After the Apollo 1 disaster, astronaut Frank Borman told Congress that the tragedy had not been caused by any one company or organization, but by everyone involved with the Mercury, Gemini, and Apollo programs. The problem had been a failure of imagination. They knew that at some point there would be a fire in a space capsule. However, they assumed it would take place in space. They did not think about the possibility of fire while the capsule was still on the ground, during a test on the launch pad. Within the security world we call this failure of imagination "unknown unknowns," but it boils down to the same thing: there are things we simply do not think about. Even with all the tools available to help us, we have failures of imagination.
In many cases, we trust one tool too much and live within its confines, never expecting anything to happen that the tool itself cannot handle. Once more, we are not considering the unknowns, not thinking outside our known boundaries. Once more, we have a failure of imagination. Failure of imagination has been cited as the cause of many failures, several of them prominent, such as Apollo 1. How do you get past a failure of imagination? It requires you to understand the basis for all your thinking. Every tool has a basis of thought, a pattern it looks for. Analytics tools are no different.
For every tool, there is a basis for the analytics: a starting point, an initial question that binds the tool together. For example:

  • We could look at Elastica (which was bought by Blue Coat), Imperva Skyfence, and even Microsoft Adallom and determine that their basis is to track access to specific requests within web- and API-based applications: in essence, to track an identity throughout the application and flag when that identity does something anomalous.
  • We could look at Splunk, whose basis is the ordinary log coming from systems, and determine what causes problems based on the errors seen and the rate of errors.
  • We could look at VMTurbo, whose basis is to determine the best place to run virtual machines within an infrastructure most efficiently by looking at the resources the virtual machines use.
  • We could look at Login VSI and its Login PI tool to show where there are issues within a desktop virtualization environment.
  • We could look at Aternity and determine issues by measuring what the end user actually experiences as the yardstick of success.
  • We could look at New Relic and measure how long each call within an application takes, to pinpoint changes that may be required within the code or infrastructure.
  • We could look at ExtraHop and use wire data to view response times to network queries.
  • We could look at SIOS and determine the issues that are causing potential performance problems within an environment.
  • We could use Prelert to query the log data within Splunk and ask different questions, not only about performance but about potential breach detection.

All of these tools have one thing in common: they are built on analytics that model behaviors people have observed, either the vendor's analysts or people within your own company. The analytics attempt to find those modeled behaviors in the data and report on them. Can we make that observation work differently? Can we query for other answers? Good analytics products let you write your own queries; however, you first need to understand the basis of the tool, so that you know how to formulate those queries and what additional data may be required to answer them.
This is also what good data scientists do within the world of big data. They ask questions of the data, look at the results, and ask more complex questions. Prebuilt analytics tools are similar in nature: they query the data for their basis question, then (hopefully) let you ask others. All the tools mentioned here allow you to query for other answers, but how complex those queries can get depends on the nature of the data within the system.
We can use any analytics tool as is, but when we add more data sources, more correlations, and more queries, the answers are limited only by the imagination of the person asking. This is why more people need to become involved with the tools, including those who merely use the environment. Let them ask about what is important to them. An odd question from an unexpected quarter may uncover an unknown unknown and remove a failure of imagination.
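To make the point concrete, here is an added example (it is not code from the page or from any of the vendors named above) that takes two constructed data sources, the kind of request trail an identity-tracking tool has and the kind of error log a log-analytics tool has, runs each tool's basis question over its own data, and then asks a third question that neither basis covers: which identity and endpoint consistently show up in the minute before an error burst? The log lines, the identities, the endpoints, and the function names are all assumptions made for the illustration.

```python
"""Cross-source query over two constructed log sets (example data, not from any real system)."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample of what an identity-tracking tool sees: timestamp, identity, method, path.
ACCESS_LOG = """\
2016-03-01T10:00:05Z alice GET /api/orders
2016-03-01T10:00:40Z carol GET /api/orders
2016-03-01T10:01:15Z alice GET /api/orders
2016-03-01T10:02:10Z bob GET /api/orders
2016-03-01T10:03:20Z alice GET /api/orders
2016-03-01T10:03:30Z bob POST /api/reports/export
2016-03-01T10:03:45Z bob POST /api/reports/export
2016-03-01T10:03:50Z carol GET /api/profile
2016-03-01T10:05:15Z bob GET /api/orders
2016-03-01T10:05:40Z alice GET /api/orders
2016-03-01T10:06:10Z carol GET /api/orders
2016-03-01T10:06:50Z alice GET /api/orders
2016-03-01T10:07:20Z bob POST /api/reports/export
2016-03-01T10:07:40Z bob POST /api/reports/export
2016-03-01T10:08:50Z carol GET /api/profile
2016-03-01T10:09:05Z alice GET /api/orders
2016-03-01T10:09:30Z bob GET /api/orders
""".splitlines()

# Constructed sample of what a log-analytics tool sees: timestamp, host, level, message.
ERROR_LOG = """\
2016-03-01T10:01:10Z app01 ERROR timeout contacting db
2016-03-01T10:04:05Z app01 ERROR timeout contacting db
2016-03-01T10:04:20Z app02 ERROR timeout contacting db
2016-03-01T10:04:40Z app01 ERROR timeout contacting db
2016-03-01T10:04:50Z app02 ERROR timeout contacting db
2016-03-01T10:06:30Z app02 ERROR worker restarted
2016-03-01T10:08:10Z app01 ERROR timeout contacting db
2016-03-01T10:08:25Z app01 ERROR timeout contacting db
2016-03-01T10:08:40Z app02 ERROR timeout contacting db
""".splitlines()


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_access(lines):
    """Return (timestamp, identity, method, path) tuples."""
    return [(parse_ts(ts), ident, method, path)
            for ts, ident, method, path in (line.split() for line in lines)]


def parse_errors(lines):
    """Return (timestamp, host, message) tuples; the level column is dropped."""
    return [(parse_ts(ts), host, msg)
            for ts, host, _level, msg in (line.split(maxsplit=3) for line in lines)]


def identity_volume_outliers(access, sigmas=2.0):
    """Basis question of the identity tools: whose request volume is anomalous?"""
    counts = Counter(ident for _, ident, _, _ in access)
    values = list(counts.values())
    cutoff = mean(values) + sigmas * pstdev(values)
    return sorted(ident for ident, n in counts.items() if n > cutoff)


def error_bursts(errors, per_minute=3):
    """Basis question of a log tool: in which minutes does the error rate spike?"""
    per_bucket = Counter(ts.replace(second=0) for ts, _, _ in errors)
    return sorted(bucket for bucket, n in per_bucket.items() if n >= per_minute)


def requests_preceding_bursts(access, errors, window=timedelta(seconds=60), per_minute=3):
    """The new question: which identity/path pairs appear in the window before each burst?
    Each pair is counted once per burst, so the count says "in how many bursts", not "how often"."""
    hits = Counter()
    for burst_start in error_bursts(errors, per_minute):
        seen = {(ident, path) for ts, ident, _, path in access
                if burst_start - window <= ts < burst_start}
        hits.update(seen)
    return hits


if __name__ == "__main__":
    access, errors = parse_access(ACCESS_LOG), parse_errors(ERROR_LOG)
    print("identity outliers:", identity_volume_outliers(access))
    print("error bursts:", [b.strftime("%H:%M") for b in error_bursts(errors)])
    for (ident, path), n in requests_preceding_bursts(access, errors).most_common():
        print(f"{n} burst(s) preceded by {ident} {path}")
```

On this data the identity tool's basis question flags nobody (every identity's volume is within two standard deviations), and the log tool's basis question reports two bursts without saying what caused them. Only the joined query shows that bob's calls to the export endpoint precede both bursts while everyone else precedes at most one. That is a lead to investigate, not proof of cause, and it was available only after a second data source and a question outside either tool's basis were brought in.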
Provide a way for users to query your analytics tools, and do the same for developers, IT operations, and management. You will be surprised by the results and by the odd correlations they turn up.
Share your own imaginative correlations.