Network traffic analysis plays an important role both in a successful network monitoring program and in an organization's overall information security posture. So why isn't it practiced more widely within the cyber security profession? Its newness and relative obscurity (until recently) are one reason for sure, but I'd argue that there is also another reason. As previously discussed (reference the post entitled "Making Analysis About Analysis"), analysis is often just too hard. Data is diverse, complex, and voluminous, and most of us have a hard time getting any kind of useful handle on it. When we do have ideas about how to make sense of the data, the amount of data munging and custom coding required to move those ideas from conception to implementation is discouraging at best.
So how can we best enable analysts to create new analytical techniques? I believe that analysts need to be provided with an analytical platform that gives them the freedom to quickly and easily develop, test, and implement new analytical techniques without the hassles of data munging and data manipulation. In other words, the analytical platform should abstract the data, providing the analyst with an intuitive way to interact with it. Additionally, the analytical platform should allow analysts to seamlessly interact with the results of their analytical queries as they conduct their investigation.
For many years, I have dreamed of such a capability. The good news is that there are now products and technologies coming onto the market that begin to address this need. Hear, hear!