It is time to rethink the audit: not something that happens periodically, but something that can be performed continuously, at will and in near real time. It is unacceptable for an organization to lack complete visibility into the activity of every user, host and application on its network infrastructure. That visibility, together with threat intelligence and patch management, is the minimum acceptable hygiene, a starting point rather than a goal. Once it exists, it opens the door to much better analytics (think big data for security, not a SIEM), letting network defenders visualize and investigate unusual activity over extended periods and across different locations and missions. Collecting details about known attempts and successes, quickly identifying and remediating malicious activity, and then determining where else the same activity is present would give superior attribution and better intelligence. That in turn becomes a basis for "making security measurable," in near real time.
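One way to make the continuous analysis described above concrete, as an added example that is not part of the original idea: a small Python stream processor that keeps a per-user baseline of the hosts and applications it has seen, flags first-seen hosts or applications and bursts of failures as events arrive, and answers the "where else is this present?" question by pivoting on an indicator across everything observed so far. The event format, the thresholds and the sample events are all constructed for this illustration and are not from any real system.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One activity record (constructed format): who did what, where, and how it ended."""
    ts: int        # seconds since epoch
    user: str
    host: str
    app: str
    outcome: str   # "success" or "failure"


@dataclass(frozen=True)
class Alert:
    kind: str      # "new-host", "new-app" or "failure-burst"
    user: str
    host: str
    ts: int


@dataclass
class Profile:
    """Per-user baseline built incrementally from the stream."""
    hosts: set[str] = field(default_factory=set)
    apps: set[str] = field(default_factory=set)
    seen: int = 0


class ContinuousAuditor:
    def __init__(self, warmup: int = 3, fail_threshold: int = 3, window: int = 60):
        self.warmup = warmup                  # events before a user's baseline is trusted
        self.fail_threshold = fail_threshold  # failures within `window` seconds that trigger an alert
        self.window = window
        self.profiles: dict[str, Profile] = defaultdict(Profile)
        self.failures: dict[str, deque[int]] = defaultdict(deque)  # host -> failure timestamps
        self.history: list[Event] = []        # retained so indicators can be pivoted on later

    def ingest(self, ev: Event) -> list[Alert]:
        """Analyze one event as it arrives and return any alerts it produces."""
        alerts: list[Alert] = []
        self.history.append(ev)

        p = self.profiles[ev.user]
        if p.seen >= self.warmup:
            if ev.host not in p.hosts:
                alerts.append(Alert("new-host", ev.user, ev.host, ev.ts))
            if ev.app not in p.apps:
                alerts.append(Alert("new-app", ev.user, ev.host, ev.ts))
        p.hosts.add(ev.host)
        p.apps.add(ev.app)
        p.seen += 1

        if ev.outcome == "failure":
            q = self.failures[ev.host]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window:   # sliding window of recent failures
                q.popleft()
            if len(q) >= self.fail_threshold:
                alerts.append(Alert("failure-burst", ev.user, ev.host, ev.ts))
        return alerts

    def pivot(self, **match: str) -> dict:
        """Where else is this indicator present? Match on any Event field(s)."""
        hits = [e for e in self.history if all(getattr(e, k) == v for k, v in match.items())]
        return {
            "count": len(hits),
            "users": sorted({e.user for e in hits}),
            "hosts": sorted({e.host for e in hits}),
            "apps": sorted({e.app for e in hits}),
        }


# Constructed sample stream: two users with stable habits, then both appear on a
# database server running a new tool while a service account fails to log in there.
EVENTS = [
    Event(100, "alice", "ws-01", "mail", "success"),
    Event(160, "alice", "ws-01", "vpn", "success"),
    Event(220, "bob", "ws-02", "mail", "success"),
    Event(280, "alice", "ws-01", "mail", "success"),
    Event(340, "bob", "ws-02", "vpn", "success"),
    Event(400, "bob", "ws-02", "mail", "success"),
    Event(460, "alice", "srv-db", "psql", "success"),  # new host and new app for alice
    Event(470, "svc", "srv-db", "ssh", "failure"),
    Event(480, "svc", "srv-db", "ssh", "failure"),
    Event(490, "svc", "srv-db", "ssh", "failure"),     # third failure inside 60 s
    Event(600, "bob", "srv-db", "psql", "success"),    # bob shows up on the same host with the same tool
]


def run_stream(events: list[Event]) -> tuple[ContinuousAuditor, list[Alert]]:
    """Feed events one at a time, as a live collector would, and gather the alerts."""
    auditor = ContinuousAuditor()
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(auditor.ingest(ev))
    return auditor, alerts


if __name__ == "__main__":
    auditor, alerts = run_stream(EVENTS)
    for a in alerts:
        print(a)
    print("where else is psql present?", auditor.pivot(app="psql"))
```

The baseline here is deliberately simple (sets of hosts and applications per user); the point is the shape of the pipeline: every event is analyzed the moment it is collected, the alert is raised at ingestion time rather than at the next scheduled audit, and the retained history lets an analyst pivot from one finding (the `psql` use on `srv-db`) to every other user and host where the same indicator appears.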
Idea No. 152