During the nearly 25 years I have worked in security, visibility into data has been a constant, yet evolving, challenge. Initially, there wasn’t enough data. Today, security relevant data extends far beyond logs and alerts, and security teams are forced to make time-consuming pivots to access data in many different systems. Data may be everywhere, but accessing, understanding, and making use of security data when you need it is more difficult than it should be. Security technology has evolved considerably over the last two decades, but security teams are still paying a significant tax in time and friction to gain access to the information they need to take the right action.
API’s are now more prevalent and robust. Data science has progressed. And, maybe most importantly, the amount of security relevant data has exploded across cloud, SaaS, and on-prem solutions. Attempting to centralize security data from multiple technologies has become the norm. These centralization projects are costly, time consuming, can create compliance challenges, and are prone to failure. I’ve long wondered, is there a better way? For many situations and use cases across security, I believe there is.
I’ve helped build and evolve many security solutions to try to address security operational challenges. I’d like to think a few of them were even helpful to the world of security operations. But I’ve long noticed that even when a new security tool delivers something helpful, analysts, incident responders, threat hunters, and other security professionals are still pivoting to many other technology platforms to search for answers to downstream questions. And this isn’t the only painful issue around distributed security data. I joined Query as CEO in August of 2022 because I believe in the idea of simplifying search for security teams.
I believe it is time to bring your search to your data, not your data to your search. At Query, we are playing the long game, one use case and technology integration at a time. We simplify search for security teams – from needing access to dozens of systems and knowing where and how to search – to one search box designed to find and visualize the answers to your questions.
Evolution of Operations
In the early 2000s, identifying threats was difficult, as they seemingly hit at random just to cause chaos. Security programs were built around a few tools, such as firewalls and antivirus software. As the number of security controls increased, the volume of alerts and logs began overwhelming security teams, and SIEMs were born. SIEMS enabled us to write detection rules and filter out noise, but they created a lot of downstream work to validate and respond.
Then, in the 2010s, endpoint detection and response changed the game for security teams by providing direct visibility (and later, protection) on endpoints to simplify and speed up incident response. Teams then had access to exactly what was happening on the endpoints, expanding visibility far beyond logs and alerts from traditional security controls. Core to all of these trends is an increase in the volume and type of data security teams must consume, understand, and manage.
One of the next big trends in security was the wave of automation. I could write a book about this, but I’ll sum it up here to say that automation capabilities are helpful across security operations for well understood and highly repeatable tasks, but not the silver bullet that security marketing of the last 5 years promised. If not carefully applied, it automatically breaks things and creates even more work. There are some promising recent trends in automation that, when applied alongside highly skilled security teams, creates an advantage for defenders.
Today, with remote first, plus modern SIEMs, XDRs, and data lakes seemingly everywhere, operational models for security teams are shifting. Large security operations centers with two-way glass and mission control sized monitors are often sitting empty. Rapid cloud and SaaS adoption have led to practices like DevOps spilling into security (DevSecOps – SecDataOps). At the core, this explosion of data is driving much of the need for security operations to change. Teams that are able to access the right data at the right time are able to more efficiently and effectively operate.
The Problem
Now that security relevant data is so much more than logs and alerts, centralizing all of your data from countless places – crossing the cloud through the data center – is tedious, expensive, and limiting. Centralizing all this data into one SIEM, one data lake, or one anything is not feasible or cost-effective. Even if you could, the second it hits the centralized store, it is out of date. And security alerts generated by centralized tools are just the start of many security investigations.
Searching in one place is easy. Even two or three is ok if you have the access and the time. But the more complex your environment, the harder it is to search for information and the easier for something to slip. As the number of places you need to search expands, along with the languages and knowledge required to perform the search, several problems emerge. First, you must gain access to these technologies and repeat your search. This takes time and results in browsers with many tabs at the top and complex playbooks. Second, it puts the burden of understanding and correlating the search results on the user. This creates stress and fatigue, results in errors, and ultimately makes it harder to reduce risk. Plus it lengthens the learning curve for new people to perform the task, and we already ask too much of security analysts.
The ability to access, search, and understand data across many distributed systems and data consolidations points (data lakes, ponds, cloud storage) becomes a way to unlock efficient and effective operations.
There is a better way.
Query simplifies the way we search. We are on a mission to provide complete visibility into security relevant data with the visual context and detailed answers your teams need to answer security questions. One place to search across all your security data, without additional centralization.
Today, knowing where you need to search and how to access and actually search is way harder than it should be. We are fixing this with one intelligent search box that knows where and how to access the type of information you are searching for. Query aims to deliver visibility into all the data a security team could ever need, unlocking access to data at the source and in your data lakes, creating many opportunities for more nimble and cost efficient data storage architectures.
It’s a journey, and we won’t get there overnight, but our early use cases expanding visibility for security investigations, threat hunting, and incident response are already drastically reducing the time and complexity of repetitive search tasks. If you are interested in following our progress or learning more, reach out to me on LinkedIn. We have some exciting enhancements and new use cases coming. We also want to hear from you on where and how you believe a decentralized approach to security operations could have the most impact across your team.
-matt
