Monday, July 6, 2015

Best quote that sums up my day

Like it says:

"More data does not equate to more visibility or coverage".

In fact, more data drives down retention while lengthening analysis time. The trick is to collect and retain the most relevant data, not just more of it. Since the definition of what's relevant fluctuates, this can be a challenge, but some basics hold from incident to incident. The goal is maximum visibility with the smallest volume. The mean time to detection was 229 days in 2014. Most data collection falls in a 30 to 90 day retention window. That gap alone drives the high miss rate.
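To make the retention trade-off concrete, here is an added example (not code from the original post) that runs a small relevance filter over constructed log lines and computes how many days of history a fixed storage budget holds before and after filtering, then checks that against the 229-day mean time to detection quoted above. The log lines, the relevance rules, the 10 million lines per day, the 100 bytes per line and the 60 GB budget are all assumptions chosen for the illustration; only the 229-day figure comes from the post.

```python
"""Added example: relevance filtering versus log retention.

Everything here except MTTD_DAYS_2014 is constructed for illustration.
"""
import re
from dataclasses import dataclass

MTTD_DAYS_2014 = 229  # mean time to detection quoted in the post

# Constructed sample: a few security-relevant events among routine noise.
SAMPLE_LOGS = [
    "2015-07-06T08:01:02 host=web01 sshd: Failed password for root from 198.51.100.7 port 5521",
    "2015-07-06T08:01:03 host=web01 sshd: Failed password for root from 198.51.100.7 port 5522",
    "2015-07-06T08:01:09 host=web01 sshd: Accepted password for deploy from 203.0.113.9 port 5530",
    "2015-07-06T08:02:00 host=web01 kernel: eth0: link is up",
    "2015-07-06T08:02:01 host=web01 cron: (root) CMD (run-parts /etc/cron.hourly)",
    "2015-07-06T08:02:05 host=web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash",
    "2015-07-06T08:02:07 host=web01 systemd: Started Session 41 of user deploy.",
    "2015-07-06T08:02:09 host=web01 useradd: new user: name=svc_backup, UID=1003",
] + [
    # Health-check chatter: the kind of volume that eats retention for no visibility.
    f"2015-07-06T08:02:{30 + i:02d} host=web01 nginx: GET /healthz 200 0.001s"
    for i in range(12)
]

# Constructed relevance rules: event types nearly every investigation needs
# (authentication outcomes, privilege use, account changes).
RELEVANT_PATTERNS = {
    "auth_failure": re.compile(r"sshd: Failed password"),
    "auth_success": re.compile(r"sshd: Accepted"),
    "priv_escalation": re.compile(r"sudo: .* COMMAND="),
    "account_change": re.compile(r"useradd: new user"),
}


def classify(line):
    """Return the relevance tag for a line, or None if it is noise."""
    for tag, pattern in RELEVANT_PATTERNS.items():
        if pattern.search(line):
            return tag
    return None


def filter_relevant(lines):
    """Keep only lines that match a relevance rule."""
    return [line for line in lines if classify(line) is not None]


def retention_days(daily_bytes, budget_bytes):
    """Days of history a fixed budget holds at a given daily volume."""
    if daily_bytes <= 0:
        raise ValueError("daily volume must be positive")
    return budget_bytes / daily_bytes


@dataclass
class Comparison:
    raw_lines: int
    kept_lines: int
    raw_retention_days: float
    filtered_retention_days: float
    covers_mttd_raw: bool
    covers_mttd_filtered: bool


def compare(lines, lines_per_day, budget_bytes, bytes_per_line=100):
    """Compare achievable retention with and without relevance filtering.

    `lines` is a representative sample; the keep ratio it yields is scaled
    to the assumed `lines_per_day`. All sizing figures are constructed.
    """
    kept = filter_relevant(lines)
    keep_ratio = len(kept) / len(lines)
    raw_daily = lines_per_day * bytes_per_line
    filtered_daily = raw_daily * keep_ratio
    raw_ret = retention_days(raw_daily, budget_bytes)
    filt_ret = retention_days(filtered_daily, budget_bytes)
    return Comparison(
        raw_lines=len(lines),
        kept_lines=len(kept),
        raw_retention_days=raw_ret,
        filtered_retention_days=filt_ret,
        covers_mttd_raw=raw_ret >= MTTD_DAYS_2014,
        covers_mttd_filtered=filt_ret >= MTTD_DAYS_2014,
    )


if __name__ == "__main__":
    # Constructed sizing: 10 million lines/day at 100 bytes each, 60 GB budget.
    print(compare(SAMPLE_LOGS, lines_per_day=10_000_000, budget_bytes=60 * 10**9))
```

With these assumed figures the unfiltered feed lands at 60 days of retention, squarely in the 30 to 90 day window the post describes and well short of the 229-day detection lag; keeping only the quarter of lines the rules mark relevant stretches the same budget to 240 days, so the evidence from a typical intrusion is still on disk when it is finally noticed. The rule set is deliberately small; in practice it is what "the definition of what's relevant" has to be revisited against after each incident.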