
What Security Data Do I Really Need to Collect and Analyze?

Matt Alderman October 27, 2020

We’ve been told for years that we don’t have enough data for security. Then we see the headlines and quotes: “Organizations must prepare for collecting, processing, analyzing, and acting upon terabytes of security data.” “All decisions about cybersecurity strategies, program priorities, investments, etc. should be made based upon analysis of real-time and historical data.”

New companies are being started to build “data lakes” with “machine learning” and “artificial intelligence”. Some of these companies even file for an IPO and enter the public market on the promise of “big data”. But what data, and what types of data, do we really need? Do we really need all of it?

We interviewed Corey Bodzin, Chief Technology Officer at deepwatch, on Enterprise Security Weekly to discuss data collection and the criteria for deciding whether a given data source is worth collecting. Here are his recommendations:

  • You do not need all of the data. What data to collect should be based on three key criteria:
    • Maturity of your security program. If you’re still early in your program maturity, you definitely don’t need all of the data. Start with the basics.
    • Cost of collecting the data. Not all data costs the same to collect and store. Active Directory logs are quite easy, while network packets can be quite costly.
    • The value you can extract from the data. Adding additional threat intelligence sources doesn’t necessarily improve the value of that data set.
  • Paul’s enchanted quadrants are a good starting point. Focus on the basics, usually in this order:
    • Logs (Network, DNS, Applications, etc.)
    • Endpoint (Logs, Processes, Files, etc.)
    • Network (Flow, Packets, etc.)
    • Threat Intelligence
  • Ask the following questions to know if you should collect the data or not:
    • How much is it to collect and store?
    • What can you do with the data once you collect it?
    • Can you collect enough of the data to make it valuable?

To get a deeper dive, watch the interview on Enterprise Security Weekly, register for the on-demand deepwatch webcast, How to Measure Security Operations Effectiveness, or visit securityweekly.com/deepwatch for more information.
