Educause Security Discussion mailing list archives
Re: Dynamic data collection capabilities?
From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Mon, 2 Apr 2018 21:25:57 +0000
One of the themes of our cyber operational research is that operations now collect a huge amount of data. Yet, much of it isn’t used, and it takes lots of time for analysts to make sense of it. Further, analysts’ time is one of the main constraints driving decisions on what tools are purchased, and what alerts are investigated.

Are there specific problems or wish-list items that could help lower the quantity of data, but increase the signal in data cyber operations collect/use? Some of the responses to the “dynamic data collection” questions below include the following:

* Having packet captures and ENCASE HD and memory images only for traffic/hosts at the time of a high-trust alert.
* Having a desktop replay capability only at the time of an alert. The goal is to see what users clicked on/typed just before to just after an alert.
* Having a tool that can automatically correlate ports, processes, alerts, etc.

Any feedback from operators is appreciated.

Thanks,
Bobby

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National Laboratory

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Bridges, Robert A." <bridgesra () ORNL GOV>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 27, 2018 at 1:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Dynamic data collection capabilities?

Hi,

I am a researcher at Oak Ridge National Laboratory and am performing research on security operations funded by IARPA. The goal is to survey security operators to inform what cyber research to pursue. Our primary data collection is through one-on-one interviews, and I’ve attached the consent form from that process—it contains more information about the study if you are interested. As a secondary data source, we are seeking responses through this listserv.

I’m hoping to start a discussion from the following questions. Please reply with your thoughts.

Do you have the ability to automatically perform dynamic data collection, e.g., turn on/off some collection capability in certain situations?

If you had the capability to dynamically collect high-fidelity data, how would it be most helpful?

Thank you,

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National Laboratory
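The alert-triggered collection in the first wish-list item above, as an added example that is not part of this post or of any ORNL tool: a hypothetical collector keeps only a short rolling buffer of cheap flow records (host, port, process) and retains a pre/post window for the alerting host only when an alert's trust score crosses a threshold, so low-trust alerts leave collection switched off. The Flow fields, the trust score, the window lengths and the sample stream are all assumptions constructed for this example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float        # seconds; the stream is assumed to arrive in time order
    host: str
    dst_port: int
    process: str     # process the endpoint sensor attributed the connection to

class DynamicCollector:
    """Hypothetical design: cheap rolling buffer, high-fidelity capture only on high-trust alerts."""
    def __init__(self, pre_window, post_window, trust_threshold):
        self.pre, self.post, self.threshold = pre_window, post_window, trust_threshold
        self.buffer = deque()   # recent flows from all hosts (pre-alert context)
        self.active = {}        # host -> (alert_id, deadline) while a capture is open
        self.captures = {}      # alert_id -> flows retained for the analyst
    def observe(self, flow):
        self.buffer.append(flow)
        while self.buffer[0].ts < flow.ts - self.pre:   # age out the rolling buffer
            self.buffer.popleft()
        if flow.host in self.active:
            alert_id, deadline = self.active[flow.host]
            if flow.ts <= deadline:
                self.captures[alert_id].append(flow)
            else:                                       # post-alert window closed
                del self.active[flow.host]
    def alert(self, alert_id, host, ts, trust):
        if trust < self.threshold:
            return False   # low-trust alert: collection stays off, nothing retained
        self.captures[alert_id] = [f for f in self.buffer
                                   if f.host == host and f.ts >= ts - self.pre]
        self.active[host] = (alert_id, ts + self.post)
        return True

# Constructed sample stream (not real data): ("flow", Flow) or ("alert", id, host, ts, trust).
SAMPLE_STREAM = [
    ("flow", Flow(1.0, "hostA", 443, "chrome")),      # older than the 2.5 s pre window
    ("flow", Flow(2.0, "hostB", 22, "ssh")),          # other host: filtered out
    ("flow", Flow(3.0, "hostA", 4444, "powershell")),
    ("flow", Flow(4.0, "hostA", 445, "svchost")),
    ("alert", "a1", "hostA", 5.0, 0.95),              # high-trust: opens a capture
    ("flow", Flow(6.0, "hostA", 4444, "powershell")),
    ("flow", Flow(7.5, "hostA", 8080, "python")),     # past the 2 s post window
    ("alert", "a2", "hostB", 8.0, 0.30),              # low-trust: nothing kept
]

def run(stream, pre=2.5, post=2.0, threshold=0.8):
    c = DynamicCollector(pre, post, threshold)
    for kind, *args in stream:
        (c.observe if kind == "flow" else c.alert)(*args)
    return c
```

On the sample stream only three of the six flows are retained, all attributable to the single high-trust alert, which is the volume-versus-signal trade the post asks about.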