If It Only Had a Brain, or BI Wrangles Big Data
In a posting on the LinkedIn Information Security Community group, Ken, a software development manager, posed the question, “Why does everyone have exactly what I don't need? I know how to collect and store large amounts of data. Problem solved. I don't need my SIEM solution to solve that problem for me. What I DO WANT is a "brain" that sits on top of my current data store and does security event detection.”
This was all Chris Sullivan needed to hear before he jumped in and handed Ken just the thing he was looking for.
“Wow... I had almost given up following LinkedIn Groups... What a great thread.
So…Ken's already got the big data. Marko saw a need for a BI tool (though didn’t explain why). Ian's recognized that RDB is not the right approach. Everyone is groping around for the answer. What's missing?
What if 18 months ago Courion Labs recognized this problem and redirected all of its focus to working with the smartest people out there to figure this out?
What if they applied adjacent innovation techniques to look for similar patterns/problems that have already been addressed by other industries and applied those techniques?
They would have seen that there's an extraordinary amount of data (big data) that's floating around by dint of just doing security operations and that companies ignore most of it (Ken noted this). At best they are looking into silos like SIEM or DLP (lots of people touched on this).
They would have leveraged the industry's largest collection of collectors (600+) and an open system to get that big data.
They would have realized that traditional relational DB approaches with workflow-centric computing would not work (thank you Ian) – it just takes too long to walk through that much information. They would have gone with something more appropriate like an OLAP cube and data-centric design.
They would have realized that even having big data in a high performance cube isn’t a solution for anyone except the guys who sell disk.
What’s missing? A way to think about and organize all of that information. A rich way to interact with it – because artificial intelligence will get you just so far – humans are still smarter so you need to augment them.
They would have taken a time-tested approach - one that was done with trader support systems 20 years ago or in the baseball industry in the early part of this century (think the business story behind Brad Pitt and Moneyball – or just Google Sabermetrics).
They would have applied best practices from 600+ Provisioning and Compliance solutions, COSO and FFIEC guidance for thinking about information security management and they would have developed a measurement framework for Access Risk Informatics that considers real time relationships between security events, activity, access, identities, etc.
They would package that into an Access Intelligence Engine that is constantly listening and synthesizing and measuring and alerting.
They would have realized that looking at this galaxy of information would be overwhelming so they would abandon current reporting solutions with bars and pie charts and 2 dimensional presentations of static data. They would have gone with a market leading BI tool for rich, interactive visualizations (thank you Marko) so that you can not only see the 1/10 of 1/10 of 1/10 of 1% of what’s important at any given moment but you can actually do something about it – you can extract all of that information and launch business processes to remediate issues immediately.
They would have called it something special...Like Access Insight™ and they would have released it into the wild 2 weeks ago.
Finally, they would have recognized that, like other industries, the InfoSec profession is about to get turned on its head…Fast...and in a big way…Because that's what happened to every other industry that figured out how to effectively use the information that they already have...
They would be organizing the best and brightest execs from across the industry in Boston next month – This time to think about how the role of the CISO and security operations in general is about to change and how to prepare for it. It would be an invitation only thing…but “I know a guy” so if you’re interested in participating and think you can add to the discussion, let me know.
Chris (yes, I’m from Courion Labs :)”