Can you react as fast as The Flash?

So here’s the thing. As we’ve been talking about (and I’m assuming you are bored with the topic already), log data is not enough. One of the key reasons we usually overlook is the reality that logs are a BACKWARD looking indicator. If it’s in the logs, it has already happened, and therefore you may be too late to stop the attack. Unless you have a time machine, that is.

Now to be clear, looking backwards is very important. Doing a post-mortem after any kind of incident is absolutely critical. And the log data is critical for forensics purposes to figure out what happened and ensure a data breach is contained and the damage controlled. But unfortunately, by the time your logs see something, it’s already happened and therefore it’s fairly unlikely you’d be able to intervene and stop the attack.

For many years (back from my Security Incite days), I’ve been talking about this concept of REACTING FASTER. My contention was that you can’t get ahead of the threat, so you had better be able to figure out what’s happening so you can remediate and contain the damage. You can’t do that with logs alone. But you can react EVEN faster if you are looking at these other data types. For instance, by correlating the data you get from configuration assessment and performance metrics with the events themselves, you are more likely to catch something that is happening than if you were just looking at the logs.

It’s a concept known very well to lawyers of all shapes and sizes. Despite your potential disdain for all things legal (especially if you’ve had a disclosure event), the need for corroborating evidence makes a lot of sense. It turns out that having information to corroborate the attack vector and root cause is key to being able to react faster. I’ve yet to meet a security professional who’s told me he/she has too much time. We don’t get to finish everything on our list every day, so we need to work smarter. That means reducing the number of false positives and investigating only the alerts that present the greatest threat to your environment. If you can prioritize more effectively, your security will improve. Guaranteed.

It reminds me of my days in the anti-spam business. We wouldn’t rely on just one detection method to determine if a message was crap. We’d use over 50 different techniques and analyze the results to get a more statistically relevant answer. That’s what eIQ does with all the additional data types. It allows customers to get closer to the truth before spending a lot of time going down the proverbial rat hole.
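To make the corroboration idea concrete, here is an added example (not eIQ’s code, and not from the original post) that takes three independent data types the post mentions, log events, configuration-assessment findings and performance metrics, groups them per host within a time window, and ranks hosts by how many data types agree. The sample records, host names and the ten-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Each record is
# (ISO timestamp, host, description). Three independent data types:
LOG_EVENTS = [
    ("2024-01-01T10:00:00", "web01", "failed ssh login for root"),
    ("2024-01-01T10:02:00", "web02", "failed ssh login for root"),
]
CONFIG_FINDINGS = [
    ("2024-01-01T10:03:00", "web01", "new listening port outside baseline"),
]
PERF_METRICS = [
    ("2024-01-01T10:04:00", "web01", "outbound bytes 8x above 7-day mean"),
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def _parse(ts):
    return datetime.fromisoformat(ts)


def corroborate(logs, configs, perf, window=WINDOW):
    """Score each host by the number of independent data types that report
    something within `window` of that host's earliest record.

    Returns a list of (score, host, evidence) sorted so the best-corroborated
    hosts come first; a host seen in only one data type scores 1 and sinks to
    the bottom of the queue.  (Anchoring the window at the earliest record is
    a simplification; a production engine would slide the window.)"""
    sources = {"log": logs, "config": configs, "perf": perf}
    by_host = defaultdict(list)
    for kind, records in sources.items():
        for ts, host, desc in records:
            by_host[host].append((_parse(ts), kind, desc))

    alerts = []
    for host, recs in by_host.items():
        recs.sort()                      # chronological order
        anchor = recs[0][0]              # earliest record opens the window
        in_window = [r for r in recs if r[0] - anchor <= window]
        kinds = {kind for _, kind, _ in in_window}
        alerts.append((len(kinds), host, [d for _, _, d in in_window]))

    # Highest corroboration first; host name breaks ties deterministically.
    alerts.sort(key=lambda a: (-a[0], a[1]))
    return alerts
```

Running `corroborate(LOG_EVENTS, CONFIG_FINDINGS, PERF_METRICS)` puts web01 (all three data types agree) ahead of web02 (a lone log event), which is exactly the prioritization the post argues for.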

And saving time is a good thing for everyone.