People often ask me, "How do I find the bad stuff on my network?" Well, the answer to this is relatively straightforward. Knowing what belongs on your network is a great way to know what doesn't belong on your network. Easier said than done, for sure. How do you come to know your network, or at least come close to knowing your network? Jumping off points are a key piece of answering this question. What is a jumping off point, you ask? It's all about perspective. Most organizations have an incredible amount of network traffic data. It's far too much to dig through with a fork. The trick is to organize the data using a number of different methods. These methods produce different views or perspectives into the data. Often, this results in certain suspicious or malicious activity jumping out at an analyst, which leads to further investigation. The part that the analyst seizes on? That's called a jumping off point.
In my experience, most organizations give their analysts a fork and a giant pile of data and say "dig." Naturally, most of us can't get our heads around the data in this manner (largely because it's so immense). I've found that creating actionable jumping off points for analysts allows them to seize upon anomalous events and investigate them to resolution. In my opinion, that's a much more efficient way to roll.
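To make the idea concrete, here is an added example (not code from the original post) that turns a pile of flow records into three perspectives an analyst can jump off from: destinations never seen in the known-good baseline, destinations only one internal host talks to, and top talkers by volume. The flow records and the baseline are constructed sample data, and the (src, dst, port, bytes) tuple layout is an assumption standing in for whatever your flow exporter produces.

```python
from collections import Counter, defaultdict

# Constructed sample flow records: (src host, dst ip, dst port, bytes sent).
# BASELINE stands in for "what belongs" (known-good history); TODAY is the new pile.
BASELINE = [
    ("10.0.1.10", "203.0.113.5", 443, 5200),
    ("10.0.1.10", "203.0.113.5", 443, 4800),
    ("10.0.1.11", "203.0.113.5", 443, 6100),
    ("10.0.1.12", "198.51.100.20", 53, 300),
    ("10.0.1.10", "198.51.100.20", 53, 250),
]
TODAY = [
    ("10.0.1.10", "203.0.113.5", 443, 5000),
    ("10.0.1.11", "203.0.113.5", 443, 5900),
    ("10.0.1.12", "198.51.100.20", 53, 310),
    ("10.0.1.12", "192.0.2.77", 4444, 120),  # constructed: not in baseline
    ("10.0.1.10", "203.0.113.5", 443, 5100),
    ("10.0.1.12", "192.0.2.77", 4444, 130),
    ("10.0.1.11", "198.51.100.20", 53, 280),
]


def known_pairs(flows):
    """The (dst ip, dst port) pairs the organization is known to talk to."""
    return {(dst, port) for _, dst, port, _ in flows}


def new_destinations(baseline, today):
    """View 1: flows to destinations absent from the baseline (what doesn't belong)."""
    seen = known_pairs(baseline)
    return [f for f in today if (f[1], f[2]) not in seen]


def rare_destinations(today, max_hosts=1):
    """View 2: destinations contacted by at most max_hosts internal hosts."""
    hosts = defaultdict(set)
    for src, dst, port, _ in today:
        hosts[(dst, port)].add(src)
    return sorted(k for k, v in hosts.items() if len(v) <= max_hosts)


def top_talkers(today, n=3):
    """View 3: internal hosts ranked by bytes sent, a volume perspective."""
    totals = Counter()
    for src, _, _, nbytes in today:
        totals[src] += nbytes
    return totals.most_common(n)


if __name__ == "__main__":
    print("new destinations:", new_destinations(BASELINE, TODAY))
    print("rare destinations:", rare_destinations(TODAY))
    print("top talkers:", top_talkers(TODAY))
```

Each view is cheap to compute over real flow exports and none of them is a detection on its own; a host showing up in more than one of them is the kind of jumping off point worth an analyst's time.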