continuously monitor and control the security and functioning of ICT systems.” Similarly, Article 16, Simplified ICT risk management framework, requires entities to “continuously monitor the security and functioning of all ICT systems.”
Additionally, Article 6 requires financial entities to “minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.” It goes on to require setting clear objectives for information security that include Key Performance Indicators (KPIs), and to implement preventative and detective controls. Reporting on the implementation of multiple controls, combining compliance data with organizational hierarchy, and reporting on KPIs are all tasks that CCM excels at. When choosing a CCM solution for DORA, consider one that supports uninterrupted oversight of multiple controls by automating the ingestion of data, formatting it, and then presenting it to users through the business intelligence solution of their choice.
The Articles of JC 2023 86 the “Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework” contain many ICT cybersecurity requirements that are a natural fit to be measured by CCM. Here are some examples of these controls:
Asset management: entities must keep records of a set of attributes for their assets, such as a unique identifier, the owner, business functions or services supported by the ICT asset, whether the asset is or might be exposed to external networks, including the internet, etc.
Cryptographic key management: entities need to keep a register of digital certificates and the devices that store them and must ensure that certificates are renewed prior to their expiration.
Data and system security: entities must select secure configuration baselines for their ICT assets as well as regularly verifying that the baselines are in place.
A CCM solution that is built on a platform that correlates technical and business data supports security, risk, and compliance teams for building accurate, reliable reports to help measure compliance. It provides consistent visibility into control status across multiple teams throughout the organisation. This reduces the need for reporting controls in spreadsheets and in multiple dashboards, helping business leaders make more immediate and data-driven governance decisions about their business.
Executive Oversight:
Financial entities are required to have internal governance to ensure the effective management of ICT risk (Article 5, Governance and organisation). CCM solutions that integrate with business intelligence solutions, like Power BI and Tableau, to build executive dashboards and data visualizations can provide an overview of multiple controls through a single display.
Roles and Responsibilities:
DORA Article 5(2)) requires management to “set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions.” A CCM solution that combines organisational hierarchy with control compliance data makes roles and responsibilities explicit, which helps improve accountability across risk, management, and operations teams. That is, a manager using CCM does not have to guess which assets or people that belong to their organisation are compliant with corporate policy, or regulations. Instead, they can easily view their compliance status.
CCM dashboards and detail views provide the specifics about any non-compliant assets such as the asset name, and details of the controls for which the asset is non-compliant. Similarly, CCM can communicate details about compliance for a manager’s staff, such as if mandatory training has been completed by its due date, or who has failed phishing simulation tests.
Coordination of multiple teams:
As the FS-ISAC DORA Implementation Guidance notes, “DORA introduces increased complexity and requires close cross-team collaboration. Many DORA requirements cut across teams and functions, such as resilience/business continuity, cybersecurity, risk management, third-party and supply chain management, threat and vulnerability management, incident management and reporting, resilience and security testing, scenario exercising, and regulatory compliance. As a result, analysing compliance and checking for gaps is challenging, particularly in large firms.”
CCM helps with cross-team collaboration by providing a common, accurate, and consistent view of compliance data, which can reduce overall compliance costs. That is, GRC teams are not tasked with creating and distributing multiple reports for various teams and trying to keep the reports consistent, and timely. Or business teams are no longer responsible for pulling their own reports, overcoming issues with inconsistent or inaccurate reporting from inexperience with the product creating the report, reports being run with different parameters or on different dates, or other differences or errors. CCM helps resolve this issue because it makes the same content, using consistent source data from the same point in time, available to all users.
5 ways how DataBee can help you navigate DORA
The requirements for DORA are organised under these five pillars. How does DataBee help enterprises to comply with each of the five?
1. Information and Communication Technologies (ICT) risk management requirements (which include ICT Asset Management, Vulnerability and patch management, etc.)
DataBee’s Continuous Controls Monitoring (CCM) delivers continuous risk scores and actionable risk mitigation, helping financial entities to prioritize remediation for at-risk resources.
2. ICT-related incident reporting
DORA identifies what qualifies as a “major incident” and must therefore be reported to competent authorities. This is interesting compared to cybersecurity incident reporting requirements from the U.S. Securities and Exchange Commission (SEC) which are based on materiality, but do not provide details about what is or is not material. DORA includes criteria to determine if the incident is “major.” Some examples are if more than 10% of all clients or more than 100,000 clients use the affected service, or if greater than 10% of the daily average number of transactions are affected. Additionally, if a major incident does need to be reported, DORA includes specific information that financial entities must provide. These include data fields such as date and time the incident was detected, the number of clients affected, and the duration of the incident. A security data fabric such as DataBee can help to provide many of the measurable data points needed for the incident report.
3. ICT third-party risk
DataBee for CCM provides dashboards to report on the controls used for the management and oversight of third-party service providers. These controls are implemented to manage and mitigate risk due to the use of third parties.
4. Digital operational resilience testing (Examples include, vulnerability assessments, open-source analyses, network security assessments, physical security reviews, source code reviews where feasible, end-to-end testing or penetration testing.)
DORA emphasizes digital operational resilience testing. DataBee supports this by aggregating and simplifying the reporting for control testing and validation. DataBee’s CCM dashboards provide reporting for multiple controls using an interface that is easily understood, and which business managers can use to readily assess their unit’s compliance with controls required by DORA.
5. Information sharing
As with incident reporting, the data fabric implemented by DataBee supports information sharing. DataBee can economically store logs and other contextual data for an extended period. DataBee makes this data searchable providing the ability to locate, and at the organization’s discretion, exchange cyber threat information and intelligence with other financial entities.
Read More
100% exciting, 100 people strong (and growing)
When you join an organization the size of Comcast, it’s easy for outsiders to see only “Fortune 29 Company!” or “huge enterprise!”. But tell that to the DataBee team – we’ve been in start-up land since October 2022. And it’s been an exciting ride!
DataBee™ is a security, risk and compliance data fabric platform inspired by a platform created internally by Comcast’s global CISO, Noopur Davis, and her cybersecurity and GRC teams. They got such amazing results from the platform that they built and operated for 5 years—from cost savings to faster threat detection and compliance answers, to name a few—that Comcast executives saw the potential to create a business around this emerging technology space. What could provide a better product market fit than real business outcomes from a large, diversified global enterprise data point?
That was back in 2022, and the beginning of the DataBee business unit, which was built and created within Comcast Technology Solutions to bring this security data fabric platform to market. Initially funded with just enough to begin testing the market, it didn’t take long to realize that the opportunity for DataBee was auspicious, and substantial additional financing was provided by Comcast’s CEO in May 2023. One year after raising substantial additional financing from Comcast, I’m proud to say that DataBee has passed the 100-team-member milestone (and growing). I believe it's one of the most exciting cybersecurity start-ups out there. Times ten. (Ok, that’s my enthusiasm spilling over 😉.)
As challenging as fundraising is, staffing a team as large and talent diverse as DataBee has been no small feat, and we’ve done it relatively quickly - across three continents and five countries, no-less. Part of that challenge has been overcoming preconceived notions of who and what Comcast is, especially when you’re recruiting people from the cybersecurity industry. “Wait, what??? Comcast is in the enterprise security business??!!” Yes!
Here's what I’ve learned about hiring on the scale-up journey:
Focus on the mission. Your mission can be the most attractive thing about your business, especially when you’ve zeroed in on addressing an unmet need in the market. In the case of DataBee, our mission has been to connect security data so that it works for everyone. So many talents on the DataBee team have been compelled by the idea of solving the security data problem – too much data, too dispersed, in too many different formats to provide meaningful insights quickly to anyone who needs them. To play a role in fixing this problem? It’s intoxicating.
Look for people who seek the opportunity for constant learning and creativity. “Curiosity” appears at the top of the list of essential qualities in a successful leader, and I understand why. I think of curiosity as a hunger for constant learning and creativity, as well as the courage to explore uncharted territory, and these have been qualities I’ve been looking for as I staff up the DataBee team. These traits aren’t reserved for leaders only; I see them in practice across the whole team, from individual contributors all the way up to department leaders, and I know it’s having a big impact on our ability to rapidly innovate and build solutions that matter. (High energy doesn’t hurt either!)
Be a kind person. The number one thing I hear from my new hires is that they are taken aback by what a nice team I have. This makes me very happy and a little sad all at the same time: happy because I love knowing that the “be a kind person” rule is being put into practice across the DataBee team, but sad because it means that some of our new hires have not experienced kindness in previous jobs. Kindness and competency are not mutually exclusive things, and an environment of benevolence can foster creativity and success.
The funding we’ve received, and the strength, size, and rapid growth of the DataBee team is a testament to the fact that we’ve identified and are working to solve a very real problem being faced by many organizations – data chaos. It’s a problem that exists especially in security, but the rabid interest in artificial intelligence (AI) reminds us that we need to look beyond security data to all data, to ensure that good, clean, quality data is feeding AI systems. For AI to really work its magic, it needs quality data training so that it can deliver amazing experiences.
DataBee is 100 strong and growing, and our security data fabric platform, which is already helping customers manage costs and drive efficiencies, keeps evolving so it can help organizations continue the “shift left” to the very origins of their data. The goal is that quality data woven together, enriched, and delivered by DataBee will ultimately fuel AI systems and help business and technology leaders across the spectrum glean the insights they need for security, compliance, and long-term viability.
Read More
DataBee's guide to sweetening your RSAC experience
Noopur Davis, Comcast’s Chief Information Security Officer recently talked about bringing digital transformation to cybersecurity, where she stated, “The questions we dare to ask ourselves become more audacious each day.” In cybersecurity, this audacity is the spark that ignites innovation. By embracing bold questions answered by connected security data, we can unlock new ideas that transform how we defend our digital world.
This is particularly fitting as the theme for this year's RSA Conference is "The Art of Possible”. With data being so abundant, it’s essential to have immediate and continuous insights to be data-directed when making business decisions and staying ahead of today’s threats, to better enable you in foreseeing tomorrow’s challenges.
Organizations, however, still struggle to pull together and integrate security data into a common platform. This year Techstrong research surveyed cybersecurity professionals in a Pulsemeter report that shares a glimpse into security data challenges and how security data fabrics herald a new era in security data management. According to the survey, 44% of respondents have 0-50% of their security data integrated. This can result in:
Lack of visibility into security and compliance programs
Data explosions and silos
Challenges with evolving regulations and mandates
Difficulties performing analytics at scale
Exorbitant data storage and computing costs
DataBee™ from Comcast Technology Solutions can help overcome these challenges and assist in regaining control over your security data. The DataBee Hive Platform has brought technology to the market that can help with automating data ingestion, validating data quality, and lowering processing costs. This can lead to:
Improved collaboration by working on the same data set
More immediate and connected security data insights
More consistent and accurate compliance dashboards
Better data to power your AI initiatives and capabilities
DataBee is excited to participate in RSAC 2024 and help you achieve these outcomes for your organization.
Where to meet DataBee in Moscone Center
We're thrilled to showcase the DataBee Hive; a security, risk, and compliance data fabric platform designed to deliver connected security data that works for everyone. Buzz by Moscone North Hall and visit our booth #5278. We’ll be showcasing:
How to cost-optimize your SIEM
Reduce security audit stress
Make your CMDB more complete
Get a 360-degree activity view of any asset or user
And more!
Is the expo floor too busy or noisy? You can meet us one-on-one at Marriott Marquis by reserving a more personal conversation with the team.
Make you and RSA Conference a reality
Here's the deal: we want you there! DataBee has two fantastic options to help you attend, claim your ticket here at the RSA Conference website:
🎟️ Free RSA Conference Expo Pass: 52ECMCDTABEXP
🎟️ Discounted Full RSA Conference Pass - Save $150 with code: 52FCDCMCDTABE
Snowflake, DataBee, and Comcast
But wait, there's more! Join us for an evening of conversations, networking, and relaxation at our reception on May 8th, co-hosted with Comcast Ventures, Comcast Business, and Snowflake.
Date: Wednesday, May 8th, 2024
Time: 5:00 pm - 7:00 pm
After you register, keep an eye out for your confirmation email, which will include all the insider details on where to find us. This is your chance to unwind, network with fellow attendees, and forge valuable connections in a more relaxed setting. Register here to secure your spot and receive the location details.
Let's make your RSAC experience the best yet!
The DataBee team is eager to meet you and explore ways we can contribute to your organization's security data maturity journey. We invite you to visit us at booth #5278, network with us at the private reception, grab a photo with our mascot, and snag some bee-themed giveaways! We look forward to seeing you there!
Read More
All SIEMs Go: stitching together related alerts from multiple SIEMs
Today’s security information and event management (SIEMs) platforms do more than log collection and management. They are a critical tool used by security analysts and teams to run advanced security analytics and deliver unified threat detection and search capabilities.
A SIEM’s original purpose was to unify security monitoring in a single location. Security operation centers (SOCs) could then correlate event information to detect and investigate incidents faster. SIEMs often require specialized skills to fine-tune logs and events for correlation and analysis that is written in vendor-specific and proprietary query languages and schemas.
For some enterprises and agencies, it is not uncommon to see multiple SIEM deployments that help meet unique aspects of their cybersecurity needs and organizational requirements. Organizations often need to:
federate alerts
connect related alerts
optimize their SIEM deployments
Managing multiple SIEMs can be a challenge even for the most well-funded and skilled security organizations.
The business case for multiple SIEMs
For a long time, SIEMs worked. However, cloud adoption and high-volume data sources like endpoint detection and response (EDR) tools threw traditional, on-premise SIEMs curveballs. Especially when considering the cost of ingestion-based pricing and on-premise SIEM storage.
While having one SIEM to rule them all (your security logs) is a nice-to-have, organizations often find themselves managing a multi-SIEM environment for various reasons, including:
Augmenting an on-premises SIEM with Software-as-a-Service (SaaS) solutions to manage high-volume logs.
Sharing a network infrastructure with a parent company managing its SIEM while needing visibility into subsidiaries managing their own.
Acquiring companies through mergers and acquisitions (M&A) that have their own SIEMs.
Storing log data’s personally identifiable information (PII) in a particular geographic region to comply with data sovereignty requirements.
Multiple SIEM aggregation with DataBee
Complexity can undermine security operations by causing missed alerts or security analyst alert fatigue. DataBee™ from Comcast Technology Solutions ingests various data sources, including directly from SaaS and on-premises SIEMs, stitching together related event context or alerts to help streamline the identification and correlation process. Alerts are enriched with additional logs and data sources, including business context and asset and user details. With a consistent and actionable timeline across SIEMs, organizations can optimize their investments and mature their security programs.
Normalization of data
An organization with SaaS and on-premises SIEM deployments may want to federate alerts and access to the data through the multiple SIEMs. This can be difficult to aggregate notable events during investigations.
DataBee can receive data from multiple sources including SaaS and on-premises SIEMs. DataBee normalizes the data and translates the original schema into an extended Open Cybersecurity Schema Framework (OCSF) format before sending it to the company’s chosen data repository, like a security data lake. By standardizing the various schemas across multiple SIEMs, organizations can better manage their detection engineering resources by writing rules once to cover multiple environments.
Enhanced visibility and accountability
With proprietary and patent-pending entity resolution technology, DataBee EntityViews ties together the various identifiers for entities, like users and devices, then uses a single identifier for enrichment into the data lake. With entity resolution, organizations can automatically correlate activity across numerous sources together and use that both in entity timelines as well as UEBA models.
Cost optimization for high-volume data sources
The adoption of cloud technologies and endpoint detection and response (EDR) have considerably impacted SIEM systems, creating a notable challenge due to the sheer volume of data generated. This surge in data stems from EDR's comprehensive coverage of sub-techniques, as outlined in the MITRE ATT&CK framework. While EDR solutions offer heightened visibility into endpoint activities, this influx of data overwhelms traditional SIEM architectures. This leads to performance degradation and the inability to effectively process and analyze events. However, leveraging the cost-effective storage solutions offered by data lakes presents a viable solution to this conundrum.
By utilizing data lakes, organizations can store vast amounts of EDR data at scale. This approach can not only alleviate the strain on SIEM systems. but also facilitate deeper analysis and correlation of security events. This empowers organizations to extract actionable insights and bolster their cyber defense strategies. Thus, integrating EDR with data lakes emerges as a promising paradigm for managing the deluge of security data while maximizing its utility in threat detection and response.
Real-Time detection streams
DataBee uses vendor-agnostic Sigma rules that allow organizations to get alerts for data, including forwarded data like DNS records. If the SOC team wants to receive alerts without having to store the data in the SIEM, the detections can be output into the data lake or any SIEM or security orchestration, automation, and response (SOAR) solution, including the original SIEM forwarding the data. By building correlated timelines across user activity between multiple SIEMs, organizations can gain flexibility across SIEM vendors so they can swap between them or trade them out, choosing the best technologies for their use cases rather than the ones that integrate better with current deployments.
Ready to bring together related alerts from multiple SIEMs? Let's talk!
Read More
Seeing the big (security insights) picture with DataBee
The evolution of digital photography mimics the changes that many enterprise organizations face when trying to understand their cybersecurity controls and compliance posture. Since the late 1990s, technology has transformed photograph development from an analog, manual process into a digital, automated field. These images hold our memories, storing points in time that we can look back on and learn from. Cybersecurity, in turn, is experiencing a similar transformation.
When you consider the enterprise data pipeline problem that DataBee™ from Comcast Technology Solutions aims to solve through the everyday lens of creating, storing, managing, and retrieving personal photos, the platform’s evolutionary process and value makes more sense.
Too many technologies generating too much historical data
Portable, disposable Kodak cameras were all the rage in the 1990’s; but it could be days or weeks before you could see what you snapped because films needed to be sent for processing.
Over the 2000s, however, these processes increasingly turned digital, accelerating results dramatically. While high-quality, professional-grade digital cameras aren’t in danger of becoming obsolete, once cell phones with integrated cameras hit the market, they became an easy on-the-go way to capture life’s historical moments even though the picture might not develop until days, weeks, or maybe never as they’re left on the roll of film. Today, people use their smartphone devices lending even more depth and quality as we capture from family gatherings to vacation selfies instantly.
At Comcast, we faced a similar enterprise technology and security data problem. Just as people handle different kinds of images and the technologies that produce them, we have vast amounts of technologies that generate security data. It’s a fragmented, complicated environment that needs to handle rapidly expanding data.
Across the enterprise, Comcast stores and accesses increasingly larger amounts of data, including:
8000 month-by-month scans
1.7 million IPS targeted monthly for vulnerability scanning
7 multiple clouds or hybrid cloud environment
10 petabytes worth of data in our cybersecurity data lake
109 billion monthly application transactions
Finding the right moment in time
Let’s play out a scenario: You let your friend in on a stage in your life where you had bright red hair. Their response? “Pics or it didn’t happen.” To track down the historic photo, it takes immense effort to:
Figure out the key context about where and when it was captured.
Find the source of where the photo could be – is it in a hard drive? A cloud photo album? A tagged image in your social media profile?
Identify the exact photo you need within the source (especially if it is not labeled).
Comcast faced a similar data organization and correlation problem in their audits and their threat hunting. While we were drowning in data, we found that at the same time we were starved for insights. We were trying to connect relevant data to help build a timeline of activity of a user or device but as the data kept growing and security tools kept changing, we found data was incomplete or took weeks' worth of work to normalize and correlate data.
We faced many challenges when trying to answer questions and fractured data sources compounded this problem. Some questions we were asking were – do all the employees have their EDR solution enabled? Is there a user with the highest number of security severities associated to them across all their devices? And on answering these questions quickly and accurately, such as:
People maintaining spreadsheets that become outdated as soon as they’re pulled.
People building Power BI or Tableau reports without having all the necessary data.
Reports that could only be accessed from inside an applications console, limiting the ability to connect them to other meaningful security telemetry and data.
Auditing complex questions can be unexpectedly expensive and time consuming because data is scattered across vast, siloed datasets.
Getting security insights
Going back to the scenario where pictures are stored on all these disparate devices, it initially seems like a reasonable solution to just consolidate everything on an external hard drive. But, to do that, you must know each device’s operating system and how to transfer the images over. They differ in file size, filetype, image quality, and naming convention. While one camera dates a photo as “Saturday January 1, 2000,” another uses “1 January 2000.” In some cases, the images contain more specific data, like hour, minute, and second. Consolidating the pictures in cloud-based storage platforms only solves the storage issues – you still have to manage the different file formats and attached metadata to organize them by the actual date a picture was taken rather than date a batch of photos were uploaded.
Translating this to the security data problem, many organizations find that they have too much data, in too many places, created at too many different times. And said data are in different file types, unique formats, and other proprietary ways of saying the same thing. Consolidating and sorting data becomes chaotic.
As a security, risk, and compliance data fabric platform, DataBee ingests, standardizes, and transforms the data generated by these different security and IT technologies into a single, connected dataset that’s ready for security and compliance insights. This is surprisingly like adding a picture to your “Favorite” folder for easy access. Organizations need to accurately and quickly answer questions about their security and compliance.
The objective at Comcast was to solve the challenge of incomplete and inaccurate insights caused by siloed data stores. DataBee provides the different security data consumers access to analytics-derived insights. The end result enables consistent, data-driven decision making across teams that need accurate information about data security and compliance, including:
Chief Information Security Officer (CISO)
Chief Information Officer (CIO)
Chief Technology Officer (CTO)
Chief Data Officer (CDO)
Governance, Risk, and Compliance (GRC) function
Business Information Security Officer (BISO)
While those people need the insights derived from the platform, we also recognized that the regular users would inhabit many roles:
Threat hunters
Data engineers
Data scientists
Security analytics and engineering teams
To achieve objectives, we started looking at the underlying issue - the data, its quality, and its accessibility. At its core, DataBee delivers ready-to-use content and is a transformation engine that ingests, autoparses, normalizes, and enriches security data with business context. DataBee’s ability to normalize the data and land it in a data lake enables organizations to use their existing business intelligence (BI) tools, like Tableau and Power BI, to leverage analytics and create visualizations.
Transforming data creates a common “language” across:
IT tools
Asset data
Organizational hierarchy data
Security semantics aren’t easy to learn – it can take years of hands-on knowledge on a variety of toolsets. DataBee has the advantage of leveraging learnings from Comcast to create proprietary technology that parses security data, mapping columns and values to references in the Open Cybersecurity Framework (OCSF) schema while also extending that schema to fill in currently existing gaps.
Between our internal learnings and working with customers, DataBee delivers pre-built dashboards that accelerate the security data maturity journey. Meanwhile, customers who already have dashboards can still use them for their purposes. For example, continuous controls monitoring (CCM) dashboards aligned to the Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Technology and Standards Cybersecurity Framework (NIST CSF) offer a “quick start” for compliance insights.
DataBee can help customers achieve various security, compliance, and operational benefits, including:
Reduced security data storage costs by using the Snowflake and Databricks
Gaining insights and economic value by leveraging a time-series dataset
Real-time active detection streams with Sigma rules that optimize SIEM performance
Asset discovery and inventory enrichment to identify and suggest appropriate ownership
Weave together data for security and compliance with DataBee
Want to see DataBee in action and how we can help you supercharge your security, operations, and compliance initiatives? Request a custom demo today.
Read More
Bridging the GRC Gap
Tale as old as time
True as it can be
Barely even friends
Then somebody bends
Unexpectedly
(Menken, Ashman, 1991)
Miscommunication and preconceived notions sit at the core of any frenemies to lovers story. It's a staple in storytelling — two people who initially clash become lovers who understand each other.
In the business world, governance, risk, and compliance (GRC) is seen as something that business, cybersecurity, and IT have to do under duress. The process is time-consuming and perceived as busywork, often taking each group away from their preferred or “more critical” tasks. Without help from other departments, however, the GRC teams lack the data and insights they need to keep the business compliant.
Unsurprisingly, these teams have a lot more in common than they realize — they all want to be seen as business enablers. And when given the right tools, these teams can work together to communicate and share data more effectively by breaking down barriers (and data silos).
Misconceptions and miscommunications
In the context of a rom-com, the two protagonists often enter the relationship with preconceived notions. In Jane Austen’s “Pride and Prejudice,” Lizzie and Mr. Darcy both assume from brief interactions that the other person is overwhelmingly arrogant or aloof. In fiction, these misconceptions and miscommunications can be humorous. However, in reality, they can get in the way of effective collaboration.
When thinking about the perspectives of your organization’s cast of “characters” or stakeholders, you can see how these different biases can become problematic.
Compliance stakeholders
On the compliance side, GRC teams, chief information security officers (CISOs), and business information security officers (BISOs) often struggle to align their objectives and initiatives with the technical teams. If your business were a movie, these stakeholders might say something like:
“IT and security teams don’t understand business objectives.”
“Senior leadership won’t understand the technical reasons for the risk.”
“Department managers rubber-stamp everything without really looking at it or caring about it.”
“I can’t trust the data these other teams are sharing with me.”
“Cybersecurity awareness training never seems to work.”
Business leaders
Like the other protagonist, business leaders can come in with their own set of preconceived notions. They are responsible for day-to-day activities like sales, marketing, or accounting. Already working on their long deliverables list, these business managers can feel like the compliance stakeholders are adding new tasks unrelated to their key performance metrics. In a movie, these stakeholders might be overheard saying:
“Roles and responsibilities are too confusing!”
“There’s no easy way to show GRC teams I’m compliant.”
“I don’t have clear guidance on how to become more compliant.”
“I don’t know the process owners, and I don’t know who to go to for help.”
Hijinks (or violations?) ensue
In a rom-com, these misconceptions often lead to humorous hijinks where the protagonists find themselves begrudgingly working together. If your internal stakeholders were fictional characters, the miscommunications could simply lead to sarcastic conversations or create plot elements.
Without the right technologies, the teams are collecting and using data, but it remains siloed, which only leads to inconsistencies that fuel their inability to work together. For example, these stakeholders each need similar data but presented in different ways that meet their needs:
Compliance stakeholders: accurate historical and technical data linked to users and devices
Business stakeholders: responsibility and ownership assignments that link to the people they manage
All internal parties need organizational hierarchy data and business logic, but these insights typically sit outside the tools that each stakeholder uses. Without access to accurate data and insights, the different stakeholders continue to speak different languages, leaving them unable to implement and maintain the basic cyber hygiene necessary for compliance and data protection. These misalignments can have costly security and compliance outcomes, like:
Data breaches and security incidents
Fines and penalties
Audit findings
Increased audit costs
Unexpected realization
In every story, the misaligned partners have an aha! moment where they finally see their commonalities and their views shift. In fiction, these usually arise from some plot twist or catalyst event. In business, it may be more subtle.
As the regulatory landscape evolves, miscommunication and misalignment become a recipe for compliance and security disaster as GRC teams, process owners, and business managers become frustrated. In business, no one wants the catalyst event that brings these teams together to be a data breach or compliance violation.
Diverse teams need to see that they share the same goal but view it through different lenses. For example, all stakeholders care about user access, but they need different insights:
GRC teams: data supporting controls that limit user access according to the principle of least privilege
Security analysts: meaningful alerts that provide real-time detections for insider threats, including credential-based attacks
Business managers: ensuring workforce members have enough access to resources to complete their job functions
Most compliance professionals feel an emotion that borders on excitement when they show off their spreadsheets filled with macros, pivot tables, and equations. However, spreadsheets aren’t security or compliance platforms. When organizations can collect and retain the necessary data, they can use analytics effectively, giving all stakeholders access to the data they need while reducing costs. With the right technologies, these stakeholders can collaborate, find their commonalities, and impact revenue by:
Reducing data breach costs with a security-first compliance program that mitigates risk to generate cost savings
Maintaining a robust compliance posture to mitigate compliance risks, like fines and penalties that undermine revenue objectives
Building customer trust through successful audits that accelerate sales pipelines and generate revenue
By leveraging security data lakes and analytics, organizations reduce data retention costs and break down the data silos so that the different internal stakeholders:
Find their commonalities.
Rely on accurate analytics.
Gain real-time, actionable insights.
Better together: Snowflake with DataBee for Continuous Controls Monitoring (CCM)
When compliance teams, process owners, and business managers collaborate and communicate effectively, they reduce audit costs and improve security outcomes. More importantly, they see each other as partners working toward a common business outcome rather than obstacles to meeting key performance indicators (KPIs).
The best relationships are built on a foundation of shared experience where the partners support each other to overcome challenges. A CCM solution that puts data at the center can strengthen all three lines of defense, proving that teamwork really can make the dream work:
Operational managers: accountability with prescriptive guidance to reduce confusion and improve compliance
Risk management: fast, accurate reports driven by current data to eliminate point-in-time compliance and spreadsheets
Internal audit: focusing on higher-level tasks rather than searching for data or sending follow-up emails and requests
DataBee™ from Comcast Technology Solutions brings your teams closer together because it brings them closer to your data. The security, risk, and compliance data fabric platform weaves together dissimilar security and IT data and enriches it with traditionally siloed business details — organizational hierarchy, for example — so that all users have access to actionable insights by creating:
A single source of truth: consistent, accurate, and continuous compliance reporting based on near-real-time data merged from multiple sources, like security tools, human resources’ databases, and asset management technologies
A single pane of glass: all three lines of defense viewing the same data at the same time for easier communication and reporting
With Snowflake, you get a platform that can support a wide range of architectural patterns, including:
Data lake: unlimited storage for versatile data types and workloads
Data lakehouse: transactional data lake for unified analytics, AI/ML, and collaborative workloads
Data mesh or fabric: distributed and governed, domain-oriented collaboration
When brought together with Snowflake, DataBee’s flexible and open architecture addresses your business needs today and allows you to adapt to changing needs in the future.
Learn more about DataBee and Snowflake
Join us on Wednesday, February 28, at 1 pm ET/10 am PT/18:00 GMT for “You, me, and continuous controls monitoring” with Yasmine Abdillahi, Executive Director for Cyber GRC at Comcast, and John Bland, Cybersecurity Data Cloud Principal at Snowflake, moderated by Tom Schneider, GRC Consultant for DataBee.
Read More
The DataBee Hive hits Orlando for the 2024 Gartner® Data & Analytics Summit
In a great blog on bringing digital transformation to cybersecurity, Comcast CISO Noopur Davis wrote, “Data is the currency of the 21st century — it helps you examine the past, react to the present, and predict the future.” Truer words were never written.
No doubt that’s why we think Gartner created the Gartner Data & Analytics Summit — to bring together data and analytics leaders “aspiring to transform their organizations through the power of data, analytics, and AI.”
DataBee™ from Comcast Technology Solutions is all about facilitating that transformation. The DataBee Hive™, a cloud-native security, risk, and compliance data fabric platform, helps organizations transform how they collect, correlate, and enrich data to deliver the deep insights needed to drive efforts to remain competitive, secure, and compliant. It works by connecting disparate data sources and feeds to merge them with an organization’s data and business logic to create a shared and enhanced dataset that delivers continuous compliance assurance, proactive threat detection with near-limitless hunts, and improved AIOps — all while optimizing data costs.
This is why we’re incredibly excited to be participating in the 2024 Gartner Data & Analytics Summit for the first time. We’re looking forward to the conference sessions but even more to engaging with attendees to hear firsthand what their data, analytics, and AI challenges are and to share what we’ve learned on the path to creating the DataBee security data fabric platform.
Below are details on DataBee’s involvement in the conference — please pay us a visit at the show.
Speaking, exhibiting, and giving out the cutest plushie at the show.
The Gartner Data & Analytics Summit takes place March 11‒13, 2024, in Orlando at the Walt Disney World Swan and Dolphin Resort in Lake Buena Vista.
The Comcast Speaking Session
Comcast DataBee: Democratizing AI With a Foundation in Enterprise & Security Data
March 12 at 12:45‒1:05 pm
Location: Theater 4, Exhibit Showcase
Speaker: Rick Rioboli, Executive Vice President & Chief Technology Officer, Comcast Cable
Session description:
For more than a decade, Comcast has incorporated AI into our products and operations, going beyond personalized content to increase customer accessibility and protect against cyberattacks. To keep pace with industry disruptors and drive more AI innovations, Comcast launched AI Everywhere. The initiative aims to reduce friction when developing safe, secure, and scalable AI solutions throughout the business. Part of that is getting data AI-ready.
Join this session to learn three key components of bringing AI to more people and how combining security data can drive more value across the enterprise.
DataBee exhibit
Be sure to visit the Comcast Technology Solutions DataBee exhibit. We can be found in Booth 618, in the Data Management Tools and Technology Village. We’ll have some of our top “bees” on hand to talk data, analytics, AI, and how a security data fabric platform can help you connect security and compliance data for insights that work for everyone in your organization.
Plus, who doesn’t love a cute plushie to take home? We’ll be giving these away at our booth.
To learn more about DataBee in just a few short minutes, check out this quick and fun explainer video or download the DataBee Hive datasheet.
If you’d like to schedule a specific time to meet during the event, we’d love it. Contact us, and we’ll follow up right away to book a time.
We hope to see you in Orlando!
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. While Gartner is hosting the Gartner Conference, Gartner is not in any way affiliated with Exhibiting Company or this promotion, the selection of winners or the distribution of prizes. Gartner disclaims all responsibility for any claims that may arise hereunder.
Read More
3 Hot Takes on Cybersecurity: SIEMs, GenAI, and more
Missed our Cybersecurity Hot Takes webinar? Lucky for you, you can watch the on-demand recording now!
We dived into cybersecurity’s burning questions with Roland Cloutier, former CISO at Tiktok and ADP, Edward Asiedu, Senior Principal of Cybersecurity Solutions at DataBee, and Amy Heng, Director of Product Marketing at DataBee™. They shared their hot takes and insights related to tools, data, and people in the cybersecurity landscape. As they indulged in hot wings, the discussions ranged from the relevance of Security Information and Event Management (SIEM) tools to the transformative potential of Generative Artificial Intelligence (Gen AI).
Here’s what can expect to learn more about:
The Decline of SIEM Tools: Roland predicted the decline of traditional SIEM tools. He argued that the current SIEM solutions are becoming obsolete due to the evolving nature of cybersecurity. The complexity of cyber risks and privacy issues demands a more sophisticated approach that goes beyond the capabilities of conventional SIEM tools. Instead, Roland emphasized the need for a data fabric platform to fill the void left by traditional SIEMs.
Vendor-Specific Query Languages: To Learn or Not to Learn? Edward highlighted the drawbacks of forcing engineers to learn multiple query languages for different security tools. Both Edward and Roland expressed a preference for standardized approaches like SQL or Sigma rules, which makes detecting threats faster and closing the cybersecurity skills gap.
Gen AI and how to operationalize it for cybersecurity: Gen-AI is a rising start in the cybersecurity landscape. Contrary to the fear of a robot revolution, Roland envisioned Gen AI as a powerful tool for enhancing security risk and privacy operations. He emphasized its potential to automate tasks such as incident response, analytics, and investigation, significantly reducing the time and resources required for these activities.
Besides the hot wings being spicier with each question, it’s clear that the cybersecurity landscape is evolving rapidly. Traditional tools like SIEM are on the decline, making way for more adaptable solutions that bring security data insights to more people. The shift towards standardized query languages and the integration of AI, particularly Gen AI, promises a future where cybersecurity operations are more efficient, automated, and capable of handling the ever-growing volume of data.
Why not hear more hot takes? Catch the webinar on-demand today.
Read More
Squeaky Clean: Security Hygiene with DataBee
Enterprises have an ever-growing asset and user population. As organizations become more complex thanks to innovation in technology, it becomes increasingly difficult to track all assets in the environment. It's difficult to secure a user or device you may not be aware of. DataBee can augment and complement your configuration management database (CMDB) by enhancing the accuracy, relevance, and usability of your asset, device, and user inventory, unlocking 3 primary use cases for security teams:
Security Hygiene
Owner & Asset Discovery
Insider Threat Hunting
Security Hygiene
DataBee for Security Hygiene can help deliver more accurate insights into the assets in your environment while automatically keeping your asset inventory up-to-date and contextualized. Bringing more clarity about your users and devices in your environment, enables your business to enhance its security coverage, reduces manual processes, increases alerts’ accuracy, and more rapidly responds to incidents.
Security hygiene uses entity resolution, a patent pending technology from Comcast, to create a unique identifier from a single data source or across multiple data sources that refer to the same real-world entity, such as a user or device. This technique is performed by DataBee helps reduce the manual entity correlation efforts by analysts, and the unique identifiers can be used to discover assets and suggest missing owners.
DataBee supports ingestion from multiple data sources to help keep your security hygiene in check, including a variety of traditional sources for asset management such as your CMDB, directory services, and vulnerability scanner. It also can learn about your users and devices from non-traditional data sources such as network traffic, authentication logs, and other data streamed through DataBee that contains a reference to a user or device.
DataBee can also be used to exclude data sources and feeds from entity resolution that provide little fidelity for entity-related context and support feed source prioritizations. These inputs are used when there is collision or conflicting information. For example, if a device is first seen in network traffic, preliminary information about the device will be added to DataBee such as the hostname and IP. Another example is when your CMDB updates a device’s IP. DataBee will use this update to overwrite the associated IP if the CMDB feed is prioritized over the network traffic information.
Owner and Asset Discovery
Organizations often struggle to assign responsibility for resolving security issues on assets or devices, many times due to unclear ownership caused by gaps in the asset management process, such as Shadow IT and orphaned devices. DataBee can provide a starting point to identifying and validating the owner of a device. When a new device is discovered or the owner is not indicated in CMDB, DataBee will leverage the events streaming through the platform to make a suggestion of the potential owners of the asset. The system tracks who logs into the device for seven days after discovery and uses statistical analysis to suggest up to the three most likely owners.
The Potential Owners are listed in the Entity Details section of the Entity View page that can be expanded to quickly validate the ownership. Once security analysts are able to validate the owner, the system of record can be updated and DataBee will receive the update.
As organizations become more complex thanks to innovation in technology, it can become increasingly difficult to track all assets in the environment. DataBee provides User and Device tables to supplement existing tools. Orphaned assets remain unknown and often unpatched, creating unmonitored levels of increasing risk. Shadow IT is a growing problem as more cloud-based solutions become easily accessible. Entity resolution maintains an inventory of known assets in your organization. This enables continuous discovery of assets that would otherwise slip through the cracks based on events streamed through DataBee.
Insider Threat Hunting
Insider threats are people, such as employees or contractors, with authorized access to or knowledge of an organization’s resources, that can cause potential harm arising from purposeful or accidental misuse of authorized user access. This can have negative effects on the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. Insider threats are often able to hide in plain sight for many reasons. There is complexity in cross-correlating logs of an individual's activities across various tools and products. Further, the data is siloed, making it difficult for security analysts to see the full picture. DataBee’s security, risk, and compliance data fabric platform weaves together events as they stream through the business context needed to identify insider threats.
DataBee leverages entity resolution to create an authoritative and unique entity ID using data from across your environment that is mapped to real people and devices to enable hunting for insider threats in your organization. Entity resolution aggregates information from multiple data sources, merges duplicate entries, and suggests potential owners for devices and assets. By correlating and enriching the data before storing it in your data lake, DataBee creates an entity timeline, associating each event with the correct entity at the time of its activity.
These views enable insider threat hunting by allowing security analysts to see the activities conducted by a user and the related business context in a single view to identify potential malicious behavior. The interactive user experience is intended to make leveraging the Open CyberSecurity Framework (OCSF) formatted logs more accessible to all security professionals. Within the Event Timeline, security analysts can filter the events based on type to focus investigations. Clicking on the event will show the mission critical fields needed to decide if the event is interesting. Clicking on the magnifying glass icon allows you to inspect the full event. DataBee enables one-click pivoting to related entities to simplify diving deeper into the investigation. The views are powered by the data in the data lake. Therefore, the data is available in OCSF format for threat hunters to continue their investigations in traditional tools like Jupyter notebooks to meet hunters where they are with their data.
Take a look under the hood of DataBee v2.0 and DataBee for Security Hygiene
Are you ready for an enterprise-ready security, risk, and compliance data fabric? Request a custom demo to see how DataBee uses a unique identifier that can be used to augments your CMDB and help deliver more accurate insights into the assets in your environment.
Read More
Finding security threats with DataBee from Comcast Technology Solutions
Last week, DataBee™ announced the general availability of DataBee v2.0. Alongside a new strategic technology partnership with Databricks, we released new cybersecurity and Payment Card Industry Data Security Standard (PCI DSS) 4.0 reporting capabilities.
In this blog, we’ll dive into the new security threat use cases that you can unlock with a security, risk, and compliance data fabric platform.
DataBee for security practitioners and analysts
In security operations, detecting incidents in a security information and event management (SIEM) tool is often described as looking for a needle in a haystack of logs. Another fun (or not-so-fun) SIEM metaphor is a leaky bucket.
In an ideal world, all security events and logs would be ingested, parsed, normalized, and enriched into the SIEM, and then the events would be cross-correlated using advanced analytics. Basically, logs stream into your bucket and the SIEM, and all the breaches would be detected.
In reality, there are holes in the bucket that allow for undetected breaches to persist. SIEMs can be difficult to manage and maintain. Organization-level customizations, combined with unique and ever-changing vendor formats, can lead to detection gaps between tools and missed opportunities to avert incidents. Additionally, for cost-conscious organizations, there are often trade-offs for high-volume sources that leave analysts unable to tap into valuable insights. All these small holes add up.
What if we could make the security value of data more accessible and understandable to security professionals of all levels? DataBee makes security data a shared language. As a cloud-native security, risk, and compliance data fabric platform, DataBee engages early in the data pipeline to ingest data from any source, then enriches, correlates, and normalizes it to an extended version of the Open Cybersecurity Schema Framework (OCSF) to your data lake for long-term storage and your SIEM for advanced analytics.
Revisiting the haystack metaphor, if hay can be removed from the stack, a SIEM will be more efficient and effective at finding needles. With DataBee, enterprises can efficiently divert data, the “hay,” from an often otherwise cost-prohibitive and overwhelmed SIEM. This enables enterprises to manage costs and improve the performance of mission-critical analytics in the SIEM. DataBee uses active detection streams to complement the SIEM, identifying threats through vendor-agnostic Sigma rules and detections. Detections are streamed with necessary business context to a SIEM, SOAR, or data lake. DataBee takes to market a platform inspired by security analysts to tackle use cases that large enterprises have long struggled with, such as:
SIEM cost optimization
Standardized detection coverage
Operationalizing security findings
SIEM cost optimization
Active detection streams from DataBee provide an easy-to-deploy solution that enables security teams to send their “needles” to their SIEM and their “hay” to a more cost-effective data lake. Data that would often otherwise be discarded can now be analyzed enroute. Enterprises need only retain the active detection stream findings and security logs needed for advanced analytics and reporting in the SIEM. By removing the “hay,” enterprises can reduce their SIEM operating costs.
The optimized cloud architecture enables security organizations to gain insights into logs that are too high volume or contain limited context to leverage in the SIEM. For example, DNS logs are often considered too verbose to store in the SIEM. They contain a high volume of low-value logs due to limited information retained in each event. The limited information makes the DNS logs difficult to cross-correlate with the disparate data sources needed to validate a security incident.
Another great log source example is Windows Event Logs. There are hundreds of validated open-source Sigma detections for Windows Event Logs to identify all kinds of malicious and suspicious behavior. Leveraging these detections has traditionally been difficult due to the scale required both for the number of detections and volume of data to compare it to. With DataBee’s cloud-native active detection streams, the analytics are applied as the data is normalized and enriched, allowing security teams new insights into the potential risks facing their organization. DataBee’s power and scale complement the SIEM’s capabilities, plugging some of the holes in our leaky bucket.
Analyst fatigue can be lessened by suppressing security findings for users or devices that can reduce reliability of a finding. With DataBee’s suppression capability, you can filter and take actions on security findings based on the situation. Selecting “Drop” for the action ignores the event, which is ideal for events that are known to be false positive in the organization. Alternatively, applying an “Informational” action reduces the severity and risk level of the finding to Info, still allowing the finding to be tracked for historical purposes. The Informational level is perfect for tuning that requires auditability long term. The scheduling option uses an innovative approach that gives you a way to account for recurring known events like change windows that might fire alerts or additional issues that could lead to false positives.
By applying the analytics and tuning to the enriched logs as they are streamed to more cost-effective long-term storage in the data lake, security teams can detect malicious behavior like PowerShell activity or DNS tunneling. Additionally, DataBee’s Entity Resolution not only enriches the logs but learns more about your organization from them, discovering assets that may be untracked or unknown in your network.
Standardized detection coverage
With the ever-evolving threat landscape, detection content is constantly updated to stay relevant. As such, security organizations have taken on more of a key role in content management between solutions. Compounded by the popularization of Sigma-formatted detections with both security researchers and vendors, many large enterprises are beginning their journey to migrate existing custom detections to open-source formats managed via GitHub. Sigma detection rules are imported and managed via GitHub to DataBee to quickly operationalize detection content. Security organizations can centralize and standardize content management for all security solutions, not just DataBee.
Active detection streams apply Sigma rules, an open-source signature format, over security data that is mapped to a DataBee-extended version of OCSF to integrate into the existing security ecosystem with minimal customizations. DataBee handles the translation from Sigma to OCSF to help lower the level of effort needed to adopt and support organizations on their journey to vendor-agnostic security operations. With Sigma-formatted detections leveraging OCSF in DataBee, organizations can swap out security vendors without needing to update log parsers or security detection content.
Operationalizing security findings
One of DataBee’s core principles is to meet you where you are with your data. The intent is to integrate into your existing workflows and tools and avoid amplifying the “swivel chair” effect that plagues every security analyst. In keeping with the vendor-agnostic approach, DataBee security findings generated by active detection streams can be output in OCSF format to S3 buckets. This format can be configured for ingestion to immediate use in major SIEM providers.
Leveraging active detection streams with Entity Resolution in DataBee enables organizations to identify threats with vendor-agnostic detections with all the necessary business context as the data streams toward its destination. DataBee used in conjunction with the SIEM allows security teams visibility out of the box into potential risks facing their organization without the noise.
Read More
DataBee and Databricks: Business-ready datasets for security, risk, and compliance
In today's fast-paced and data-driven world, businesses are constantly seeking ways to gain a competitive edge. One of the most valuable assets these businesses have is their data. By analyzing and deriving insights from their data, organizations can make informed decisions, manage organizational compliance, optimize resource allocation, and improve operational efficiency.
Better together: DataBee and Databricks
As part of DataBee™ v2.0, we’re excited to announce a strategic partnership with Databricks that gives customers the flexibility to integrate with their data lake of choice.
DataBee is a security, risk, and compliance data fabric platform that transforms raw data into analysis-ready datasets, streamlining data analysis workflows, ensuring data quality and integrity, and fast-tracking organizations’ data lake development. In the medallion architecture, businesses and agencies organize their data in an incremental and progressive flow that allows them to achieve multiple advanced outcomes with their data. From the bronze layer, where raw data lands as is, to the silver layer, where data is minimally cleansed for some analytics, to the gold layer, where advanced analytics and models can be run on data for outcomes across the organization, let DataBee and Databricks get your data to gold.
In the past, creating gold-level datasets was a challenging and time-consuming process. Extracting valuable insights from raw data required extensive manual effort and expertise in data aggregation, transformation, and validation. Organizations had to invest significant resources in developing custom data processing pipelines and dealing with the complexities of handling large volumes of data. Lastly, legacy systems and traditional data processing tools struggled to keep up with the demands of big data analytics, resulting in slow and inefficient data preparation workflows. This hindered organizations' ability to derive timely insights from their data and make informed decisions.
DataBee's integration with Databricks empowers customers to take their gold-level datasets up a notch by leveraging advanced data transformation capabilities and sophisticated machine learning algorithms within Databricks. Regardless of whether the data is structured, semistructured, or unstructured, Databricks' unique lakehouse architecture provides organizations with a robust and scalable infrastructure to store and manage vast amounts of data and insights in SQL and non-SQL formats. The lakehouse architecture from Databricks allows businesses to leverage the flexibility of a data lake and the analysis efficiency of a data warehouse in a unified platform.
The integration between DataBee and Databricks involves two key components: the Databricks Unity Catalog and the Auto Loader job.
The Databricks Unity Catalog is a unified governance solution for data and AI assets within Databricks that serves as a centralized location for managing data and its access.
The Auto Loader automates the process of loading data from Unity Catalog-governed sources to the Delta Lake tables within Databricks. The Auto Loader job monitors the data source for new or updated data and copies it to the appropriate Delta Lake tables. This ensures that the data is always up to date and readily available for analysis within Databricks. When integrating DataBee with Databricks, the data is loaded from the Databricks Unity Catalog data source using the Auto Loader, ensuring that it is easily accessible and can be leveraged for analysis.
This seamless integration, combined with DataBee's support for major cloud platforms like AWS, Google Cloud, and Microsoft Azure, enables organizations to easily deploy and operate Databricks and DataBee in their preferred cloud environment, ensuring efficient data processing and analysis workflows.
Connecting security, risk, and compliance insights faster with DataBee
It’s time to start leveraging your security, risk, and compliance data with DataBee and Databricks.
DataBee joins large security and IT datasets and feeds close to the source, correlating with organizational data such as asset and user details and internal policies before normalizing it to the Open Cybersecurity Schema Framework (OCSF). The resulting integrated, time-series dataset is sent to the Databricks Data Intelligence Platform where it can be retained and accessible for an extended period. Empower your organization with DataBee and Databricks and stay ahead of the curve in the era of data-driven decision-making.
Read More