By Sean Duca, Regional CSO, Palo Alto Networks

In recent years, organizations of all sizes have been collecting ever larger volumes of traffic and application telemetry from devices, logs, and services. Much of it is used to inform operational and strategic decisions. The same data can also significantly strengthen an organization’s security posture, but only if it is processed and used effectively.

There is plenty of data that organizations can and do collect to understand what is happening inside their environments: log files, system events, network traffic, application activity, alerts from threat detection systems, intelligence feeds, and myriad other sources. The sheer volume of this data poses a significant challenge when organizations try to extract value from it to inform security policy, threat detection, and risk mitigation.

If your systems cannot process the data you collect, they cannot make sense of it or correlate what is going on; you are really just sitting on dead logs. Adding to the challenge, collected data is often siloed in ways that keep a security professional from connecting the dots to identify potential issues. Analysts should not have to look at 25 different screens and make the connections by hand, which costs time and effort and distracts from the primary goal of actually identifying threats.

As an industry, cybersecurity created a world with so many point solutions that organizations have effectively been forced to become plumbers, connecting all these different products together. I think it is time we started looking for an approach that is more automated and integrated, because many of the tools people are using were never designed to interoperate.

Extracting greater value from data with automation and playbooks

Collecting the right data and extracting the highest value from it is not a single task or operation. It is a journey with several components: technology, people, and process.

Technology. From a technology standpoint, start by taking stock of what you actually have. Are your tools capable of identifying modern threats? If they are not, you have a problem, because you will not be collecting the logs and telemetry needed to make an informed decision.

Automation also plays a critical role in extracting more value from data. Given the volume being collected, even if it is all the right data, individual humans simply cannot keep up. A critical component is automating the identification of higher-value incidents: correlating and enriching simple log data so that it yields insight rather than noise.

People. Automation ties directly into the people side of getting the most value out of data. Many organizations have security operations centers (SOCs) staffed with IT professionals working rotating eight-hour shifts, clicking refresh and chasing logs. That is not going to help them find anything.

Adding insult to injury, the first line of defense and analysis is typically a level-one analyst, who often burns out within a year from the monotony of sifting through endless logs and deciding what to escalate. Think about the logic: the least experienced and lowest-paid person is the one making the call to escalate an incident to someone more senior. It does not make sense, and it is time to change the model.

When automation handles the deluge of data and becomes the first line of decision on what needs to be escalated, human talent can focus on more intricate challenges such as threat hunting. The easier a threat hunter’s life, where disparate data sources are linked to help chase potential risks rather than leaving the hunter to sift through alerts and large logs, the better.

Process. Finally, process is the key to continuous improvement and to always optimizing the value extracted from data. Go back to the drawing board regularly and keep refining the data and technology already in place. Keep creating playbooks to drive automation: any repeatable task should be automated as far as possible.

With all the sources of security data available to the modern enterprise, it can be overwhelming to figure out what to do. By first understanding what security data sources the organization has, streamlining processes with automation and playbooks, and tying everything together with technology to create a unified view, it is possible to dramatically improve security outcomes.

About Sean Duca:

Sean is vice president and regional chief security officer for Asia Pacific and Japan at Palo Alto Networks. In this role, he spearheads the development of thought leadership, threat intelligence, and security best practices for the cybersecurity community and business executives. With more than 20 years of experience in the IT and security industry, he acts as a trusted advisor to organisations across the region, helping them improve their security postures and align security strategically with business initiatives. Prior to joining Palo Alto Networks, he spent 15 years in a variety of roles at Intel Security (McAfee), most recently as Chief Technology Officer for Asia Pacific. Before that, Sean was involved in software development, technical support, and consulting services for a range of Internet security solutions.