Data Normalization is a process of reorganizing information in a database to meet two requirements: data is only stored in one place (reducing the data) and all related data items are sorted together. Normalization is beneficial in databases to reduce the amount of memory taken up and improve performance of the database. These databases are often run by “normalizers” routines which edit and “normalize” incoming data streams to allow the data to be indexed, searchable, and easily analyzed.
Varying forms of normalization exist on levels of increasing complexity. The complexity is due to the set of requirements that must be met to achieve normalization. The most basic is known as First Normal Form, which is often abbreviated 1NF. First Normal Form allows a database to normalize its data in the following three ways:
- Eliminate repeating groups in individual tables.
- Create a separate table for each set of related data.
- Identify each set of related data with a primary key
There are 2nd and even 3rd normal forms with other criteria applied.
How is Cybersecurity and Data Normalization Related?
In a Cybersecurity sense, a normalized intrusion detection database might identify a breach by enabling multiple disparate events (data) to be normalized into a single database that is searchable with a variety of automated scrips to create a clear picture of a potential breach. Take these events for example separately:
- Multiple failed logins followed by a successful login.
- Creation of a new user account.
- Download of a file from a server.
Separately, these are everyday activities. However, if normalized into an Intrusion Detection Service (IDS) database, you may be able to link a few things together. Namely that the failed logins were for a privileged account. The successful login occurred after 1000 failed logins on the privileged account. That successful login account was responsible, within 20 minutes, for the new account creation. The new user account was used to download the file from a protected human resources folder on your server. Pulled together in this way, and you have a clear breach on your hands. As separate events, you do not have such clarity.
Data Normalization Summary:
We are in an age overflowing with data. Normalization attempts to make this flood of data processable, to enable businesses to tease out intelligence from the aggregated data. Doing so makes that data actionable for decision making beyond the disparate unrelated data points.
Additional Reading: The Grey Morality of Stolen Data
Related Terms: Integrity
What does this mean for an SMB?
Data normalization plays a significant role in the security of some SMB networks. Having normalizers work on your critical cybersecurity data can help make the data more actionable where it might not otherwise be possible. Normalization significantly contributes to the fortification of a network, especially in light of typical networks’ three main weak points: traffic handling, inspection, and detection. It’s a good idea to work with your IT professionals, and possibly a 3rd party managed security service provider (MSSP) to gather and normalize your cybersecurity data. Taking in data from disparate systems to make that data actionable in near-real-time by Intrusion Detection and Prevention Systems (IDS/IPS) combined with Security Incident Event Monitoring (SIEM) is highly valuable.
These IDS/IPS and SIEM services are not cheap and may not be available to all SMBs to implement in their networks. For high value, high stakes environments, this technology can make a big difference in the overall network security.