In my last column, I wrote about the need to “understand the normal” – that is, when faced with a complex security incident, to know whether each step in the incident is normal for that user. It sounds obvious; of course it’s valuable to know whether someone is acting in an unusual manner. However, creating context is much more difficult in practice.

Data volumes are growing quickly, often so quickly that it’s not possible to store enough historical data to support an investigation. At the same time, firms have replaced employees with temp workers, contractors, and outsourcers, many of whom turn over on a regular basis. This flux makes it harder to identify actual users, let alone each user’s normal behavior. Simply put, the pace of change and growth prevents most large organizations from understanding normal and abnormal behavior.
