Our hyper-connected world and its ever-faster network speeds have resulted in mountains of diverse data that needs to be processed. It has also resulted in an ever-expanding attack surface, requiring cybersecurity solutions to scale like never before. These days, scale is about more than traffic volume (which can be used for, say, DDoS attacks committed by a botnet of hijacked devices); it’s also about the need to rapidly identify threats and stop them before they can succeed. A methodology that helps here is long-tail analysis, an approach that looks for very weak signals from attackers who are technologically savvy enough to stay under the radar and remain undetected.

Chasing the Long Tail

The term long tail first emerged in 2004, created by WIRED editor-in-chief Chris Anderson to describe “the new marketplace.” His theory is that our culture and economy are increasingly shifting away from a focus on a relatively small number of “hits” (mainstream products and markets) at the head of the demand curve and toward a huge number of niches in the tail.

Here’s how this long-tail concept applies to cybersecurity: you are specifically looking for those least-common events that will be the most useful in understanding anomalous behavior in your environments. A security analyst uses this basic four-step process for long-tail analysis: the analyst finds events of interest, such as website connections or user authentication. Then, you determine how to aggregate the events in a way…
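The first two steps described above (collect events of interest, then aggregate them so the rarest combinations stand out) are illustrated below with an added example that is not part of the original article. The authentication log lines, field layout and the `parse_auth_log`, `aggregate` and `long_tail` helper names are all constructed for this illustration; the point is that, once events are keyed on a chosen combination of fields, the head of the frequency curve is routine activity and the long tail (counts at or below a small threshold) is where an analyst looks first.

```python
from collections import Counter

# Constructed sample of user-authentication events (not from the original article).
# Each line: timestamp, user, source host, result
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01 alice ws-101 success
2024-05-01T08:00:05 bob ws-102 success
2024-05-01T08:01:10 alice ws-101 success
2024-05-01T08:02:33 carol ws-103 success
2024-05-01T08:03:00 bob ws-102 success
2024-05-01T08:04:47 alice ws-101 success
2024-05-01T08:05:12 carol ws-103 success
2024-05-01T08:06:01 bob ws-102 success
2024-05-01T09:17:40 alice ext-vpn-9 success
2024-05-01T09:18:02 svc-backup ws-102 failure
2024-05-01T09:20:15 carol ws-103 success
"""


def parse_auth_log(text):
    """Step 1: turn raw log text into a list of event dicts (events of interest)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({"ts": ts, "user": user, "host": host, "result": result})
    return events


def aggregate(events, key_fields):
    """Step 2: aggregate events by a chosen combination of fields.

    The choice of key is the analytic decision: keying on (user, host) asks
    "which user/workstation pairings are unusual?", keying on (host, result)
    asks "which hosts see unusual outcomes?".
    """
    return Counter(tuple(e[f] for f in key_fields) for e in events)


def head(counter, top_n=3):
    """The 'hits': the most frequent aggregates, i.e. routine activity."""
    return counter.most_common(top_n)


def long_tail(counter, max_count=1):
    """The long tail: aggregates seen at most max_count times, rarest first.

    Ties are broken by key so the output is deterministic and reviewable.
    """
    tail = [(key, n) for key, n in counter.items() if n <= max_count]
    tail.sort(key=lambda kv: (kv[1], kv[0]))
    return tail


def tail_fraction(counter, max_count=1):
    """Share of all events that fall in the tail; a rough measure of how
    much analyst attention the tail will demand for this key choice."""
    total = sum(counter.values())
    in_tail = sum(n for n in counter.values() if n <= max_count)
    return in_tail / total if total else 0.0


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    by_user_host = aggregate(events, ("user", "host"))
    print("head (routine):", head(by_user_host))
    print("long tail (review first):", long_tail(by_user_host))
    print("fraction of events in tail:", round(tail_fraction(by_user_host), 3))
```

On the constructed sample, the three user/workstation pairs that recur every few minutes form the head, while the single `alice` logon from a host she never otherwise uses and the single failed logon by a service account are the two entries in the tail. Whether either matters is a judgement for the analyst; the aggregation simply makes sure they are the first two rows looked at rather than buried among hundreds of routine successes.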