NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I popularized the term "output-driven SIEM"
- You have 10 petabytes of security data in your Hadoop cluster.
- You count RAM in terabytes and CPU cores in dozens.
- You speak HiveQL better than you speak English.
- You collect literally and unquestionably every timed record of activity in your organization – including transaction logs, IM messages, flows, anything.
- You run queries over 13 months of data – and you do not have to take a vacation before the results come in.
- You outgrew your market-leading SIEM product … 5 years ago.
- You have statisticians (data scientists) on speed-dial – and on staff.
- You run statistical models on volumes of security data before your morning coffee – and get good results.
- Your organizations’ BI team thinks you are actually cool… despite being in security.
So….
are you a HARBINGER or an OUTLIER?
Is this the way information security will be done nearly everywhere in 3, 5, 10 years? (good arguments for this)
Or is this a case of “there are only 10 organizations in a Top 10 list”? (some arguments for this)
Is this the way we all need to learn to succeed with current and future threats?
Or is this the way to the top of the mountain that only the enlightened gurus will ever tread?
In any case, let’s keep this discussion going!
P.S. By the way, remember that: “If at first you don’t succeed, skydiving may not be for you.” [by unknown] –> “If you keep failing with small data now, BIG DATA isn‘t for you!” [by Anton Chuvakin]
).