In a recent print edition of The Economist there is a very relevant article, “Modeling Brains: Does not compute.” It is a cautionary tale about the promises of modern brain science, where the hope is that torrents of data will somehow yield the critical nuggets needed to understand the human brain. The stark realization is that more information is not the same thing as more understanding. In cybersecurity, with its myriad tools and endless supply of data to analyze, the same conclusion is hard to avoid.
In a new Ponemon Institute study, 70% of the SIEM users surveyed said they need more meaningful and prioritized alerts than they get today. Security analysts and practitioners are drowning in data and looking for the insight that will make them more productive. SIEMs are good tools for logging and compliance, but users still have to write sophisticated correlation rules across many event streams before they get any meaningful signal about a potentially serious incident. More data is not the panacea. In fact, a “less is more” strategy may be the better one.
Consider the opposite approach: start with an advanced threat detection tool that solves one particular problem really well. You begin with a meaningful, high-confidence detection of a new threat, then add context and correlation from other detection and identity tools to build a comprehensive view of the whole incident. The result is less noise (less meaningless data) and more actionable information.
Such a solution requires both strong detection capabilities and a scale-out architecture that can ingest multiple data sources and correlate them over an extended time horizon. It is now possible to do this and present a single, correlated timeline of all events pertaining to a given user or host. This “less is more” approach significantly speeds up incident response by saving precious time for security analysts and incident responders.
Given the steady stream of high-profile breaches (the OPM and DNC hacks being the latest), advanced threat detection, security analytics, and response automation must be seamlessly integrated, so that attacks are detected quickly and the security practitioner's work of incident response and remediation becomes faster and easier.
We will be releasing more information from the Ponemon Institute study over the next month and will publish the full report on March 1.