The Necessity of Full Packet Capture (FPC)
Why do cyber threats persist despite significant investment to counteract them?
The fundamental reason that many attacks still get through is that traditional security sensors are built around known vectors: someone decided in advance what was worth looking for. While many solutions claim to supply us with "all the data," it is worth asking whether that is really all of it or only all of what they happen to aggregate.
For example, a log aggregation solution may say "we have all the data," and indeed it can deliver every log line that was written. But consider how those lines come to exist. On a host, a log entry is written because someone decided beforehand that the event was worth logging; the log is fundamentally bounded by the configuration that dictates what is and is not recorded.
Event data has the same dependency. Someone, or some configuration, has defined the conditions under which an event is generated; a SIEM then collects those events and presents them for analysis. So yes, it has "all the data," but only if "data" means "all events that something was configured to emit."
Flow data is no different: the exporter records only the flows, and only the metadata fields, that it is configured to emit (and where sampling is enabled, only a fraction of the packets are even examined), so payload and unsampled detail are gone before the record is written.
So whenever we deploy a solution that we believe gives us "all the data," we need to establish whether it is really "all," or one category carved out of the greater "all" by a configuration decision made before anyone knew what to look for.
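The following is an added example, not code from the original page or from any FPC vendor. It models the log and flow paragraphs above as three toy sensors fed the same constructed packets: a log generator bounded by a logging policy fixed in advance, a flow exporter that keeps only 5-tuple metadata and counters, and a full packet capture. A retrospective search for an indicator that no policy anticipated ("tokens=dump") succeeds only against the capture, while an anticipated one ("/login") is found by both the logs and the capture. All hosts, payloads and the logging policy are constructed and hypothetical.

```python
"""Toy model of the "subset of all" problem: three sensors, one set of
constructed packets, one retrospective question asked of each."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


# Constructed traffic (hypothetical hosts and payloads).  The third request
# carries a string, "tokens=dump", that nobody had written a rule for.
PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", 51234, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.5", "203.0.113.10", 51234, 80, "tcp",
           b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.7", "203.0.113.10", 51300, 80, "tcp",
           b"POST /api HTTP/1.1\r\nHost: example.test\r\nX-Cmd: tokens=dump\r\n\r\n"),
    Packet("10.0.0.9", "198.51.100.20", 40000, 53, "udp",
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"),
]

# Sensor 1: log generation.  The policy was fixed before the traffic arrived:
# only HTTP requests to these paths produce a log line (constructed policy).
LOGGED_PATHS = {b"/login", b"/admin"}


def generate_logs(packets):
    """Emit 'src path dst' lines only for requests the policy says to log."""
    logs = []
    for p in packets:
        if p.dport != 80 or not p.payload.startswith((b"GET ", b"POST ")):
            continue
        path = p.payload.split(b" ", 2)[1]
        if path in LOGGED_PATHS:
            logs.append(f"{p.src} {path.decode()} {p.dst}")
    return logs


def export_flows(packets):
    """Sensor 2: aggregate per 5-tuple; only configured counters survive, not payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(p.payload)
    return dict(flows)


def full_capture(packets):
    """Sensor 3: full packet capture keeps every packet as it was on the wire."""
    return list(packets)


# Retrospective questions, asked after the fact against each data source.
def hunt_logs(logs, needle):
    """Source hosts whose logged lines contain `needle`."""
    text = needle.decode(errors="replace")
    return sorted({line.split()[0] for line in logs if text in line})


def hunt_flows(flows, needle):
    """Flow records carry no payload, so a content search has nothing to match."""
    return []


def hunt_capture(packets, needle):
    """Source hosts that sent a payload containing `needle`."""
    return sorted({p.src for p in packets if needle in p.payload})


def talkers_to(flows, dst, dport):
    """What flow data *can* answer: which sources spoke to a given service."""
    return sorted({src for (src, d, _, dp, _) in flows if d == dst and dp == dport})


def compare(needle):
    """Ask the same content question of all three sensors."""
    return {
        "logs": hunt_logs(generate_logs(PACKETS), needle),
        "flows": hunt_flows(export_flows(PACKETS), needle),
        "fpc": hunt_capture(full_capture(PACKETS), needle),
    }


if __name__ == "__main__":
    print(compare(b"/login"))       # anticipated indicator: logs and FPC both answer
    print(compare(b"tokens=dump"))  # unanticipated indicator: only FPC answers
    print(talkers_to(export_flows(PACKETS), "203.0.113.10", 80))
```

The point of the toy is the asymmetry in `compare`: the logs and flows are not wrong, they are simply bounded by decisions made before the question was asked, and the capture is the only source that can answer a question nobody thought to configure for.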
Download the "The Necessity of Full Packet Capture (FPC)" datasheet and request a demo below.