In my previous blog post: “Assessing Enterprise’s Posture: Not-Enough Data or Too-Much Data?” we debated what volume of data classes is necessary for assessing an enterprise's risk and security posture. In this post, we will discuss the need for data correlation and context.

Correlation and Context are Mandatory for Enterprise Assessment 

The number of data classes – too few or too many – is not the only issue that enterprise assessment and modeling should address. To ensure an accurate assessment and model, those data classes should be respectively correlated, and assessment should be contextual.

Correlation is about establishing relationships between different data types. For example, relationships between 1) the severity of a vulnerability and 2) the ease for a hacker to detect this vulnerability. 

Contextual Assessment takes under consideration not just an event itself but also the circumstances that made that event happen or circumstances that influenced that event. 

Correlation and contextual assessment carry out a critical practical value: they enable optimal decisions. 

For example, contextual assessment of the above example will enable prioritizing remediation efforts: out of two equally severe vulnerabilities, the higher remediation priority gets the vulnerability which is easier to detect. The remediation decision will be done by placing the severity of the data type into the context of the ease-of-vulnerability discovery context. Please notice that this is an example when both data types are from the same space, i.e. Security. 

Another example where correlation between data classes that belong to different spaces is the following: finding a relationship between 1) severity of vulnerability (Security) and 2) a developer who made this vulnerability possible (Developer Efficiency). Contextual assessment of such a correlation will enable taking steps to improve that developer’s security skills, provide training, or remove him/her from security-sensitive projects. Here, the severity of the vulnerability is placed in the context of the developer’s efficiency.

Unfortunately too often, different data types are treated in isolation, out of context. That establishes a siloed approach to enterprise assessment, where each area gets assessed separately, without considerations of other areas. That results in siloed decisions, which might be good for a particular task/transaction/department, but not for an overall benefit of the entire enterprise. Thus, a win in one place can result in an overall loss.

Correlation and contextual assessment increase the accuracy of the assessment/model, enable multi-factor analysis, and allow replacing the siloed approach with a holistic approach by bridging a variety of data types from all corners and aspects of the enterprise.

Correlation and contextual assessment unlock insight into hidden issues such as insider threats, unnoticed vulnerabilities, and about-to-be-lost productivity, which might result in security and risk exposures, and eventually – in business failures. Far too often, inability to correlate and contextualize stems from the enterprise's reliance on multiple siloed tools and platforms,which makes correlation and contextualization difficult or even practically-impossible, leaving the decision-makers in the dark.