What Is Your SOC’s Single Search of Truth?

The whole point of a single pane of glass is making sense of your data. But when these dashboards are limited to a single platform, how useful are they? It seems like all they’ve led to is more browser tabs or more monitors crowding your analysts. We know we want to take action based on our data, so how do we get there?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Matt Eberhart, CEO, Query.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Query

Query Federated Search gets to your security relevant data wherever it is – in data lakes, security tools, cloud services, SIEMs, or wherever. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.

Full Transcript

Intro

0:00.000

[David Spark] A single pane of glass sounds nice, but it falls short in practice when data resides in disparate locations. So, how can organizations make sense of this data in practice?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost in this wonderful episode, it’s Mr. Steve Zalewski. Steve, say hello to our wonderful audience.

[Steve Zalewski] Hello, audience.

[David Spark] We only know how to make wonderful episodes, and we… By the way, we have told the audiences that stink to stop listening to us. Did you know this, Steve?

[Steve Zalewski] No.

[David Spark] We’ve sent them personal invites saying, “You’re no good. You’re not good for us.” So, if you have not received one of those messages, you’re on the nice list.

[Steve Zalewski] There you go. That’s where you want to be.

[David Spark] There you go. Our sponsor for today’s episode, a brand new sponsor with the CISO Series. Thrilled to have them onboard. It’s Query, federated search for security data. Aw, sounds interesting. Guess what? That will be part of our topic of conversation today, so we’re going to learn a lot about that. And we have the CEO of the company with us, so hang tight. 

We’re going to introduce him in a second, but I want to get to the topic at hand. The whole point of the single pane of glass… Which by the way, has been like a running joke on this show, I should point out. But the whole point of single pane of glass is making sense of your data. That was the point. I look at it. “Aw, I get what’s going on.” That was the goal here. But when these dashboards are limited to a single platform, how useful can they be?

It seems like all they’ve led to is more browser tabs or more monitors crowding your analysts. We know we want to take action based on our data. Is the single pane of glass to go, or is it something else? I don’t know, Steve. What did you learn from our audience?

[Steve Zalewski] So, some of the audience noticed when I put the quote up that I had a Freudian slip and described it as a single pain, as in P-A-I-N, of glass. And when people were like, “Hey, Steve, did you mean that?” And I said, “Well, kind of a Freudian slip,” because that really is the pain point. And then I put it back. So, I want to thank everybody for noticing that Freudian slip, but I thought it was pretty interesting for truly what I think we’re talking about today, is it is a pain point, but we don’t quite understand the pain problem. 

That’s where I think we got a lot of good feedback as to how people were interpreting the access to data versus the single pain of policy management.

[David Spark] Well, there was an insane volume of response on this, and it really just came down to, “What are we going to make sense of all this data?” And so we had this really interesting discussion about the single pane of glass, and then the discussion evolved into, “Well, how are we going to know what’s going on?” 

And so we’re going to progress this discussion in that sort of format. And the person who’s going to help us with this is our sponsored guest. He happens to be the CEO of Query, none other than Matt Eberhart. Matt, thank you so much for joining us.

[Matt Eberhart] Thank you very much for having me on another wonderful episode of Defense in Depth. Great to be here.

[David Spark] We have trained him well.

[Steve Zalewski] I was going to say, hey, I think he’s looking for a job. We may have him all set here.

[David Spark] Matt, you didn’t get one of those emails where we told you to stop listening, did you? You didn’t get one of those.

[Laughter]

[Matt Eberhart] Thankfully I didn’t.

[David Spark] But, again, if you’re listening, and you got one of those emails to tell you to stop listening, you really should stop listening. I’ve never sent one of those emails out, just so everyone knows.

What are the elements that make a great solution?

3:58.725

[David Spark] Erkang Zheng of JupiterOne said, “The concept of a single pane of glass is sound. We all wanted one, but we’ve all been burned by promises that didn’t pan out, to the point we don’t want to hear that term anymore.” Oh my God, he crystalized it perfectly. “The question is though, a unified/consolidated data platform for what data. 

There’s time series data used for detection and response, and there are unified platforms for that — SIEM, XDR, etc. And then there is structural and configuration data for proactive contextual analysis, modeling, optimization and reporting.” Good point here. Philip Swaim of Clario said, “There is no single pane because there is no single way to evaluate, visualize, or summarize security and fully capture the multidimensional and uniquely contextual circumstances of each business. 

There is no one way to explain risk as every audience has their own point of view.”

And Rajaram (Raj) Srinivasan who’s with the Stealth Startup said, “My holy grail vision of ‘single pane of glass’ is connected workflows without vendor boundaries. In an API-first world, this isn’t hard to achieve at all. It is important for any vendor to realize that they don’t exist in isolation and to get a grasp of the customer’s solution ecosystem.”

I love all three of these quotes. I couldn’t pick a favorite one. They’re all great here. Really, we love the idea. It doesn’t pan out. It’s far too complex. Then what Raj says at the end is, “Hey, there’s no one data source here. There is a huge ecosystem here.” Steve, they set it up really nicely.

[Steve Zalewski] And I think these three quotes get back to the single pain of glass, is that we got different problems. We jump to the conclusion when you hear single pane of glass for what it means to you, and I think these three quotes are great because these actually are different use cases that have an underlying requirement for the information, but they have a different expectation for how you want to execute on that information. 

And that theme kind of goes through consistently, which is what is the problem you’re trying to solve that a single pane of glass is the method by which you’re trying to describe it.

[David Spark] When you hear the single pane of glass, Matt… I’m sure like when you first heard it, you go, “It sounds like a great idea.” How did you slowly come to realize, “We’re never going to be able to solve a problem by one visualization.”

[Matt Eberhart] Yeah, I mean, for sure. I think Steve probably nailed it, calling it P-A-I-N of glass.

[David Spark] By the way, he’s not the first. [Laughs]

[Matt Eberhart] Definitely not. I agree with Erkang, that when I hear single pane of glass, it kind of immediately for me conjures negative marketing hype type of thoughts. If I think about security teams, they’ve always been powered by data. But centralizing all the data that you might ever need for any purpose, that just doesn’t work for so many different reasons. 

Today, security relevant data is now everywhere. And so enabling teams to make better use of it for very specific missions I think is a much better approach. So, you may end up having different panes of glass that are used for different purposes, but the idea of trying to have just one, a single one, just seems like we’re not going to get there.

[David Spark] No, and that’s when we sort of evolve into these workstations where it has literally multiple panes of glass, and it looks cool, but it’s not functional.

This problem doesn’t end here.

8:06.353

[David Spark] Tony Gonzalez of Innervision Services said, “The single pane of glass is mostly unattainable. A few have attained this, but it’s not the whole window. Maybe just a single pane relevant to a function, management reporting.” 

And Duane Gran of Converge Technology Solutions said, “The promise hasn’t lived up to the hype, but I’ll give credit that in trying to produce such visuals we do the important work of deciding what not to observe and measure.” So, what has…?

I’ll start with you, Matt. What has the single pane of glass told us of what to look at and what not to look at? I mean, there is some value that’s coming out of this, but it’s not giving the full picture in terms of the point of what it’s supposed to do.

[Matt Eberhart] Yeah, I think most panes of glass tend to be pretty good at one or maybe two things. And I think Tony and Duane make great points, that it does kind of feel like hype. But, boy, it sure would be great to be able to measure program effectiveness and reporting a little bit more broadly across different systems. 

And so there is certainly promise there, but it’s… Again, I think it’s about using the data for specific mission driven purposes and understanding what data you need. And if you don’t have…or I should say when you have the limitations of having to have all of that data in one place to make use of it, that usually doesn’t work out.

[David Spark] And I just want to also add, I think it also… When we don’t have any information, we don’t even know what questions to ask. And I think these panes of glass, again, while they’re not fully giving us a full picture, they’re helping us to understand some basic problems that happen in the environment to allow us to start asking questions and to start investigating. Yes, Matt?

[Matt Eberhart] I think so. I mean, if you take a specific mission, like let’s say you’re working a security investigation, and it starts with a piece of data… Like maybe there’s a malicious file, and you’ve got the hash of that file. Well, what happens with investigations is one question leads to the next question. It’s not just one single question that you’re trying to answer. 

And so you find that you run into the edge of the data source, and now as an operator, I’m pivoting to the next tab in my browser. Or as you pointed out, David, that’s why analysts now have five or six screens that they’re sitting in front of. It’s very challenging to try to move across all these different panes of glass while in your head you’re trying to correlate all those together and actually understand what’s happening.

[David Spark] Steve, I’m going to throw this to you. I get the feeling that having multiple panes of glass is like the equivalent of having a muscle car. It’s darn cool, but it’s not really what you need at the time. What is the value we’re getting though?

[Steve Zalewski] So, the problem doesn’t end here, but I want to talk about what problem did we start with. Right? Because where we’re going is analysts need data. We have more and more analysts. But if you think back 15 years when I was young and getting into this, the single pane of glass was oriented primarily around SLAs. Right?

Because there wasn’t much security 15, 20 years ago for the number of products and what we were trying to do – basic firewalls, basic malicious files that we were trying to stop. There wasn’t much. And so what we were trying to say is we could under a single pane of glass provide that unified view. It was attainable back then. We didn’t have the maturity. And so I kind of reminded myself when I said that was where single pane of glass came from.

But what’s occurred over the last 20 years is the perimeter of security has expanded dramatically. The wall is much bigger. And now, to what we talked about, I still would like to do SecOps and have my SLAs around my operational efficiencies, is everything up. 

But then my SOC and SIEM team for incident response and red teaming have a whole different set of requirements and data that they have to mine. And then I want to be able to look at my metrics for like my risk posturing. And so the big ah-ha for me when I asked this question and kind of was looking at people’s appreciation for it can’t be a single pane of glass because the security practice itself has specialized into different areas where it doesn’t make sense to do that anymore.

Sponsor – Query

13:08.453

[David Spark] Before I go on any further, I do want to mention our spectacular sponsor. That’s Matt’s company, Query. So, data overload is a relentlessly growing problem for security teams. I am preaching to the choir, I know, here. With Query, you can actually though break that cycle. 

As the first open federated search solution for security data, Query provides a new approach to accessing, searching, and understanding the security relevant data scattered across your security tools, data lakes, cloud surfaces, SIEMs, and other API accessible systems. 

With Query, analysts search once without needing to know a variety of search languages and get back normalized and enriched results using the Open Cyber Security Schema Framework, or OCSF.

Now, Query can be used directly via an API or as a Splunk app to quickly expand your visibility to the security relevant data you need without more data movement and duplication. So, let the data stay where it is. You’ll just pull it in and search it wherever you are.

Now, by making better use of the data all around you, security teams are able to effectively reduce mean time to respond, which, by the way, we talk about this all the time, the number one metric everyone wants to improve. And with more choice on data storage, companies regain control over their systems and avoid vendor lock-in. Aw?

Leading to more efficient SIEM architectures that drive down data driven costs. This sounds great. So, it’s your data, right? Let Query help you put it to work. It’s already out there. You just need to manage it and understand it more. Visit their site. It’s query.ai to learn more and get started with a free proof of value deployment.

Does anyone understand what’s going on?

15:11.640

[David Spark] Matt Svensson of SecurityMinded said, “The only way I can see having the single pane is if you build on your own data lake and make it yourself. Even then, it’s not a single pane. It’s a half a dozen or more. Example, the vulnerabilities, software and asset health, patch management, event alerts, training and compliance, GRC, risk register. 

SIEMs are too expensive to put everything in. Vendors can’t support every data set across the potential vendors we use.” And Anatoly Chikanov of HealthEquity said, “It’s getting closer. At some point you will simply type a query in and get the graph/answer that you need. So, AI back end with all data sources integrated to it.” 

And lastly, John C. Underwood of Big 5 Sporting Goods said, “The best we are going to get in the near future is not a single pane of glass, but more of a series of consolidated views into our security program based on the telemetry, data type of program focus. APIs help consolidate data.” All right, I just want to say, I didn’t pay any of these people to say what they said, but I swear, Matt, they are speaking exactly what Query is doing. Am I right here?

[Matt Eberhart] 100%, David. Absolutely. I think Matt Svensson said it particularly well – that it’s not a single pane of glass. It’s half a dozen or more. And the problem just continues to compound as you add more. You have the architectural challenges, data movement challenges. And so if you could get to a place where you’re decoupling the security operational jobs from the data locations then you potentially really have something, and that’s what Query is aimed at. 

Today, analysts and operators are accessing all these different systems that have different search syntaxes, different data structures, and it’s too much. And if you look at capabilities that are emerging across cloud platforms like Amazon Security Lake where they offer a promise to have lower cost storage and normalized frameworks, that’s great.

But that’s likely just going to be one element of any organization’s security data strategy. And so like Matt says, when you add in half a dozen or so, the problem just continues to compound. So, certainly, like you said, self-serving statement, but this is exactly the problem that Query is aimed at solving.

[David Spark] Right. And I just want to point out that both Anatoly and John also make references to the fact… Anatoly talks about hopefully the goal is you just type in a query and get your answer, which is essentially what you’re trying to do with your federated search. And then lastly, John is saying instead of trying to ingest every darn thing, it’ll just get too expensive with a SIEM. But the APIs are there to help consolidate, and that’s how you’re looking at the data, correct?

[Matt Eberhart] That’s right. And as an operator, if you know that you can just go to one place and search and that the technology that Query is providing is going to handle the translation, the normalization… And as you said, we’re using OCSF. And as teams get more and more familiar with that, it makes it even more powerful. But it also, I think, removes this kind of challenge that analysts have that they’re like, “Am I missing something? Do I understand the search language? Am I understanding the data structure enough to really search correctly?” And so we’ve removed that and enabled teams to just get access to the data so they can focus on doing their job.

[David Spark] All right. Steve, I send this to you. This segment, again… I had no idea, but these all three are speaking to what Matt’s product is doing, which is another way of looking at this problem that we were trying to solve via single pane of glass.

[Steve Zalewski] Yes, and I will take it back to look at it slightly more holistically for a minute, too, which is the federated search… And what we’re talking about here is can I get everything I need from an analyst’s perspective. We’re pretty focused on analysts here. Realize part of what we’re doing with this also is we’re looking at if we have two or more tools that we have to deploy for something, how can I get a unified view. Because I don’t want to have to go across two, three, four screens. Not from an analyst’s perspective but from the ability to have like unified policy and unified reporting.

So, I think there’s a second issue here which we’re still struggling with, which is what are the domains where I’ve got multiple products deployed that I want a single pane of glass in those domains to consolidate. And so I don’t want to ignore the fact that while we’re looking at the analysts here, the same technology does have a secondary opportunity for us to be able to build those unified views, and we’re going to continue to mature that. 

And these types of microservice APIs are necessary where vendors can then build us incremental value proposition.

20:31.870

[David Spark] Jonathan Chan of Episource said, “I don’t believe in a single pane of glass. Here’s why – data silos. Platform proliferation often leads to siloed data, making a unified view nearly impossible. Overwhelming complexity. Trying to cram everything into one tool might create an overly complex interface, hindering usability. Limited scope.

A single pane might excel in specific areas but lack functionalities crucial for other security aspects. And lastly, vendor lock-in. Dependence on a single vendor can be risky and inflexible in the long run.” Wow. Summed up everything we talked about here. And Josh Basinger of Safe Security said, “The dream of a unified security management platform hasn’t faded. It’s just that the landscape has changed.” Something you were referencing, Steve.

“The key is to find solutions that do more than just bring information together. They need tools that really dig into the data, highlight the risk clearly, and help prioritize what to tackle first, all while keeping the business’ main goals in sight.” 

So, I’m going to start with you, Steve, on this one. Let’s start with this last. Like we just need better direction because all this is confusing the crap…and making it difficult to have direction, isn’t it?

[Steve Zalewski] Well, I think what we’re getting at here is the explosion of data. The underlying explosion of data that we have to have, because contextualization is the game now. Right? Having all that data and being able to leverage it to make better decisions is what we’re acknowledging. And so when I look at the quote like this, it’s really a tacit approval or acknowledgement of where is all that data.

Aggregating it in place isn’t appropriate, but we have to embrace it all. Because Gen AI and some of the other technologies that leverage all this have this underlying need to be able to create moments in time of certain types of data to do something. 

And I think that’s part of what we’re acknowledging here, too, is the changing landscape. It’s not that we are solving the wrong problem. It’s that the explosion of data has caused us to re-envision how we’re having to solve some of these problems.

[David Spark] I’m going to throw this last one to you, Matt, here. And you have the closing thoughts on this. I want you to go back to what you were saying with regards to why you started this, and it’s more than just the single pane of glass story. 

It’s trying to get the right information at the right time. But then I’m going to sort of challenge you. It’s like, well, sometimes I don’t even know what the question to ask is. What help do I have to know the question to ask?

[Matt Eberhart] Yeah, I think there’s a couple of things there. Josh pointed this out in his response – that the dream of a unified security management platform hasn’t faded. I think that’s right, but maybe it’s given way to the reality that there are a number of different important security platforms in any given enterprise. 

And to your point, David, you’re getting signal out of all of them. But if you’re constantly pivoting around into different ones, trying to make sense of it all, it’s really inefficient, and it leads to missing things. And so the ability to be very mission driven if I want to threat hunt across a number of different data sources, almost publishing that as a service, if you will, to the threat hunters so that they can do their job. It’s hard enough to threat hunt, much less having to understand 25 different data structures and search languages.

But the ability to be able to get access to that data, to understand it, and then to move to the next thing is just incredibly powerful. That’s really what Query is focused on. Our mission is to help teams make better use of the security data that’s all around them. We want to help them access, search, and understand that data as they’re doing their job every single day. We like the term SecDataOps, which is really about using data to improve security operations. That’s what we’re focused on. So, check us out at query.ai. Follow us on LinkedIn. 

We post a lot of technical how-to content. There’s a big movement happening in data across security right now, and there are a lot of great capabilities. So, teams can kind of get started with making better use of data in a number of different ways, and we’re hiring across the company as well. You can find more about that on LinkedIn as well.

[David Spark] That’s usually my closing question, but you brought it up right here. Awesome.

25:30.724

[David Spark] All right, that brings us to the next portion of the show, which is your favorite quote and why. I’m just going to set this up with there are a lot of really good quotes in this episode. I really liked it. It’s packed. Picking one is tough. So, Matt, I’m going to let you have the first choice here. Which quote was your favorite and why?

[Matt Eberhart] Wow, that is really tough. There are so many good ones. This has been great. Thank you for posting, Steve. A lot of engagement and a lot of opinions, a lot of nuance in there.

[David Spark] And by the way, to the audience, we’ll link to the original post that Steve has up, which has a ton of great comments. I mean, we had to cut out a lot of good stuff, unfortunately, for the show, but it’s all there in the discussion. Go ahead, Matt.

[Matt Eberhart] I’m going to say it was Matt Svensson because I think it really sums it up well, that people want to have a single pane, but you’re going to end up having multiple panes of glass, which creates more and more challenges. And I like how he goes on to talk about SIEMs are expensive. One vendor can’t support everything and that it’s really… But still, we’re all kind of looking for those places where we can see as much as we possibly can.

[David Spark] Good point. All right, Steve, your favorite quote and why.

[Steve Zalewski] First, I want to thank the audience. There was so much rich feedback here. Thank you. Just personally, thank you. This is just so much good stuff. I was conflicted. I almost went with John Underwood at Big 5 Sporting Goods, but I’m going to go with Erkang Zheng over at JupiterOne. 

This is why, which was it was kind of what I was speaking through today as well. It’s not just analysts, but the concept of a single pane of glass is sound, but what it has to be is a consolidated view of data, time series, but based on what you’re trying to accomplish. Is it contextual analysis, modeling optimization, reporting? And I think he really hit it on the head, which is we’re now understanding kind of the new view of the definition, and I want to thank him for really articulating that what I think was pretty clearly and pretty succinctly.

[David Spark] Excellent. Well, that brings us to the very end of the show. I want to thank our sponsor. That’s Matt’s company. That’s Query. You can find them at query.ai. Federated search for security data. Look at all of your data, not just everything that you have in one physical place. You look at it all and search across all of it. 

I’m going to let you have the last word here, Matt, in just a second. I want to thank my cohost, Steve, as well, as being awesome and getting this conversation going on LinkedIn. You did mention that you’re hiring. Anything else that you forgot to mention, an offer for our audience? Anything else? I did mention that there is a free trial, yes?

[Matt Eberhart] Absolutely, yeah. There’s a lot more information on query.ai. There’s a number of videos that show you what it’s like using the product. But there’s also… Check out the blog section. There’s a lot of content that even if you’re not going to use Query talks a lot about how to make better use across security operations. 

So, hopefully people will find some of that useful. I’d love to hear from people. We love new use cases. We try to post things on LinkedIn all the time about problems that analysts face, whether it’s correlating across IPs, host names, and usernames, other common problems that people run into as they start to use multiple data sources. But throw those challenges at us. 

And we’ve tried to make it easy to onboard, and we understand that security teams aren’t necessarily looking to add yet another vendor to their tech stack. So, being able to get in place quickly, solve real problems is something we’ve thought a lot about at Query, and we’d love to hear from people.

[David Spark] Number one thing we hear is, “Does it work with what I’ve already got in place?”

[Matt Eberhart] Yes, absolutely.

[David Spark] You are very much addressing that very issue. Thank you, again, Matt. Thank you, again, Steve. And to our audience, we greatly appreciate your contributions. You knocked it out of the park for this one. And we appreciate you listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review, leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.