And should organisations want to delve into understanding the dynamics of the network traffic itself, the netflow protocol that provides this information is built into nearly all commercial network equipment for free and can be read by centralised systems with great ease. The same argument exists for the capture of emails and files in transit - is it necessary to reconstruct these 'off the wire', when the fingerprints can be simply tracked to detect changes and pull copies from the target repository if needed?
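To illustrate the fingerprint-tracking argument above, here is an added example (not from the article) that detects added, removed and modified files by comparing two fingerprint snapshots of a repository; the paths and contents are constructed, and in practice the snapshot would be taken by walking the real file store.

```python
"""Added example (not from the article): detecting file changes by tracking
fingerprints of a repository rather than reconstructing files 'off the wire'.
All inputs are constructed in-memory; paths and contents are hypothetical."""
import hashlib


def fingerprint(content: bytes) -> str:
    """SHA-256 hex digest of a file's bytes: the 'fingerprint' being tracked."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to its fingerprint. A real collector would walk a file
    share or document store; here the store is a constructed dict."""
    return {path: fingerprint(data) for path, data in files.items()}


def diff_snapshots(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Compare two fingerprint snapshots. Only digests are compared, so file
    content never has to be captured or reassembled from network traffic; a
    copy of any path reported here can be pulled from the repository later."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
    }


# Constructed sample: yesterday's and today's state of a small document store.
BASELINE_FILES = {
    "finance/q3-forecast.xlsx": b"revenue,cost\n100,80\n",
    "hr/policy.docx": b"Leave policy v1",
    "legal/nda-template.docx": b"Standard NDA",
}
CURRENT_FILES = {
    "finance/q3-forecast.xlsx": b"revenue,cost\n100,80\n",  # unchanged
    "hr/policy.docx": b"Leave policy v2",                   # modified
    "finance/payroll-export.csv": b"name,salary\n",         # new file
}


def run_example() -> dict[str, list[str]]:
    """Diff the constructed baseline against the constructed current state."""
    return diff_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in run_example().items():
        print(f"{kind}: {paths}")
```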
Are logs dead? Long live logs!
So, are logs really broken and dead? I think not. For these two core factors, transaction logs can reasonably be considered as technically superior to other approaches.
Which leads us to the last, often perplexing aspect: detection methodology. This, as they say, is where the gold lies. The objective of any security threat detection platform is to detect as many threats as early as possible and provide sufficient information to enable triage and remediation in the shortest possible timeframe. Anything else is fluff. Does the mechanism by which data is collected affect the ability to achieve this outcome? Of course not; this means that the simplest, most efficient, cost-effective solution is the most sensible business choice.
The differentiators in security analysis products are now in the accuracy, scope and timeliness of the detection methodologies - not how data is collected. The future of security threat detection has, out of necessity, moved beyond the constraints of SIEM, but it has also surpassed the limitations of a network probe-based approach. Instead, focus should shift to detection methods that build upon the successes in handling and analysing large quantities of data using behavioural analytics, considering how observed traits map to stages of the Kill Chain so that appropriate actions can be taken, rather than creating new complications and problems over how base data is collected.
I see a future where the accuracy and speed of detection for security threats can exceed the ability of attackers to hide in the noise. I see a future where the asymmetric balance between cyber-security attacker and defender can be redressed - in the defenders' favour.