26 Mar 2020

The Power of a Common Data Schema

You don't need dashboards, you need a data schema

Communication is challenging. Much of the technology we value today earned its place in the world by changing how we communicate. The medium continues to evolve, but the drive to share inside and outside of our tribe remains the same. Many of the security problems we face today exist because we struggle to communicate their importance to those around us.

This problem doesn’t only exist when we seek to convey understanding outside of our teams, but internally as well. Those of us from an Application Security or Red Team background attempt to communicate through testing frameworks and methodologies. We focus on stories about threats, risk and vulnerability. We try to add clarity by using common taxonomies like STRIDE and DREAD or through CVE and CWE attributes. But even then the story may never live long enough to make it outside of our team, let alone to a business unit. Blue team defenders tell stories about threat actors and adversaries through kill-chain models, IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures). The stories are often interesting and fun to hear, but tough to turn into strategic information that an organization can leverage for change.

We have never had more data, especially security data, so why do we continue to see more and more cyber security incidents? Why do these data-filled stories consistently fail to drive change? Inevitably these data diatribes end with the same question: So what?

Data alone doesn’t convey meaning. Data supports an assertion, but context is necessary for data to have value. Why then is context so difficult? Adding context often requires expertise and institutional awareness, both of which are tough to come by. So how can we add context without bogging down our most precious resources? We can choose a common lexicon or taxonomy; this is more important than any dashboard or single-pane-of-glass fantasy we may have. Ironically, a common language makes meaningful dashboards much more doable.

There are many great schemas available for use by security practitioners. Splunk’s Common Information Model (CIM) and Elastic’s Elastic Common Schema (ECS) are good examples of ways to provide a common dialect for our data conversations. The particular taxonomy matters less than how easily it can be adapted to our environment. In later posts we will look at how this commonality in our data helps turn information into intelligence. Using that intelligence we can efficiently drive change and enable our organizations to take more risk where it will benefit them most.
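As an added example (not code from the original post), here are two constructed log records, an sshd auth line and a Windows-style logon record, mapped onto ECS field names so that a single query can run across both sources; the sample inputs and the mapping functions are assumptions for illustration, while the field names (event.category, event.outcome, user.name, source.ip) are real ECS fields.

```python
"""Normalize two differently shaped auth records into ECS-style fields.

Added example, not code from the original post. The input records are
constructed samples; the mapping functions are illustrative assumptions.
"""
import re

# Constructed inputs: a syslog-style sshd line and a dict shaped like a
# Windows Security logon event as another shipper might deliver it.
SSHD_LINE = "Mar 26 10:14:02 bastion sshd[2211]: Failed password for alice from 10.0.0.7 port 51022 ssh2"
WIN_RECORD = {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9", "Status": "0xC000006D"}

SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")

def sshd_to_ecs(line):
    """Map an sshd password-auth line onto flattened ECS field names."""
    m = SSHD_RE.search(line)
    if not m:
        return None  # not an auth line we understand; leave it unmapped
    return {
        "event.category": "authentication",
        "event.outcome": "failure" if m.group("outcome") == "Failed" else "success",
        "user.name": m.group("user"),
        "source.ip": m.group("ip"),
        "observer.product": "sshd",
    }

def windows_logon_to_ecs(rec):
    """Map a Windows logon record (4624 = success, 4625 = failure) onto ECS."""
    if rec.get("EventID") not in (4624, 4625):
        return None
    return {
        "event.category": "authentication",
        "event.outcome": "success" if rec["EventID"] == 4624 else "failure",
        "user.name": rec["TargetUserName"],
        "source.ip": rec["IpAddress"],
        "observer.product": "windows-security",
    }

def failed_logons_by_source(events):
    """One query over both sources, possible only because the fields are shared."""
    counts = {}
    for e in events:
        if e and e["event.category"] == "authentication" and e["event.outcome"] == "failure":
            counts[e["source.ip"]] = counts.get(e["source.ip"], 0) + 1
    return counts

if __name__ == "__main__":
    normalized = [sshd_to_ecs(SSHD_LINE), windows_logon_to_ecs(WIN_RECORD)]
    print(failed_logons_by_source(normalized))  # {'10.0.0.7': 1, '10.0.0.9': 1}
```

The same count function would work unchanged for any further source whose events are mapped onto these fields, which is the practical payoff of agreeing on a schema before building dashboards.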