How much information do you need to manage your security? Until recently, the answer was always “more.” That is changing as the sheer volume of available data grows.
Today, corporate networks and machines are significantly faster and more powerful than they were 10 years ago. Combine this advancement with threat intelligence feeds, which include logs from new applications and streams from hosted services, and you have a surge in security data. This dramatic increase in data has gradually become a hindrance to organizations.
There is also a conflict between two different objectives for the information being gathered. First, timely incident response and reduced dwell time call for acquiring a limited amount of data in order to identify and stop attacks as quickly as possible. Second, system recovery and forensic examinations call for as much data as possible once the attack is over. The security industry has taken a one-size-fits-all approach, miring teams in unnecessary data and forcing them to look for real-time indicators when they should be looking for root causes.