Seeing the big (security insights) picture with DataBee

The evolution of digital photography mimics the changes that many enterprise organizations face when trying to understand their cybersecurity controls and compliance posture. Since the late 1990s, technology has transformed photograph development from an analog, manual process into a digital, automated field. These images hold our memories, storing points in time that we can look back on and learn from. Cybersecurity, in turn, is experiencing a similar transformation. 

When you consider the enterprise data pipeline problem that DataBee™ from Comcast Technology Solutions aims to solve through the everyday lens of creating, storing, managing, and retrieving personal photos, the platform’s evolutionary process and value makes more sense.  

Too many technologies generating too much historical data 

Portable, disposable Kodak cameras were all the rage in the 1990’s; but it could be days or weeks before you could see what you snapped because films needed to be sent for processing.  

Over the 2000s, however, these processes increasingly turned digital, accelerating results dramatically. While high-quality, professional-grade digital cameras aren’t in danger of becoming obsolete, once cell phones with integrated cameras hit the market, they became an easy on-the-go way to capture life’s historical moments even though the picture might not develop until days, weeks, or maybe never as they’re left on the roll of film. Today, people use their smartphone devices lending even more depth and quality as we capture from family gatherings to vacation selfies instantly.

At Comcast, we faced a similar enterprise technology and security data problem. Just as people handle different kinds of images and the technologies that produce them, we have vast amounts of technologies that generate security data. It’s a fragmented, complicated environment that needs to handle rapidly expanding data.  

Across the enterprise, Comcast stores and accesses increasingly larger amounts of data, including: 

• 8000 month-by-month scans 

• 1.7 million IPS targeted monthly for vulnerability scanning 

• 7 multiple clouds or hybrid cloud environment 

• 10 petabytes worth of data in our cybersecurity data lake 

• 109 billion monthly application transactions 

Finding the right moment in time 

Let’s play out a scenario: You let your friend in on a stage in your life where you had bright red hair. Their response? “Pics or it didn’t happen.” To track down the historic photo, it takes immense effort to: 

1. Figure out the key context about where and when it was captured. 

2. Find the source of where the photo could be – is it in a hard drive? A cloud photo album? A tagged image in your social media profile? 

3. Identify the exact photo you need within the source (especially if it is not labeled). 

Comcast faced a similar data organization and correlation problem in their audits and their threat hunting. While we were drowning in data, we found that at the same time we were starved for insights.  We were trying to connect relevant data to help build a timeline of activity of a user or device but as the data kept growing and security tools kept changing, we found data was incomplete or took weeks' worth of work to normalize and correlate data.  

We faced many challenges when trying to answer questions and fractured data sources compounded this problem. Some questions we were asking were – do all the employees have their EDR solution enabled? Is there a user with the highest number of security severities associated to them across all their devices? And on answering these questions quickly and accurately, such as: 

• People maintaining spreadsheets that become outdated as soon as they’re pulled.  

• People building Power BI or Tableau reports without having all the necessary data.  

• Reports that could only be accessed from inside an applications console, limiting the ability to connect them to other meaningful security telemetry and data.  

Auditing complex questions can be unexpectedly expensive and time consuming because data is scattered across vast, siloed datasets. 

Getting security insights 

Going back to the scenario where pictures are stored on all these disparate devices, it initially seems like a reasonable solution to just consolidate everything on an external hard drive. But, to do that, you must know each device’s operating system and how to transfer the images over. They differ in file size, filetype, image quality, and naming convention. While one camera dates a photo as “Saturday January 1, 2000,” another uses “1 January 2000.” In some cases, the images contain more specific data, like hour, minute, and second. Consolidating the pictures in cloud-based storage platforms only solves the storage issues – you still have to manage the different file formats and attached metadata to organize them by the actual date a picture was taken rather than date a batch of photos were uploaded.  

Translating this to the security data problem, many organizations find that they have too much data, in too many places, created at too many different times. And said data are in different file types, unique formats, and other proprietary ways of saying the same thing. Consolidating and sorting data becomes chaotic.  

As a security, risk, and compliance data fabric platform, DataBee ingests, standardizes, and transforms the data generated by these different security and IT technologies into a single, connected dataset that’s ready for security and compliance insights. This is surprisingly like adding a picture to your “Favorite” folder for easy access. Organizations need to accurately and quickly answer questions about their security and compliance.  

The objective at Comcast was to solve the challenge of incomplete and inaccurate insights caused by siloed data stores. DataBee provides the different security data consumers access to analytics-derived insights. The end result enables consistent, data-driven decision making across teams that need accurate information about data security and compliance, including: 

• Chief Information Security Officer (CISO) 

• Chief Information Officer (CIO) 

• Chief Technology Officer (CTO) 

• Chief Data Officer (CDO) 

• Governance, Risk, and Compliance (GRC) function 

• Business Information Security Officer (BISO) 

While those people need the insights derived from the platform, we also recognized that the regular users would inhabit many roles: 

• Threat hunters 

• Data engineers 

• Data scientists 

• Security analytics and engineering teams 

To achieve objectives, we started looking at the underlying issue - the data, its quality, and its accessibility. At its core, DataBee delivers ready-to-use content and is a transformation engine that ingests, autoparses, normalizes, and enriches security data with business context. DataBee’s ability to normalize the data and land it in a data lake enables organizations to use their existing business intelligence (BI) tools, like Tableau and Power BI, to leverage analytics and create visualizations.  

Transforming data creates a common “language” across: 

• IT tools 

• Asset data 

• Organizational hierarchy data  

Security semantics aren’t easy to learn – it can take years of hands-on knowledge on a variety of toolsets. DataBee has the advantage of leveraging learnings from Comcast to create proprietary technology that parses security data, mapping columns and values to references in the Open Cybersecurity Framework (OCSF) schema while also extending that schema to fill in currently existing gaps. 

Between our internal learnings and working with customers, DataBee delivers pre-built dashboards that accelerate the security data maturity journey. Meanwhile, customers who already have dashboards can still use them for their purposes. For example, continuous controls monitoring (CCM) dashboards aligned to the Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Technology and Standards Cybersecurity Framework (NIST CSF) offer a “quick start” for compliance insights.  

DataBee can help customers achieve various security, compliance, and operational benefits, including: 

• Reduced security data storage costs by using the Snowflake and Databricks 

• Gaining insights and economic value by leveraging a time-series dataset  

• Real-time active detection streams with Sigma rules that optimize SIEM performance 

• Asset discovery and inventory enrichment to identify and suggest appropriate ownership  

Weave together data for security and compliance with DataBee 

Want to see DataBee in action and how we can help you supercharge your security, operations, and compliance initiatives? Request a custom demo today.