Use data to tighten your IT security posture, says expert

CISOs might feel overwhelmed, facing cyber threats from every direction and tight budgets. But a recent paper from a Microsoft Corp. security architect argues a data-driven security defence plan will help focus their efforts on the biggest and most likely threats.

The paper by Roger Grimes, released earlier this year and updated this month, says many of the problems infosec pros face are due to inaccurate risk ranking, poor communications, and uncoordinated, slow, ineffectual responses.

Instead, “using a computer security defense model driven by data, every employee would know the top root cause threats that are most successfully exploiting the organization’s security,” Grimes writes. “There would be no guessing; everyone could point to the top threats to the company’s computer systems. With a data-driven computer security defense, the IT team would actively collect threat intelligence and appropriately rank the risk to the company of the most likely and critical threats. It would then focus resources on the biggest threats with senior management involvement and approval, and use metrics to track success.

“The ultimate outcome is a lower number of exploitations and lower computer security risk to the organization. When a new threat emerges, the organization is on top of it from the start, measuring the company’s own rate of exploitation from the threat. It is a continuous, faster cycle of alertness, mitigation, and reduction.”

Briefly, the plan involves six steps:

  • collecting better and localized threat intelligence;
  • ranking risk appropriately;
  • creating a communications plan that efficiently conveys the greatest risk threats to everyone in the organization;
  • defining and collecting metrics;
  • defining and selecting defenses ranked by risk;
  • and reviewing and improving the defense plan as needed.

The paper also provides advice that infosec pros may need to be reminded of as they gather internal and external threat data: A critical vulnerability is not necessarily a critical risk. The security team has to ask what is the likelihood of a vulnerability being successfully used to access valuable data.

“Criticality and risk is not something you should readily accept from someone else’s data and pronouncements. External parties do not understand what defenses and mitigations are already deployed in your environment that will offset particular vulnerabilities, even if they exist.”

Grimes also notes that in today’s threat environment, unpatched software and social engineering are the two biggest threats to most organizations. Yet most companies tend to focus on other defense activities—such as two-factor authentication, intrusion detection systems, and firewalls. “While good to implement, they do not directly address the biggest initial compromise root cause vectors. If the biggest problems are not corrected, then other defenses will most likely be inadequate at stopping the highest risk attacks.”

In a data-driven computer defence, the claim that unpatched software and social engineering are the biggest threats would be confirmed against the enterprise’s actual experience, the paper argues. If confirmed, this would be communicated to all stakeholders. Senior management would then (hopefully) assign the necessary resources to combat the top threats.
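The ranking step the article describes, as an added example (not code from Grimes’ paper or from IT World Canada): confirmed compromises are tallied by root cause and weighted by the value of the asset reached, so the organization’s own experience drives the order, and an external severity score is only used to place threats that have not yet been seen locally, after discounting it for mitigations already deployed. The incident records, the severity numbers, and the 90 per cent local offset for SQL injection are all constructed for illustration.

```python
# Added example: rank root-cause threats by local compromise data rather than
# by external severity alone. Not from the paper; all data below is constructed.
from collections import defaultdict

# Constructed incident log for one quarter: each confirmed compromise, the root
# cause that let the attacker in, and the value (1-5) of the asset reached.
INCIDENTS = [
    {"root_cause": "unpatched_software", "asset_value": 4},
    {"root_cause": "social_engineering", "asset_value": 5},
    {"root_cause": "unpatched_software", "asset_value": 2},
    {"root_cause": "social_engineering", "asset_value": 3},
    {"root_cause": "unpatched_software", "asset_value": 5},
    {"root_cause": "weak_passwords", "asset_value": 1},
    {"root_cause": "social_engineering", "asset_value": 2},
]

# Constructed external feed: vendor-assigned criticality (0-10) per root-cause
# class. Hypothetical numbers chosen to show how the two rankings diverge.
EXTERNAL_SEVERITY = {
    "sql_injection": 9.8,
    "unpatched_software": 7.5,
    "weak_passwords": 6.0,
    "social_engineering": 5.5,
}

# Constructed: fraction of the external severity that defenses already in place
# offset (assume parameterised queries and a WAF cover SQL injection). Only the
# organization itself can know this, which is the paper's point.
LOCAL_OFFSET = {"sql_injection": 0.9}


def external_ranking(severity=EXTERNAL_SEVERITY):
    """Rank by someone else's criticality alone: highest vendor score first."""
    return sorted(severity, key=lambda t: severity[t], reverse=True)


def compromise_share(incidents=INCIDENTS):
    """Metric to report to stakeholders: share of confirmed compromises per root cause."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc["root_cause"]] += 1
    total = sum(counts.values())
    return {t: n / total for t, n in counts.items()}


def local_ranking(incidents=INCIDENTS, severity=EXTERNAL_SEVERITY, offset=LOCAL_OFFSET):
    """Rank by observed local exploitation weighted by asset value.

    External severity, discounted by local offsets, is used only as a
    tie-breaker so that threats never seen locally still appear in the list.
    """
    weighted = defaultdict(float)
    for inc in incidents:
        weighted[inc["root_cause"]] += inc["asset_value"]
    residual = {t: s * (1.0 - offset.get(t, 0.0)) for t, s in severity.items()}
    threats = set(weighted) | set(residual)
    return sorted(
        threats,
        key=lambda t: (weighted.get(t, 0.0), residual.get(t, 0.0)),
        reverse=True,
    )


if __name__ == "__main__":
    print("External-only ranking:", external_ranking())
    print("Local data-driven ranking:", local_ranking())
    for threat, share in sorted(compromise_share().items(), key=lambda kv: -kv[1]):
        print(f"  {threat}: {share:.0%} of confirmed compromises")
```

On the constructed data the external feed puts SQL injection first, while the local ranking puts unpatched software and social engineering at the top and SQL injection last, since nothing in the incident log was traced to it and the deployed mitigations discount its score. The `compromise_share` figures are the kind of metric the paper says everyone in the organization should be able to point to.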

Grimes also advises CISOs to make sure they implement defences that will directly and immediately reduce the most critical and most likely threats. For example, he writes, stronger authentication and intrusion detection rarely stop an attacker who has already gained a password hash. He also advises that precedence be given to defenses that stop initial compromises, such as restricting administrative privileges.

“The measure of success of a data- and relevancy-driven computer security defense is fewer high-risk compromises and faster responses to successful compromises,” he concludes.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
