Chapter 2. Implementing a Security Data Lake

As explained in Chapter 1, today’s cloud data platforms can power security data lakes that help you automate and greatly expand many cybersecurity tasks. But how do you gracefully transition from yesterday’s SIEM-centric environments to embrace today’s modern alternatives? You can’t simply “lift and shift” your old data center security methods, because they no longer address the scale and complexity of today’s multifaceted threat landscape. This chapter describes how to implement a security data lake to efficiently gather all your data, expand visibility into security risks and incidents, and automate responses to mitigate threats. This process has three primary phases:

  1. Assess your current state.

  2. Collect and migrate data.

  3. Establish and verify analytics.

Phase 1: Assess Your Current State

During the assessment phase, you must answer several key questions:

  • Which threats present the greatest risk to your organization?

  • What are the key solutions being used to mitigate those risks?

  • How is data from these sources being used today?

  • What are the biggest challenges and gaps to success with these use cases?

For example, a review of an organization’s threat models may point to source code theft as the top risk. Attacks targeting developer laptops may be considered the most likely vector for this threat. The relevant existing solutions might be the endpoint protection agents on developer laptops, and controls on the managed ...
