As we've previously written, data enrichment is the process of augmenting existing but incomplete data with additional data, typically taken from external sources or apps. Large enterprises commonly run dozens if not hundreds of separate apps, so security operations (SecOps) teams often have to combine data from multiple sources to get a complete picture of a potential threat and to act on it sooner.
But what does this mean in practice? Why are security operators turning to data enrichment, and to automating it, more than ever before?
In 2015, Mark Allen and Dalton Cervo wrote that "data enrichment must serve a business purpose." That is to say, enriching your data is not simply a systems-management exercise; it must serve an end goal, and preferably an actionable one.
In more mundane settings, data enrichment supports day-to-day operations and decision making across many kinds of business. Ecommerce, for instance, has relied on automated data enrichment for years, for example to merge customer records for marketing campaigns or to attach the full order details when an order is forwarded to a dropshipper or to warehouse staff.
However, arguably the most valuable uses for data enrichment in 2022 are in cybersecurity. With the volume of cyberthreats continuing to rise, keeping your enterprise's data safe has become more pressing than ever, and automated data enrichment is one of the key ways of doing so.
Of course, while "keeping your enterprise's data safe" is a worthwhile goal, it is too vague to be actionable. The better approach is to break this business goal into smaller goals that are both more immediate and measurable.
One way of keeping your data safe is to help your SecOps teams respond faster to security alerts and potential threats. If you already track metrics such as mean time to respond and the number of tickets handled each day, you can quantify the current workload and set measurable targets.
Consider a hypothetical security team. Your operators rely on a case management platform, but some contextual fields are often empty when a case is reviewed. The data exists; it just has to be retrieved from other apps. Manually cross-referencing those apps adds, on average, an extra five minutes to every case.
In this situation, automation rules can enrich the cases in the case management platform by pulling the additional details from the secondary apps, so that by the time a case reaches an operator the contextual fields are already filled in.
For instance, depending on your setup, the rule might combine the source IP address, the user account involved, the host, the timestamp, the number of logon attempts, previous flags on that user or host, and any other context your apps store. Enrichment should pull identity and context, never secrets: passwords or session tokens do not belong in a case record. Sparing your team from logging into several platforms to match data by hand saves valuable minutes on every case and lets them act faster.
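To make the enrichment step concrete, here is an added Python example (not code from the original post, nor from Metron's platform or any particular SOAR product). The identity directory, asset inventory and past-flag store are constructed in-memory lookups standing in for the secondary apps; the case, users, hosts and logon events are all hypothetical. The shape of the step is the generic one: look up each piece of context, record a gap rather than silently leaving a field blank when a lookup misses, and scrub secret fields before raw events are attached to the case.

```python
"""Added example: a minimal data-enrichment step of the kind a SOAR automation
rule would run before a case reaches an operator. All source "apps" below are
constructed in-memory lookups; every user, host and event is hypothetical."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for the secondary apps an operator would otherwise
# log in to by hand (asset inventory, identity directory, historic flags).
ASSET_INVENTORY = {
    "10.20.30.40": {"hostname": "fin-ws-017", "owner": "jdoe", "criticality": "high"},
    "10.20.31.9": {"hostname": "dev-ws-102", "owner": "asmith", "criticality": "low"},
}
IDENTITY_DIRECTORY = {
    "jdoe": {"department": "Finance", "mfa_enrolled": True},
    "asmith": {"department": "Engineering", "mfa_enrolled": False},
}
PAST_FLAGS = {
    "jdoe": ["2022-01-14 reported phishing email"],
}
# Fields that must never be copied into a case record, whatever a source returns.
SECRET_FIELDS = {"password", "session_token", "api_key"}


@dataclass
class Case:
    case_id: str
    user: str
    source_ip: str
    events: list[dict]            # raw logon events from the identity provider
    context: dict = field(default_factory=dict)
    gaps: list[str] = field(default_factory=list)


def enrich_case(case: Case) -> Case:
    """Fill in the contextual fields an operator would otherwise look up manually.

    Each lookup tolerates a miss: the miss is written to case.gaps so the operator
    can see what is known and what is not, instead of facing a silently empty field.
    """
    host = ASSET_INVENTORY.get(case.source_ip)
    if host:
        case.context["host"] = host
    else:
        case.gaps.append(f"no asset record for {case.source_ip}")

    identity = IDENTITY_DIRECTORY.get(case.user)
    if identity:
        case.context["identity"] = {k: v for k, v in identity.items() if k not in SECRET_FIELDS}
    else:
        case.gaps.append(f"user {case.user!r} not in directory")

    # Entry attempts: tally outcomes and record the time window they span.
    case.context["attempts"] = dict(Counter(e.get("result", "unknown") for e in case.events))
    stamps = sorted(
        datetime.fromisoformat(e["ts"]).astimezone(timezone.utc) for e in case.events if "ts" in e
    )
    if stamps:
        case.context["first_seen"] = stamps[0].isoformat()
        case.context["last_seen"] = stamps[-1].isoformat()

    case.context["past_flags"] = PAST_FLAGS.get(case.user, [])

    # A logon to a host whose inventory owner is someone else is worth calling out.
    if host and host["owner"] != case.user:
        case.context["owner_mismatch"] = True

    # Scrub secrets from the raw events before they are attached to the case.
    case.events = [{k: v for k, v in e.items() if k not in SECRET_FIELDS} for e in case.events]
    return case


def build_sample_case() -> Case:
    """Constructed case: four failed logons then a success, from a host owned by another user."""
    events = [
        {"ts": "2022-03-01T09:15:02+00:00", "result": "failure"},
        {"ts": "2022-03-01T09:15:31+00:00", "result": "failure"},
        {"ts": "2022-03-01T09:15:58+00:00", "result": "failure"},
        {"ts": "2022-03-01T09:16:20+00:00", "result": "failure"},
        {"ts": "2022-03-01T09:16:40+00:00", "result": "success", "password": "hunter2"},
    ]
    return Case(case_id="C-1", user="asmith", source_ip="10.20.30.40", events=events)


if __name__ == "__main__":
    enriched = enrich_case(build_sample_case())
    for key, value in enriched.context.items():
        print(f"{key}: {value}")
    print("gaps:", enriched.gaps)
```

Two design points carry over to a real playbook: the `gaps` list turns a missing lookup into visible information for the operator rather than an empty field they have to chase, and the `SECRET_FIELDS` scrub enforces the rule that enrichment carries identity and context into the case, never the credentials themselves.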
Overall, this is just one of the many ways data enrichment can contribute to your business's security; the use cases depend on your setup. A useful next exercise is to list every ticket, case and automated email your business generates and, for each one, note how the information in it could be made more complete.
Considering venturing into security automation and building data enrichment processes? Metron has experience integrating multiple SOAR platforms and building custom playbooks that rely on automation.
If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to firstname.lastname@example.org.