Jonathan Rau, VP/Distinguished Engineer at Query, explains the process of normalizing security data and the challenges of working with different security tools and APIs. He also simplifies the concept of security data into three categories: structured, semi-structured, and unstructured.

Finally, he discusses benefits of unifying security data, and the Open Cyber Security Schema Framework (OCSF) which Query uses as their data model. OCSF provides a standardized data model for cybersecurity events and objects, allowing for easier integration and interoperability between different security tools. The conversation also touches on the use of graphs in security data analysis, based on Jonathan's previous experience at Lightspin.

Takeaways

• Federated search allows users to search their security data wherever it is without ingestion.
• Normalizing security data involves mapping fields and setting constant states to handle different data formats and schemas.
• Security data can be categorized into structured, semi-structured, and unstructured data.
• Query simplifies the complexity of security data and provides a unified view of all security data sources.
• The Open Cybersecurity Schema Framework (OCSF) provides a standardized data model for cybersecurity events and objects, enabling easier integration and interoperability between security tools.
• Graph databases are useful for maintaining relationships and analyzing complex security data, but loading and querying graph data can be challenging.
• The key benefit of unifying security data is decision support, enabling security teams to make informed decisions based on a comprehensive view of the data.
• When building a data fabric or unifying security data, it's important to work backwards from the job to be done and focus on supporting specific use cases and decision-making needs.
• Staying informed about data technologies and approaches is crucial for security engineers and CISOs to make informed decisions about building a data fabric.