Applying a Wide-Angle Lens for a New Take on Cybersecurity Use Cases
Poster
Publisher: Software Engineering Institute
Abstract
Leveraging the vast quantities and types of data collected in a cybersecurity data lake is typically accomplished through a “magnifying glass” scenario, in which queries narrow in on certain types of data at specific points in time to achieve an “up close” view of a particular situation. Examples include identifying all activities occurring at a certain time that connect to a particular device or user, or tracing the path of a particular threat actor traversing the organizational network during an incident. These use cases optimize the ability of the data lake to selectively zero in on only those specific activities of interest from among the billions of connections and data points it holds.
An alternative methodology for leveraging this type of data lake is to approach it using a “wide-angle” lens, which requires that the data scientist step back and identify methods to view the vastness of the data holistically. Beginning an evaluation using a panoramic view of the data can reveal entirely different types of information about the activities occurring within an organization’s network and can be leveraged for a variety of purposes including identification of alternative types of anomalies, policy violations, misconfiguration patterns, as well as evaluating high-level changes in volumes and types of traffic, to assist with organizational planning efforts.
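The contrast between the two approaches can be made concrete on a small set of flow records. The following is an added example, not code from the poster or from the SEI; the flow records are constructed sample data, and the helper names, the 5x-median volume threshold and the choice of port 23 as a banned service are assumptions for illustration. The first function is the “magnifying glass” (one host, one hour); the remaining functions take the “wide-angle” view over the whole set to surface a volume change, the overall service mix, and a policy violation that no single narrow query would have been pointed at.

```python
"""Magnifying-glass query vs. wide-angle aggregation over the same flow records.

Added example on constructed data; not the poster's own code.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    hour: int       # hour of day the connection summary falls in
    src: str        # source address
    dst: str        # destination address
    dst_port: int   # destination service port
    nbytes: int     # bytes transferred


# Constructed sample records standing in for six hours of a data lake.
FLOWS = [
    Flow(0, "10.0.0.5", "10.0.1.20", 443, 12_000),
    Flow(0, "10.0.0.6", "10.0.1.20", 443, 9_000),
    Flow(0, "10.0.0.7", "10.0.1.30", 22, 3_000),
    Flow(1, "10.0.0.5", "10.0.1.20", 443, 11_000),
    Flow(1, "10.0.0.8", "10.0.1.30", 22, 2_500),
    Flow(1, "10.0.0.9", "10.0.1.40", 23, 800),       # telnet use (constructed policy violation)
    Flow(2, "10.0.0.5", "10.0.1.20", 443, 13_000),
    Flow(2, "10.0.0.6", "10.0.1.20", 443, 10_000),
    Flow(2, "10.0.0.7", "10.0.1.30", 22, 3_200),
    Flow(3, "10.0.0.5", "10.0.1.20", 443, 12_500),
    Flow(3, "10.0.0.10", "10.0.1.50", 445, 2_000),
    Flow(4, "10.0.0.5", "10.0.1.20", 443, 12_000),
    Flow(4, "10.0.0.6", "10.0.1.20", 443, 400_000),  # constructed volume spike
    Flow(4, "10.0.0.9", "10.0.1.40", 23, 1_000),     # telnet again
    Flow(5, "10.0.0.5", "10.0.1.20", 443, 11_500),
    Flow(5, "10.0.0.7", "10.0.1.30", 22, 2_800),
]


def magnifying_glass(flows, host, hour):
    """Narrow query: every flow touching one host during one hour."""
    return [f for f in flows if f.hour == hour and host in (f.src, f.dst)]


def hourly_volume(flows):
    """Wide-angle view: total bytes per hour across the whole record set."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.hour] += f.nbytes
    return dict(totals)


def volume_anomalies(flows, factor=5.0):
    """Hours whose total volume exceeds `factor` times the median hour.

    The median is used as the baseline so a single spike does not drag the
    baseline up with it. The factor is an assumed tuning value.
    """
    totals = hourly_volume(flows)
    baseline = median(totals.values())
    return sorted(h for h, b in totals.items() if b > factor * baseline)


def service_mix(flows):
    """Bytes per destination port, i.e. what kinds of traffic the network carries."""
    mix = defaultdict(int)
    for f in flows:
        mix[f.dst_port] += f.nbytes
    return dict(mix)


def policy_violations(flows, banned_ports=frozenset({23})):
    """Wide-angle policy check: (source, port) pairs that used a banned
    service anywhere in the data, regardless of time or host of interest."""
    return sorted({(f.src, f.dst_port) for f in flows if f.dst_port in banned_ports})


if __name__ == "__main__":
    print("magnifying glass (10.0.0.5, hour 4):", magnifying_glass(FLOWS, "10.0.0.5", 4))
    print("hourly volume:", hourly_volume(FLOWS))
    print("volume anomalies:", volume_anomalies(FLOWS))
    print("service mix:", service_mix(FLOWS))
    print("policy violations:", policy_violations(FLOWS))
```

The narrow query on host 10.0.0.5 at hour 4 returns one ordinary HTTPS flow and would never show that hour 4 as a whole carried roughly twenty times the normal volume, or that a different host has been using telnet across two separate hours. Those findings fall out only when the aggregation runs over everything in the lake, which is the point of the wide-angle approach.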
This poster provides examples of use cases that have been addressed by applying a wide-angle lens to an expansive, global view of the data in a cybersecurity data lake. The viewer will learn the general value of this approach and see specific examples intended to inspire the development of equally compelling “wide-angle” use cases customized to their own organization’s needs.