We’ve been told for years that we don’t have enough data for security. Then we see the headlines and quotes… “Organizations must prepare for collecting, processing, analyzing, and acting upon terabytes of security data.” “All decisions about cybersecurity strategies, program priorities, investments, etc. should be made based upon analysis of real-time and historical data.”
New companies are started to build “data lakes” with “machine learning” and “artificial intelligence”. Some of these companies even file for IPO and enter the public market on the promise of “big data”. But what data and types of data do we really need? Do we really need it all?
We interviewed Corey Bodzin, Chief Technology Officer from deepwatch, on Enterprise Security Weekly to discuss data collection and the criteria needed to determine if you should collect the data. Here are his recommendations:
- You do not need all of the data. What data to collect should be based on three key criteria:
- Maturity of your security program. If you’re still early in your program maturity, you definitely don’t need all of the data. Start with the basics.
- Cost of collecting the data. Not all data costs the same to collect and store. Active Directory logs are quite easy, while network packets can be quite costly.
- The value you can extract from the data. Adding additional threat intelligence sources doesn’t necessarily improve the value of that data set.
- Paul’s enchanted quadrants is a good staring point. Focus on the basics, usually in this order:
- Logs (Network, DNS, Applications, etc.)
- Endpoint (Logs, Processes, Files, etc.)
- Network (Flow, Packets, etc.)
- Threat Intelligence
- Ask the following questions to know if you should collect the data or not:
- How much is it to collect and store?
- What can you do with the data once you collect it?
- Can you collect enough of the data to make it valuable?
To get a deeper dive, watch the interview on Enterprise Security Weekly here, register for their on-demand webcast, How to Measure Security Operations Effectiveness, here, or visit securityweekly.com/deepwatch for more information.