Other security bloggers write posts of general interest to the community (like posts on why “security ROI” is shit, which reminds me of my 2007 post on the same topic, or posts on how MalwareTech is doing), but I am sticking to esoteric detection engineering and security operations stuff because… I dunno… it is just more fun for me. Furthermore, I feel like I already spouted a lot of broad generalities on the fate of infosec in the past, and our beloved domain of work (NEW!! Now with cyber!) is such a Groundhog Day anyway (patch faster or malware will get you – circa 2013).
So, here is an esoteric debate to have: what is a bigger challenge for large-scale security data analysis efforts, a scalable platform or effective detection content?
My buddy Rocky will perhaps disagree (well, I know he will!), but I see too many organizations sitting next to their shiny new security data lakes and contemplating their lack of threat detection. One representative quote was “In 2017, we used Hadoop to build a SIEM of 1998” [just as smart for threat detection, but for sure with better scalability!]. Hence my vote goes to…
PLATFORM IS EASY, DETECTION CONTENT IS HARD.
All in all, it reminds me of a late 1990s debate about whether a commercial IDS should ship with signatures (no, really, it did happen!). Back then, some really smart people (they know who they are) opined that “best IDS signatures are written by clients who know their own environments well” hence “we just need to ship a NIDS engine and some sample sigs.” Guess what? The vendors led by said smart people all failed, and those who shipped lots of signatures prospered.
As a funny aside, a few weeks ago I saw a press release from a vendor promising “100 million EPS platform” (!). My first reaction? This will create a mother of all data lake failures (a big data “FAILK”? Or [as was suggested by my colleague] “a data FLAILK”?) if they don’t ship detection content to go with it.
Along the same lines, today I usually discourage clients from planning to use general purpose data analytics tools for security. Sure, it can work, but the amount of work is often staggering. Smart detection content is hard, and for simple detection content, you can just buy a box.
OK, so right about here an astute reader will say, “But Anton, you whine that people buy too many boxes, but here you suggest they get another box rather than adapt the tooling they have.” Sure, good observation! However, while some organizations can run super-impressive DIY security analytics efforts, many cannot even operationalize a box they purchased. Indeed, we are talking about different maturity levels of organizations.
In fact, for the majority of organizations, BOTH “scalable platform” AND “smart detection content” are too hard. However, lately I’ve seen too many enlightened organizations that managed to succeed with the scalable platform part only to then fail with the detection logic…