There is no shortage of big data talk these days. One concept that I have always hoped would get more attention is the concept of data value. Much of today's big data discussion is dominated by volume, velocity, and variety, but I haven't seen much discussion of value, which is the one that matters most to a security team.
When security organizations tackle the big data challenge, they primarily focus on two things:
- Gaining access to every data source that might be relevant to security operations
- Warehousing the data from all of those data sources
This "collect everything" approach has a few root causes and consequences:
- Historically, access to log data was scarce, which created a "let's take everything we can get our hands on" culture
- There is no clear understanding of the value of each data source to security operations, which created a "let's collect everything so that we don't miss anything" philosophy
- The variety of data sources creates confusion, uncertainty, and inefficiency: the first question during incident response is often "Where do I go to get the data I need?" rather than "What question do I need to ask of the data?"
- The volume and velocity of the data deluge the collection/warehouse system, so the data cannot be retrieved in a timely manner when it is actually needed
A value-driven approach turns this around and starts from the questions rather than from the data:
- Determine logging/visibility needs systematically, based on business needs, policy requirements, the incident response process, and other guidelines
- Review the network architecture to identify the most efficient collection points
- Instrument the network where visibility is lacking
- Identify the smallest subset of data sources that provides the required visibility and value with the least amount of volume