This afternoon I gave my GFIRST talk entitled "Uber Data Source: Holy Grail or Final Fantasy?". The purpose of the talk was to get people in the audience thinking about the challenges of complex network instrumentation/data collection and data overload confronting many Incident Response Center (IRC)/Security Operations Center (SOC) organizations today. A number of people seemed to agree that the current model of collecting dozens of different formats of data in increasingly larger and larger volumes and varieties can't continue.
The community appears to be receptive to the idea that we need to consider moving towards a consolidated uber data source that allows us to successfully monitor our networks and investigate incidents/events. In addition, there are a number of vendors beginning to move in this direction, which is great to see.
My talk should be posted on the GFIRST conference website (http://www.us-cert.gov/GFIRST) after the conclusion of the conference. I'd be interested in hearing thoughts and opinions regarding both the talk and the concept of the uber data source in general.