{"id":229,"date":"2013-04-05T00:00:00","date_gmt":"2013-04-05T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/05\/is-there-any-real-measurement-in-monitoring\/"},"modified":"2021-12-30T11:36:47","modified_gmt":"2021-12-30T11:36:47","slug":"is-there-any-real-measurement-in-monitoring","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/05\/is-there-any-real-measurement-in-monitoring\/","title":{"rendered":"Is There Any Real Measurement In Monitoring?"},"content":{"rendered":"<p>Almost as soon as &#8220;Big Data&#8221; came along, there was someone to explain that it wasn\u2019t the size that mattered; it was how you used it. Vendors touted their &#8220;line speed&#8221; or their ability to do all their analysis in-memory (since writing to disk tends to slow down the pipe a lot). We\u2019ve known for a long time that stateful firewalls, IDS\/IPS and web application firewalls magically get a lot faster if you turn enough high-level checks off. Vendors also tout the number of inputs that go into their offerings: how many other security technologies they integrate with (where &#8220;integrate&#8221; may just mean &#8220;we consume syslog, CSV and XML&#8221;). If you want to get fancier than just saying what data formats you accept, you can say you have an API, regardless of how many other tools actually use it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After the analytics skirmishes, the other kind of &#8220;intelligence&#8221; came up, namely the number and variety of additional inputs to the algorithms: reputation, geolocation, indicators of compromise, or possibly the number of former government intelligence analysts in the research team (and\/or on the board of directors).<\/p>\n<p style=\"margin: 0px;\">And then it\u2019s back to numbers: the number of external intelligence feeds that are used to enrich the data that the monitoring system processes.<\/p>\n<p style=\"margin: 0px;\">Can one system produce data that is &#8220;more actionable&#8221; than another one, and if so, how do you prove it?<\/p>\n<p style=\"margin: 0px;\">Not only will the data be processed &#8220;live&#8221; (which is supposed to be better than &#8220;real-time,&#8221; I understand \u2013 or maybe it\u2019s the other way around), but it\u2019ll be newer than anyone else\u2019s data, still dewy from the data fields.<\/p>\n<p style=\"margin: 0px;\">One thing\u2019s for sure: buyers will still be wading through the marketing morass, trying to search out bits of dry land that will hold up to a purchasing decision. Not only will they have trouble differentiating vendors and their offerings; they\u2019ll also struggle to find metrics that tell them when their monitoring is good enough.<\/p>\n<p style=\"margin: 0px;\">Link: <a href=\"http:\/\/www.darkreading.com\/security-monitoring\/blog\/240152343\/is-there-any-real-measurement-in-monitoring.html\">http:\/\/www.darkreading.com\/security-monitoring\/blog\/240152343\/is-there-any-real-measurement-in-monitoring.html<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-229","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=229"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/229\/revisions"}],"predecessor-version":[{"id":2716,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/229\/revisions\/2716"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}