When we listen to IT folks talk about big data and analytics as a powerful possibility, we should remember OT organizations have been information-driven from the start. Industrial control systems and environments have always been managed and optimized through applied information—even if nobody called it analytics at the time.
But digital transformation and the expansion of technology across the enterprise now means organizations are collecting data at an exponentially increasing rate, with IT organizations looking to turn those mountains of systems data into actionable insights on how they can build, run, and secure environments with greater visibility and control.
This means that real, meaningful IT/OT convergence is fundamentally about bringing data together so teams on both sides of the perimeter are empowered to collaborate and cooperate from a single shared source of truth. This is when many of the big-picture benefits of unified operations—visibility, efficiency, faster risk mitigation—really start to emerge.
The more information that can be integrated into this single source of truth, the better—thus the need for more advanced methods of storing and analyzing large amounts of information. It’s critical to understand the downstream implications of these choices on daily operations and long-term strategy.
The relative ease and low cost of data collection means organizations are accumulating more information than ever in pursuit of that shared objective truth, OT and cybersecurity teams included. They know that more data can help create richer context, which then enables more accurate decision-making.
But how organizations achieve this aggregated view matters, and as security and IT teams begin to rethink how data gets stored and used, it’s important to understand two components of a modernized, data-led security for both IT and OT: SIEM analysis and data lake storage.
You’ve probably already heard about security organizations deploying Security Information and Event Management (SIEM) solutions: essentially high-powered log ingestion platforms that enable teams to quickly contextualize incidents by correlating what is known about expected system and user behavior against the unexpected anomalies that show up in the data.
SIEM solutions can ingest data from a diverse set of sources. Teams can import log and/or telemetry data directly from devices or databases. They can also be integrated with the newer enterprise data strategies organizations are currently building.
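To make the SIEM idea concrete, here is an added example (not code from the original post or from any product it mentions) of the core loop a SIEM performs: ingest logs in different formats from an IT source and an OT source, normalize them into one record shape, learn a baseline of expected behavior, and flag events that deviate from it, escalating when an anomaly on the IT side and an anomaly on the OT side come from the same actor. The log formats, hostnames, controller name and IP addresses are all constructed for illustration.

```python
"""
Added example (not from the original post): a miniature SIEM-style pipeline.
It ingests constructed log lines from an IT source (SSH logins) and an OT
source (PLC write commands), normalizes them into one record shape, builds a
baseline of expected behaviour, and flags events that fall outside it.
Every hostname, IP address and log format below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logs: two formats, one from each side of the IT/OT perimeter.
IT_AUTH_LOGS = [
    "2023-02-10T08:01:12Z sshd: Accepted publickey for ops from 10.0.1.15",
    "2023-02-10T08:02:40Z sshd: Accepted publickey for ops from 10.0.1.15",
    "2023-02-10T22:15:03Z sshd: Accepted password for ops from 198.51.100.7",
]
OT_PLC_LOGS = [
    "2023-02-10 08:05:00 PLC-3 WRITE coil=12 value=1 src=10.0.1.15",
    "2023-02-10 08:06:30 PLC-3 WRITE coil=12 value=0 src=10.0.1.15",
    "2023-02-10 22:16:10 PLC-3 WRITE coil=7 value=1 src=198.51.100.7",
]


@dataclass(frozen=True)
class Event:
    """One normalized record, whatever source it came from."""
    timestamp: str   # ISO-8601 text so events from both sources sort together
    source: str      # "it-auth" or "ot-plc"
    actor: str       # IP address that initiated the action
    action: str      # what happened
    target: str      # host or controller acted upon


IT_RE = re.compile(r"^(\S+) sshd: Accepted (\w+) for (\w+) from (\S+)$")
OT_RE = re.compile(r"^(\S+) (\S+) (\S+) WRITE coil=(\d+) value=(\d) src=(\S+)$")


def parse_it(line):
    """Parse one constructed SSH auth line into an Event (None if it doesn't match)."""
    m = IT_RE.match(line)
    if not m:
        return None
    ts, method, user, src = m.groups()
    return Event(ts, "it-auth", src, f"login:{method}:{user}", "jumphost")


def parse_ot(line):
    """Parse one constructed PLC write line; the split date/time is joined into ISO form."""
    m = OT_RE.match(line)
    if not m:
        return None
    date, time, plc, coil, value, src = m.groups()
    return Event(f"{date}T{time}Z", "ot-plc", src, f"write:coil{coil}={value}", plc)


def normalize(it_lines, ot_lines):
    """Ingest both feeds into one time-ordered stream: the 'single source of truth'."""
    events = [e for e in map(parse_it, it_lines) if e]
    events += [e for e in map(parse_ot, ot_lines) if e]
    return sorted(events, key=lambda e: e.timestamp)


def hour_of(ts):
    return int(ts[11:13])


def build_baseline(events, window=(6, 18)):
    """Expected behaviour: which actors touch which targets during working hours."""
    baseline = defaultdict(set)
    for e in events:
        if window[0] <= hour_of(e.timestamp) < window[1]:
            baseline[e.target].add(e.actor)
    return baseline


def correlate(events, baseline, window=(6, 18)):
    """Flag events outside the baseline and correlate them across sources.

    An out-of-baseline IT login followed by an out-of-baseline OT write from the
    same actor is escalated, because each alone is noise but together they are
    a pattern worth a human's attention.
    """
    findings = []
    suspicious_actors = set()
    for e in events:
        expected = e.actor in baseline.get(e.target, set())
        in_hours = window[0] <= hour_of(e.timestamp) < window[1]
        if expected and in_hours:
            continue
        severity = "medium"
        if e.source == "ot-plc" and e.actor in suspicious_actors:
            severity = "high"  # IT anomaly and OT anomaly from the same actor
        suspicious_actors.add(e.actor)
        findings.append((severity, e))
    return findings


if __name__ == "__main__":
    stream = normalize(IT_AUTH_LOGS, OT_PLC_LOGS)
    for severity, event in correlate(stream, build_baseline(stream)):
        print(severity, event.timestamp, event.source, event.actor, event.action, event.target)
```

The point of the example is the shape of the work rather than the toy rules: the value comes from the normalization step that lets an SSH login and a PLC write sit in the same stream, so a single correlation pass can see that the same off-hours actor appears on both sides of the perimeter. A real SIEM learns its baseline from history rather than from the stream it is scoring, and uses far richer rules, but the ingest-normalize-baseline-correlate loop is the same.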
Both IT and OT teams are leveraging the power of information to improve how they secure their environments. Getting more data into one place, and making it accessible to common tools, will always yield better results. But all that accumulation can be difficult, and traditional databases—even consolidated data warehouses—can’t keep pace.
Data lakes enable organizations to serve distributed data needs with a centralized repository. This enables OT teams to begin to maximize their data collection efforts even as assessment and analysis strategies are still in flight. Teams can also collect the information once and use it multiple times for asset management, CCM, and other critical security workflows, including SIEM analysis.
As decision-makers look to enable stronger, smarter, data-driven security analytics across the entire enterprise, they can combine SIEM and data lake repositories for maximum impact. There are a couple of different strategies for achieving both completeness of storage and accuracy of structure.
As the demand for data-led decision-making grows, enterprise data strategies are changing. The move from traditional databases towards data aggregation enables organizations to take full advantage of new technologies such as SIEM log aggregation and data lakes. It’s up to OT leadership to help organizations understand the impact these decisions have on achieving the data convergence needed to secure the modern enterprise.
If you’re attending S4x23, be sure to catch our thought leadership talk on OT Data Lakes on Thursday, February 16th at 1:30pm Eastern.