Oct 21, 2015 By Jean-Paul Bergeaux In Blog

Solving the Data Retention Problems of Security Analytics and Forensics

Anyone who attended this year's attendance-smashing RSA Conference, or even followed it from afar, can tell you that some great new technologies are being introduced to take advantage of the data collected by security products. In particular, these technologies leverage log data to greatly improve the ability of security personnel to find and respond quickly to threats and attacks. This advancement should make it much easier to defend federal agency networks and systems.

But this trend is shedding light on a much more foundational challenge facing today's Security Operations Centers (SOCs) and CISOs: how do you store weeks or months of log data without running out of funds? Analytics and forensics are only as good as the retention window behind them; an investigation into an intrusion that began three months ago cannot use logs that were aged out after three weeks.

This problem arises because cyber analytics and forensics teams require fewer storage features than top-tier enterprise storage providers offer. Cyber teams still need the Reliability, Availability and Serviceability (RAS) that enterprise storage provides, but most enterprise arrays from top-tier providers are designed for the data center, not for logging and analytics. Consequently, they ship with embedded software built to integrate with email, databases and enterprise applications, and those applications demand a long list of features and functions on top of RAS.

This isn't a bad thing; it's quite a good thing for data center architects, who need enterprise storage arrays with these functions. But security teams do not, and so they end up paying for storage arrays that can do far more than they need.

It's a square peg for a round hole. What security teams need is raw storage with speed, efficiency, capacity and, most importantly, RAS. You can't do analytics or forensics on data that isn't there to access. Most security teams start by looking at "off-brand" products that may offer speed and capacity but truly do not offer the RAS that tier-one storage providers do. They feel this is necessary because of the tension between cost and data retention.

But there is a tier-one storage provider offering a round peg for this round hole. The speed, efficiency, cost and RAS of its storage product are well suited to analytics and forensics that need longer retention times. The irony is that this is the same storage vendor that pushed the entire industry to support the true needs of the data center with higher functionality. Twenty years ago the vendor had the vision that storage needed to do more and provide more functionality; today it has jumped ahead again by providing a storage array that offers speed, capacity and performance with the reliability to back it up. It fits the SOC requirement for enterprise storage without all the functionality of data center storage.

You can learn more in our NetApp Whiteboard Video here.