Author: Ravi Devireddy, Founder & CTO
In my last post, I compared organizations analyzing an increasing number of terabytes of data to looking for lost keys in a parking lot — at first with nothing but a flashlight, and then with floodlights. Both tools have their uses, but neither is incredibly useful for this task. One doesn’t give you enough data; the other gives you too much data.
Often, siloed data sets use rule-, threshold-, or policy-based alerts, with much of the burden of “connecting the dots” falling on the operations analysts. Finding the relevant insights and actionable information that guide their day-to-day mission is incredibly challenging.
There are two reasons for this:
- The propensity for rule-, threshold-, and policy-based alerts to give false positives and false negatives. We’d all love it if detecting threats were as simple as either “threat” or “not a threat.” However, the only black-and-white thing about threats is after they’ve succeeded: either you’ve been breached or you haven’t. In reality, determining whether something is a threat — especially if it’s one that no one has ever seen before or when it seems like legitimate activity — is rife with many shades of gray.
- Even when ingested by a SIEM, data from different rule-, threshold-, and policy-based alerts is still effectively siloed. Because determining whether something is a threat, or whether it presents a risk to the organization, is a matter of degree, connecting seemingly irrelevant data and alerts from these technologies into the whole story is the best way to understand whether something leans more towards the “threat” side of that scale or the “not a threat” side.
Wikipedia defines “analytics” as “…the discovery, interpretation, and communication of meaningful patterns in data.” We, as a community of solution providers and consumers of analytics, must strive toward a common understanding of what “meaningful” actually means in the era of security big data and almost-daily news of successful cyberattacks, even within enterprises that have the most mature security programs.
In his book, A More Beautiful Question: The Power of Inquiry to Spark Breakthrough Ideas, Warren Berger has the following thoughts that I think are pertinent to our community:
Is “knowing” obsolete? The glut of knowledge has an interesting effect, as noted by author Stuart Firestein: It makes us more ignorant. That is to say, as our collective knowledge grows — as there is more and more to know, more than we can possibly keep up with — the amount that the individual knows, in relation to the growing body of knowledge, is smaller.
As expertise loses its shelf life, it also loses some of its value. If we think of questions and answers as stocks on the market, then we could say that in this current environment, questions are rising in value, while answers are declining. “Right now, knowledge is a commodity,” says the Harvard education expert, Tony Wagner. “Known answers are everywhere, and easily accessible.” Because we’re drowning in all of this data, “…the value of explicit information is dropping,” according to Wagner’s colleague at Harvard, the innovation professor, Paul Bottino. The real value, he adds, is in “…what you can do with that knowledge, in pursuit of a query.”
A more beautiful question …a more beautiful question is an ambitious yet actionable question that can begin to shift the way we perceive or think about something — and that might serve as a catalyst to bring about change.
The problem is not just rapid change, it’s also the sheer volume of information rushing at us from all directions and many sources. Without a filtering device, we can’t separate what’s relevant or reliable from what’s not. When we’re overloaded with information, “…context becomes critical,” says John Seely Brown, chief scientist and head of Xerox Corporation’s Palo Alto Research Center. “What matters now is your ability to triangulate, to look at something from multiple sources, and construct your own warrants for what you choose to believe.”
Can the promising new analytics technologies help security operations ask better questions? For the most part, our current state-of-the-art search engines and dashboards are better suited to responding to questions, and not so good at asking them. Picasso was onto this truth fifty years ago when he commented, “Computers are useless — they only give you answers.” We live in the age of answers, but perhaps our objective as a community is to strive towards more beautiful questions.