Security monitoring is complex. Successful implementation of a security monitoring infrastructure involves people, process, technology and data, and requires multiple iterative phases to reach maturity. Security data comes from many sources, and the prevailing method is to acquire it by consuming log files from every possible asset, be it an application, database, virtual machine, container, microservice, operating system, server, network component, storage system or even an intelligent power strip, and then sending that data to a SIEM or log management system.
And that’s not to mention the digital supply chain. In the past decade there has been a shift from on-prem software to primarily cloud-based services and SaaS applications, and a lot of them: one survey shows that a typical company uses anywhere from 100 to 300 SaaS applications, depending on company size. The growth of the SaaS vendor landscape for just one portion of the enterprise (marketing) over the last decade, from a few hundred vendors to several thousand, shows no sign of slowing, which means security monitoring has to cover a large and constantly changing set of cloud services and SaaS apps.
This shift in the digital supply chain requires a shift in security monitoring practices. Attendees of this talk will come away with the rationale for a new approach to security monitoring: converting all log data and security events into collections of time series. Doing so enables quick correlation of events across dependent or connected assets, makes it easier to articulate the indicators, and helps trace the vector of compromise. This in turn enables faster incident detection, response, remediation and forensics workflows.
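To make the approach concrete, here is an added example (not code from the talk or its author) of the log-to-time-series conversion and the cross-asset correlation it enables. It assumes a hypothetical line format of "asset timestamp message", three hypothetical assets (an identity provider, a web app and an object store) and constructed sample log lines; it goes one step beyond the abstract by using a lagged correlation to show how a spike on one asset propagates to the next.

```python
# Added example: convert raw log lines into per-asset time series, then
# correlate the series across connected assets to trace the chain of activity.
import math
import re
from datetime import datetime, timedelta, timezone

BUCKET_SECONDS = 60   # one time-series sample per minute
N_BUCKETS = 10        # the constructed window covers 10 minutes
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # assumed window start

# Assumed (hypothetical) line format: "<asset> <ISO-8601 timestamp> <message>".
LINE_RE = re.compile(r"^(?P<asset>\S+) (?P<ts>\S+) (?P<msg>.*)$")

# One event class per hypothetical asset; the substring identifies the event.
EVENT_CLASSES = {
    "idp": "login failed",          # SaaS identity provider
    "app": "admin token issued",    # internal web application
    "storage": "bulk download",     # object storage service
}


def build_sample_logs():
    """Constructed sample log lines, not captured from any real system.
    Each entry is (asset, {minute: lines in that minute}, message)."""
    spec = [
        ("idp", {0: 1, 2: 6, 3: 9, 4: 1}, "login failed user=alice src=203.0.113.7"),
        ("idp", {1: 2, 5: 1, 8: 1}, "login ok user=bob src=198.51.100.4"),
        ("app", {4: 5, 5: 7, 6: 1}, "admin token issued user=alice"),
        ("app", {0: 3, 1: 2, 7: 2}, "page view path=/dashboard user=bob"),
        ("storage", {6: 4, 7: 8, 8: 2}, "bulk download bucket=finance bytes=52428800"),
        ("storage", {2: 1, 9: 1}, "object get key=readme.txt user=bob"),
    ]
    lines = []
    for asset, per_minute, msg in spec:
        for minute, count in per_minute.items():
            for i in range(count):   # spread the lines across the minute
                ts = T0 + timedelta(minutes=minute, seconds=i)
                lines.append(f"{asset} {ts.isoformat()} {msg}")
    return lines


def parse_line(line):
    """Return (asset, timestamp, message), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["asset"], datetime.fromisoformat(m["ts"]), m["msg"]


def to_time_series(lines, n_buckets=N_BUCKETS):
    """Count each asset's tracked event class per bucket -> {asset: [counts]}."""
    series = {asset: [0] * n_buckets for asset in EVENT_CLASSES}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        asset, ts, msg = parsed
        if asset not in EVENT_CLASSES or EVENT_CLASSES[asset] not in msg:
            continue   # noise: not an event class we track for this asset
        bucket = int((ts - T0).total_seconds()) // BUCKET_SECONDS
        if 0 <= bucket < n_buckets:
            series[asset][bucket] += 1
    return series


def pearson(a, b):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb)


def best_lag(a, b, max_lag):
    """Return (lag, r): the shift in buckets by which b best follows a, and the
    correlation at that shift. Lag 0 means the two series move together."""
    best = (0, -2.0)
    for lag in range(0, min(max_lag, len(a) - 2) + 1):
        r = pearson(a[: len(a) - lag], b[lag:])
        if r > best[1]:
            best = (lag, r)
    return best


def trace_vector(series, threshold):
    """Order assets by the first bucket whose count reaches threshold.
    Returns [(asset, first_spike_bucket, peak_count), ...] in time order."""
    hits = []
    for asset, counts in series.items():
        spikes = [i for i, c in enumerate(counts) if c >= threshold]
        if spikes:
            hits.append((asset, spikes[0], max(counts)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    series = to_time_series(build_sample_logs())
    chain = trace_vector(series, threshold=3)
    print("vector:", " -> ".join(f"{a}@t{b}" for a, b, _ in chain))
    for (a, _, _), (b, _, _) in zip(chain, chain[1:]):
        lag, r = best_lag(series[a], series[b], max_lag=4)
        print(f"{b} follows {a} by {lag} bucket(s), r={r:.2f}")
```

Once every source is reduced to the same shape (a count per asset per bucket), the analysis no longer cares whether a line came from a SaaS identity provider or an on-prem file server: the chain of first spikes gives the order in which assets were touched, and the lag at which one series best matches the next shows how long the activity took to move between them. In a real deployment the threshold would come from a per-asset baseline rather than a fixed constant, and the bucket size would be chosen per event class.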