Data security is increasingly under threat inside the enterprise amid three converging forces: the proliferation of cloud tools and platforms; the many different types of data that they generate, and the need to correlate all of it for analytics.
While cloud platforms are the critical infrastructure for how technology teams scale and operate today, many companies still don’t have a clear or complete view of all their digital assets in this emerging environment. Advanced enterprise search capabilities, however, can eliminate blind spots and add an important layer of cybersecurity.
“Today, enterprises need to be able to query their environment, and they need to be able to query their data,” says Katie Teitler, senior product marketer at Axonius, a cybersecurity asset management company, and former research chief at TAG Cyber. “They need the ability to have a full-stack view of what’s going on in the network. Without good visibility or search capabilities, they can’t identify and address vulnerabilities.”
That is an important advantage of modern enterprise search. They use machine learning algorithms, natural language processing (NLP) capabilities, and other tools to better understand context and meaning from a wider array of data types and formats.
Here’s a look at three strategies to leverage advanced search to improve security.
Define search queries for security needs
Effectively searching databases can help enterprises address a range of security concerns, such as risks associated with system integrations, outside attacks, and insider threats. But security teams need to identify and refine their search targets.
“Organizations must contextualize security data within a business context,” says Jon Oltsik, senior principal analyst and ESG fellow at Enterprise Strategy Group, an IT research and strategy firm. “When I’m investigating suspicious behavior, I may be extra diligent if this behavior takes place in business-critical applications or data,” he says. To search for insider threats, Oltsik adds, security analysts “need to collect data on user access patterns so they can detect anomalous behavior.”
Data can help identify if an asset has a known vulnerability, and it can help identify potentially vulnerable devices on a network. “I can find answers to all these questions if I have the data and I have the right query capabilities,” Oltsik says.
Use search to accelerate and refine threat detection
Search tools can also help limit the damage of malware attacks. For example, in December 2021, a critical security vulnerability was identified in Apache Log4j, a Java tool used by countless applications for recording events into error logs. The vulnerability, called Log4Shell, allowed attackers to run malicious software, or even potentially take over, a server running Log4j. The challenge for CISOs continues to be how ubiquitous Log4j is.
“There are millions of applications and services running this library,” explains Mandy Andress, CISO at Elastic. “Dependencies were not easily identifiable, so it was really hard to even tell if you were impacted, if you needed to upgrade, if you needed to patch, or if you didn’t have any issues whatsoever.”
That’s where robust search came into play. Elastic knew its systems and assets could be vulnerable. And by working with partners and SaaS providers, its InfoSec team was able to identify thousands of potential security holes. But were those vulnerabilities being exploited?
The team then put search to work and was able to search vast amounts of data in mere seconds. A cursory search, across 60 clusters and a petabyte of data, took only 10 seconds, says Andress. A second and more targeted query, based upon those initial findings, delivered another set of results in less than a minute. In the past, that kind of searching could have taken days or even weeks — at which point additional risks would have been identified. Instead, Elastic was able to deploy patches and upgrades within a few hours.
Incorporate search into long-term security strategy
Attackers have continued to probe other widely used resources. “These attackers are going for the largest targets they can,” says Teitel.
Existing vulnerabilities will remain risks. “We’ll be seeing attacks in the future that are successful because there are unpatched and still vulnerable Log4j versions out there,” Andress says.
All of which makes search platforms an increasingly important tool for CISOs. “You can’t just say, ‘What’s in my environment today?’” says Teitel. “You have to search over time: ‘Where was I on April 1? Where am I now on May 1? Where will I be on June 1?”
It’s all part of a game of catch-up with attackers that security teams must continue to improve on, because the volume and complexity of threats will only increase. “Attackers have a lot of patience,” adds Teitel. “Time is on their side.”