When it comes to cybersecurity analysis, context is critical. A vast amount of information is available to help security systems make automated decisions and to allow analysts to quickly triage security events. This can boost defenses and improve the efficiency of security teams. Recognizing this, cybersecurity vendors are now integrating new elements of data context directly into their products.
Context becomes even more crucial in organizations pursuing a secure access service edge (SASE) approach to networking. SASE recognizes that users no longer all sit in a central office but instead work in a variety of places, including at an office, from home or while traveling. SASE solutions combine a set of cloud-based security services to apply dynamic policies to individuals based on the specific circumstances of each event. The more context available to a SASE system, the better the decisions it can make.
To help understand the role that data context plays in cybersecurity, imagine that security systems detect a user uploading a file into a cloud-based file-sharing service. With only that information, it’s difficult for an automated system, or even a human analyst, to draw any conclusions. Taking any action to address this situation requires further investigation. An analyst would need to determine the role of the user in the organization, the type of file being shared and details about the business need for that user to have that information. That’s time-consuming work, and false alarms could easily distract analysts from other critical situations.
Making Better Security Decisions
Take that same scenario and imagine how it might play out with additional context added into the equation. By correlating information from identity and access management solutions, network devices, endpoints and other data sources, we might find answers to many other questions as well:
- Who was the user who uploaded the file?
- What is this user’s role in the organization?
- Where was the user located when the transfer was made?
- What type of information was contained in the file?
- With whom was the file shared?
- What time of day did the transfer take place?
- Is this normal behavior for this user?
- Did the user engage in any other abnormal behavior around the same time as this file transfer?
With this information, both automated systems and analysts can make better decisions. The organization's SASE platform can dismiss a large share of initial alerts automatically when the broader contextual information matches the user's normal pattern of behavior, and it can raise the priority of the few alerts where several signals disagree with that pattern at once. This allows security professionals to zero in on the most critical alerts and focus their time on the events that pose the greatest potential risk to the organization. The automation is only as good as the context feeding it, though: a stale role in the directory or a file the classification engine never tagged will be scored as normal, so the enrichment sources need to be kept current, and each dismissed alert should retain the context that dismissed it so an analyst can revisit the decision later.
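To make the questions above concrete, here is an added example of the enrichment and scoring logic a platform would run over the bare "user uploaded a file" alert. It is not code from the article or from any SASE vendor; the user directory, file classification table, sharing record, behavioural baseline, the three sample alerts, and the weights and thresholds in `score()` and `triage()` are all constructed stand-ins for the IAM, DLP, cloud-app and endpoint feeds a real deployment would query.

```python
"""Context-driven triage of a cloud file-upload alert.

Added example for this article, not code from the article or any SASE product.
All context sources below are constructed stand-ins; score() weights and
triage() thresholds are illustrative, not a vendor's defaults.
"""
from datetime import datetime

# --- Constructed context sources (hypothetical users, files, recipients) ----
USERS = {
    "u1001": {"name": "Ana Ruiz", "role": "HR Specialist",
              "usual_countries": {"ES"}, "work_hours": (8, 19)},
    "u2042": {"name": "Ben Okafor", "role": "Software Engineer",
              "usual_countries": {"GB"}, "work_hours": (9, 18)},
}
FILES = {  # file name -> classification label from the DLP scanner
    "employee-handbook.pdf": "Public",
    "design-notes.docx": "Confidential",
    "src-core-2024.zip": "Confidential",
}
SHARES = {  # (user, file) -> recipients reported by the cloud app
    ("u1001", "employee-handbook.pdf"): ["hr-team@example.com"],
    ("u2042", "design-notes.docx"): ["ana.ruiz@example.com"],
    ("u2042", "src-core-2024.zip"): ["ben.okafor99@personal-mail.example"],
}
BASELINE = {  # per user: typical daily upload count, other recent anomalies
    "u1001": {"avg_daily_uploads": 6.0, "recent_anomalies": []},
    "u2042": {"avg_daily_uploads": 0.5,
              "recent_anomalies": ["bulk download from source repository"]},
}
INTERNAL_DOMAINS = {"example.com"}


def event(user_id, file_name, country, ts, uploads_today):
    # A raw alert: user, file, source country, time, uploads so far today.
    return {"user_id": user_id, "file_name": file_name, "country": country,
            "timestamp": ts, "uploads_today": uploads_today}

# Constructed alerts; each is just "user uploaded a file" until enriched.
BENIGN = event("u1001", "employee-handbook.pdf", "ES", datetime(2024, 3, 12, 10, 30), 4)
BORDERLINE = event("u2042", "design-notes.docx", "GB", datetime(2024, 3, 12, 14, 0), 1)
SUSPICIOUS = event("u2042", "src-core-2024.zip", "RO", datetime(2024, 3, 12, 2, 15), 7)


def enrich(ev):
    """Answer the article's eight context questions for one alert."""
    user, base = USERS[ev["user_id"]], BASELINE[ev["user_id"]]
    recipients = SHARES.get((ev["user_id"], ev["file_name"]), [])
    hour, (start, end) = ev["timestamp"].hour, user["work_hours"]
    return {
        "user": user["name"],
        "role": user["role"],
        "location": ev["country"],
        "classification": FILES.get(ev["file_name"], "Unknown"),
        "recipients": recipients,
        "external_recipients": [r for r in recipients
                                if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS],
        "hour": hour,
        "outside_hours": not start <= hour < end,
        "unusual_location": ev["country"] not in user["usual_countries"],
        "unusual_volume": ev["uploads_today"] > 3 * max(base["avg_daily_uploads"], 1),
        "other_anomalies": base["recent_anomalies"],
    }


def score(ctx):
    """Additive risk score plus the reasons that contributed, for the analyst."""
    total, reasons = 0, []
    def add(points, why):
        nonlocal total
        total += points
        reasons.append(why)
    if ctx["classification"] in ("Confidential", "Restricted"):
        add(25, f"{ctx['classification']} data")
        if ctx["external_recipients"]:  # sensitive data leaving the organization
            add(30, "shared externally with " + ", ".join(ctx["external_recipients"]))
    if ctx["unusual_location"]:
        add(15, f"unusual location {ctx['location']} for {ctx['role']} {ctx['user']}")
    if ctx["outside_hours"]:
        add(10, f"outside working hours ({ctx['hour']:02d}:00)")
    if ctx["unusual_volume"]:
        add(10, "upload volume well above the user's baseline")
    if ctx["other_anomalies"]:
        add(20, "other recent anomalies: " + "; ".join(ctx["other_anomalies"]))
    return total, reasons


def triage(ev):
    """dismiss (matches normal behaviour), review, or escalate, with evidence."""
    total, reasons = score(enrich(ev))
    decision = "dismiss" if total < 20 else "review" if total < 50 else "escalate"
    return decision, total, reasons


if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("borderline", BORDERLINE), ("suspicious", SUSPICIOUS)):
        decision, total, reasons = triage(ev)
        print(f"{name}: {decision} (score {total})", *reasons, sep="\n   - ")
```

The benign alert scores zero and is dismissed without an analyst ever seeing it, the borderline one (confidential file shared internally by a user with another recent anomaly) lands in the review queue, and the suspicious one accumulates every signal and is escalated with the full list of reasons attached. Keeping that reasons list with the alert is what lets an analyst audit a dismissal later; the point is not the particular weights, which any real deployment would tune, but that every input comes from a context source the platform must be able to query.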
Organizations planning new SASE deployments should consider the contextual information available to them and ensure that the platforms they select are capable of incorporating as much of that information as possible. Existing SASE users should periodically survey the capabilities of their platform and the potential information sources available to them and build in new integrations when opportunities present themselves. The more data context we can add to our cybersecurity systems, the more effective we will be at protecting our systems and information from attack.