Wednesday, January 26, 2011

Making Analysis About Analysis

At FloCon this year, I spoke about pictures. Yes, that's right, pictures. My point was that analysis is too hard -- most analysts spend about 80% of their time munging data and fighting with data and only about 20% of their time actually doing analysis. This is simply something we can't continue if we are to succeed in defending our networks. I tried to communicate my strong belief that analysis should be about analysis, and that we as a community need to both provide and use better tools to make this happen. I think the community will warm to this concept, but it won't happen overnight. I see "empowering the analyst" as a strategic direction that the community will likely be heading in the coming years. This plays nicely with the realization, across the larger cyber security community as a whole, that the time for analysis has come. We need to know our networks. Analysis has arrived.

Enriched Flow Data

Lately I've had a number of discussions with colleagues about how enriching network flow data (netflow) can take it from being a good analytical data source to a great and incredibly powerful analytical data source. Netflow is a data source with an incredible amount of breadth -- it's more or less a record of every transaction on your network. The good news for us analysts is that nowadays there is enough technology around to enrich netflow with layer 7 (application level) data. Once you do this, there is seemingly no limit to the creative and interesting analytical techniques you can develop. Something to think about for sure.
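To make the enrichment idea concrete, here is an added example (not code from the post or from any FloCon talk) that joins NetFlow-style 5-tuple records with layer-7 application labels exported by a hypothetical sensor, then asks two questions a flow record alone cannot answer: how much traffic each application actually carried, and which flows ran an application that does not match the well-known port they used. Both input files, the CSV column layout, and the `EXPECTED_APP` port table are constructed assumptions for the demonstration; real sensors export richer records and several flows can share a 5-tuple over time, so a production join would also key on a time window.

```python
"""Enrich flow records with layer-7 application labels and query the result.

Added example with constructed data; the CSV layouts below are assumptions,
not the output format of any particular flow collector or sensor.
"""
import csv
import io
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed flow records: ts,src,sport,dst,dport,proto,bytes,packets
FLOW_CSV = """\
1296000000,10.0.0.5,51234,93.184.216.34,443,6,5200,12
1296000001,10.0.0.5,51235,93.184.216.34,80,6,800,6
1296000002,10.0.0.9,40000,203.0.113.7,443,6,150000,900
1296000003,10.0.0.9,40001,203.0.113.7,53,17,120,2
1296000004,10.0.0.12,60010,198.51.100.20,443,6,4100,10
"""

# Constructed layer-7 metadata from a hypothetical sensor, keyed by the same
# 5-tuple: ts,src,sport,dst,dport,proto,app,detail.  The last flow above has
# no matching record, which is a realistic gap the join must tolerate.
L7_CSV = """\
1296000000,10.0.0.5,51234,93.184.216.34,443,6,tls,sni=www.example.com
1296000001,10.0.0.5,51235,93.184.216.34,80,6,http,host=www.example.com
1296000002,10.0.0.9,40000,203.0.113.7,443,6,ssh,version=SSH-2.0
1296000003,10.0.0.9,40001,203.0.113.7,53,17,dns,qname=example.net
"""

# Application an analyst would expect on a well-known destination port
# (assumed table; extend as your environment dictates).
EXPECTED_APP = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

FiveTuple = Tuple[str, int, str, int, int]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    nbytes: int
    packets: int
    app: str = "unknown"  # filled in by enrich()
    detail: str = ""

    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow CSV into Flow records (app still unknown)."""
    flows: List[Flow] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, src, sport, dst, dport, proto, nbytes, pkts = row
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport),
                          int(proto), int(nbytes), int(pkts)))
    return flows


def parse_l7(text: str) -> Dict[FiveTuple, Tuple[str, str]]:
    """Index layer-7 records by 5-tuple so the join is a dictionary lookup."""
    table: Dict[FiveTuple, Tuple[str, str]] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        _ts, src, sport, dst, dport, proto, app, detail = row
        table[(src, int(sport), dst, int(dport), int(proto))] = (app, detail)
    return table


def enrich(flows: List[Flow], l7: Dict[FiveTuple, Tuple[str, str]]) -> List[Flow]:
    """Attach app/detail to each flow; flows with no L7 record stay 'unknown'."""
    return [replace(f, **dict(zip(("app", "detail"), l7.get(f.key(), ("unknown", "")))))
            for f in flows]


def bytes_by_app(flows: List[Flow]) -> Dict[str, int]:
    """Traffic volume per observed application, something raw flow cannot give."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.app] = totals.get(f.app, 0) + f.nbytes
    return totals


def port_app_mismatches(flows: List[Flow]) -> List[Flow]:
    """Flows whose observed application contradicts the well-known port.

    Unknown flows are not flagged here: absence of L7 data is a coverage
    question, not evidence of mismatch, and deserves its own report.
    """
    return [f for f in flows
            if f.app != "unknown"
            and EXPECTED_APP.get(f.dport) not in (None, f.app)]


if __name__ == "__main__":
    enriched = enrich(parse_flows(FLOW_CSV), parse_l7(L7_CSV))
    print("bytes by app:", bytes_by_app(enriched))
    for f in port_app_mismatches(enriched):
        print(f"port/app mismatch: {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"carried {f.app} ({f.detail})")
```

In the constructed data the join surfaces one flow to 203.0.113.7 on port 443 that the sensor labelled as SSH rather than TLS, and it leaves the 10.0.0.12 flow labelled unknown, which is the kind of visibility gap an analyst would track separately rather than treat as an alert.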