Educause Security Discussion mailing list archives

Re: Dynamic data collection capabilities?


From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Mon, 2 Apr 2018 21:25:57 +0000

One of the themes of our cyber operational research is that operations now collect a huge amount of data. Yet, much of it isn’t used, and it takes lots of time for analysts to make sense of it. Further, analysts’ time is one of the main constraints driving decisions on what tools are purchased, and what alerts are investigated.

Are there specific problems or wish-list items that could help lower the quantity of data, but increase the signal in data cyber operations collect/use?

Some of the responses to the “dynamic data collection” questions below include the following:

  *   Having packet captures and EnCase HD and memory images only for traffic/hosts at the time of a high-trust alert.
  *   Having a desktop replay capability only at the time of an alert. The goal is to see what users clicked on/typed just before to just after an alert.
  *   Having a tool that can automatically correlate ports, processes, alerts, etc.

Any feedback from operators is appreciated.

Thanks,
Bobby

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National Laboratory
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Bridges, Robert A." <bridgesra () ORNL GOV>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 27, 2018 at 1:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Dynamic data collection capabilities?

Hi, I am a researcher at Oak Ridge National Laboratory and am performing research on security operations funded by IARPA. The goal is to survey security operators to inform what cyber research to pursue. Our primary data collection is through one-on-one interviews, and I’ve attached the consent form from that process—it contains more information about the study if you are interested. As a secondary data source, we are seeking responses through this listserv.
I’m hoping to start a discussion from the following questions. Please reply with your thoughts.

Do you have the ability to automatically perform dynamic data collection, e.g., turn on/off some collection capability in certain situations?
If you had the capability to dynamically collect high-fidelity data, how would it be most helpful?

Thank you,
--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National Laboratory
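The alert-gated collection that the wish-list above describes (keep only a short rolling buffer, then order pcap/memory/desktop-replay capture for the alerted hosts from just before to just after a high-trust alert, with port-correlated processes attached), as an added Python example that is not from the thread or from the ORNL study; the trust threshold, window lengths, telemetry shape and sample events are constructed assumptions:

```python
"""Alert-triggered ("dynamic") collection: cheap telemetry sits in a short
rolling buffer; full-fidelity collection is only ordered around a high-trust
alert. Thresholds, window sizes and event shapes are assumptions (constructed)."""
from collections import deque
from dataclasses import dataclass, field
HIGH_TRUST = 0.8             # assumed trust score needed to trigger collection
BEFORE_S, AFTER_S = 60, 120  # full-fidelity window around the alert, seconds
FULL_FIDELITY = ("pcap", "memory_image", "desktop_replay")

@dataclass
class CollectionOrder:
    host: str
    start: int                 # window start (epoch seconds)
    end: int                   # collectors drop back to low fidelity after this
    actions: tuple = FULL_FIDELITY
    prior_events: list = field(default_factory=list)   # replay of "just before"
    correlated_procs: list = field(default_factory=list)

class DynamicCollector:
    def __init__(self, buffer_s=BEFORE_S):
        self.buffer_s = buffer_s
        self.recent = {}       # host -> deque of (ts, event dict)

    def observe(self, ts, host, event):
        """Buffer a cheap event; anything older than buffer_s is discarded."""
        q = self.recent.setdefault(host, deque())
        q.append((ts, event))
        while q and q[0][0] < ts - self.buffer_s:
            q.popleft()

    def on_alert(self, alert):
        """Return one CollectionOrder per host for a high-trust alert, else []."""
        if alert["trust"] < HIGH_TRUST:
            return []
        ts, orders = alert["ts"], []
        for host in alert["hosts"]:
            window = [e for t, e in self.recent.get(host, ()) if t >= ts - BEFORE_S]
            procs = sorted({e["proc"] for e in window if e.get("port") == alert.get("port")})
            orders.append(CollectionOrder(host, ts - BEFORE_S, ts + AFTER_S,
                                          prior_events=window, correlated_procs=procs))
        return orders

def demo():
    """Constructed telemetry for one workstation, then a low- and a high-trust alert."""
    c = DynamicCollector()
    c.observe(100, "ws-17", {"proc": "outlook.exe", "port": 443})
    c.observe(130, "ws-17", {"proc": "svc-agent.exe", "port": 8443})
    c.observe(140, "ws-17", {"proc": "chrome.exe", "port": 443})
    low = c.on_alert({"ts": 150, "trust": 0.3, "hosts": ["ws-17"], "port": 8443})
    high = c.on_alert({"ts": 150, "trust": 0.95, "hosts": ["ws-17"], "port": 8443})
    return low, high
```

The low-trust alert produces no order, so the bulk collectors stay off; the high-trust one yields a 90..270 window for ws-17 with the three buffered events and the one process that used the alerted port.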
