Asking Your Big Security Data Questions (Part 2)

As we discussed in Part 1 of this post, humans are creating more data than ever before, and that is not changing anytime soon. The cybersecurity industry needs to ingest this information and make decisions on it every day, but as more data is generated it gets harder and harder to find meaningful answers in it.

This issue is compounded by today's interfaces, which feel like they were built for computers rather than people. Even the most ambitious UIs fall victim to the limits of how we as humans operate. As data grows, how do analysts communicate with machines? How do we ask the data better questions in order to make critical business decisions?


The State of the Cybersecurity Industry

As a cybersecurity product company, JASK deals directly with a big data problem. JASK consumes hundreds of thousands of events per second, and that volume is growing 150% each month. Unlike many of JASK's competitors, JASK lives fully in the cloud and ingests events from all of our customers, rather than being an on-premise product that only consumes one organization's data.

JASK applies intelligent algorithms to analyze data and identify threats, but analysts still need to understand this data in order to make the call on a potentially business-critical attack. At JASK, we wanted our platform to give the most sophisticated analysts the ability to analyze data, while also empowering entry-level analysts to ask the same complex questions. Many of JASK's competitors go too far in one direction or the other on that spectrum.

Splunk is one of the most popular products that security practitioners use to analyze data and make decisions. Splunk and similar products tend to expose a SQL-like query language (Splunk's own is SPL) to find and filter data.

This method, while powerful, takes years of experience to master and be effective with, and it is still error prone. In query-language interfaces of this kind, it is also difficult to re-adjust the query without re-writing it and pivoting on the data.


Auditing the Available Technologies

At JASK, we analyzed each of the methods employed in technologies today in a variety of verticals and found:

  • Exciting new technologies like NLP are promising, but it can be cumbersome to type out simple questions in the 'right' way to get the desired response. NLP is also difficult to use when analysts don't know exactly what they are looking for. Imagine trying to ask Siri 'What stores have the new Call of Duty game in stock, are within a 15 mile range, and are open after 5PM?' Even once you have a broad set of answers, you need to analyze and pivot on the results, which requires re-typing the question multiple times with slightly different conditions.
  • Point-and-click interfaces are easy to use, but very quickly become complex and difficult to understand. They are unpopular amongst senior analysts who just want to jump into a terminal and type out a grep query.
  • Technologies that use SQL are very powerful, but require years of training to be effective. It is also still difficult to pivot on the information without re-writing the query.


We wanted to combine the strengths of all of these technologies; making a tool that is easy for entry level analysts to use and powerful enough for the most sophisticated analysts. We also wanted to make it feel more natural, as if you were asking your data a question like you would a colleague.


Introducing JASK’s new Search and Filtering Capability




The new JASK filter bar builds on the strengths of some of the oldest and newest technologies to create an intuitive interface. As analysts explore their data sets, they can quickly type or point-and-click their way through a query, with context such as suggestions and visual elements such as calendars offered at each step.



In this experience, analysts can filter down to the insights that matter to them. By letting the user visually ask the question one word at a time, the filter bar helps the analyst build better queries. Once a query exists, the user can go back and edit any part of it without re-creating the whole query, which makes pivoting on the data easy. Creating and modifying a complex query (for example, show Insights created in the past seven days that are unassigned and still open) becomes simple enough for an entry-level analyst to do.
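The design point above, that a query held as structured clauses can be edited one clause at a time instead of re-typed, is easy to see in code. The following is an added illustration written for this post, not JASK's filter bar or any of its source: a toy query model in which each clause is a `{field, op, value}` token, a small schema that drives the token-by-token suggestions, and a constructed set of four sample Insights with a fixed "now" so the result is deterministic. The field names (`created`, `assignee`, `status`), operators and sample data are all assumptions made for the example.

```javascript
// Added example (not JASK's code). A query is an ordered list of clauses,
// each a {field, op, value} token. Because the query is data rather than a
// string, a pivot is a one-clause edit followed by a recompile.

// Hypothetical schema: drives which tokens the filter bar suggests next.
const SCHEMA = {
  created:  { type: 'date' },
  assignee: { type: 'string' },
  status:   { type: 'enum', values: ['open', 'closed'] },
};

// Operators, keyed by name, with the field types each applies to.
const OPS = {
  eq:  { fn: (a, b) => a === b, types: ['date', 'string', 'enum'] },
  neq: { fn: (a, b) => a !== b, types: ['date', 'string', 'enum'] },
  gte: { fn: (a, b) => a >= b,  types: ['date'] },
  lte: { fn: (a, b) => a <= b,  types: ['date'] },
};

// Suggest the next token for a partially built clause, one word at a time:
// no field yet -> field names; field but no op -> operators valid for that
// field's type; field and op -> enumerated values, if the schema has any.
function suggest(partial) {
  if (!partial.field) return Object.keys(SCHEMA);
  const spec = SCHEMA[partial.field];
  if (!spec) throw new Error(`unknown field: ${partial.field}`);
  if (!partial.op) {
    return Object.keys(OPS).filter((op) => OPS[op].types.includes(spec.type));
  }
  return spec.values ? [...spec.values] : [];
}

// Compile the clause list into a single predicate (all clauses must hold).
function compile(clauses) {
  const preds = clauses.map(({ field, op, value }) => {
    if (!SCHEMA[field]) throw new Error(`unknown field: ${field}`);
    const spec = OPS[op];
    if (!spec) throw new Error(`unknown operator: ${op}`);
    return (row) => spec.fn(row[field], value);
  });
  return (row) => preds.every((p) => p(row));
}

function applyFilter(clauses, rows) {
  return rows.filter(compile(clauses));
}

// Pivot: return a copy of the query with one clause patched in place.
// The other clauses are untouched, so nothing has to be re-typed.
function editClause(clauses, index, patch) {
  if (index < 0 || index >= clauses.length) {
    throw new RangeError(`no clause at index ${index}`);
  }
  return clauses.map((c, i) => (i === index ? { ...c, ...patch } : c));
}

// Constructed sample data with a fixed clock so results are reproducible.
const DAY = 24 * 60 * 60 * 1000;
const NOW = Date.UTC(2018, 5, 15);
const INSIGHTS = [
  { id: 'i-1', created: NOW - 2 * DAY,  assignee: null,    status: 'open' },
  { id: 'i-2', created: NOW - 10 * DAY, assignee: null,    status: 'open' },
  { id: 'i-3', created: NOW - 1 * DAY,  assignee: 'alice', status: 'open' },
  { id: 'i-4', created: NOW - 3 * DAY,  assignee: null,    status: 'closed' },
];

// "Insights created in the past seven days, unassigned, still open."
const RECENT_UNASSIGNED_OPEN = [
  { field: 'created',  op: 'gte', value: NOW - 7 * DAY },
  { field: 'assignee', op: 'eq',  value: null },
  { field: 'status',   op: 'eq',  value: 'open' },
];

function recentUnassignedOpen() {
  return applyFilter(RECENT_UNASSIGNED_OPEN, INSIGHTS).map((r) => r.id);
}

// Pivot by editing only the status clause (index 2): same window, same
// assignee condition, now looking at what was closed instead.
function pivotToClosed() {
  const q = editClause(RECENT_UNASSIGNED_OPEN, 2, { value: 'closed' });
  return applyFilter(q, INSIGHTS).map((r) => r.id);
}

module.exports = { suggest, compile, applyFilter, editClause, recentUnassignedOpen, pivotToClosed };
```

The `suggest` function is what turns "ask the question one word at a time" into something a UI can drive: the set of legal next tokens is always small and derived from the schema, which is also why an entry-level analyst cannot build a syntactically invalid query this way, while a senior analyst still ends up with a precise, inspectable clause list.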


This is just one of the ways we are making it easier for security operations centers to operate effectively while addressing the security staffing gap in the market today.


About the Author

Austin McDaniel is a Software Architect with deep experience in building enterprise cybersecurity and data visualization platforms.

He is a globally recognized leader in the software industry, speaking around the world and authoring popular open-source projects used by some of the largest organizations in the world.

Austin has helped build cybersecurity organizations from the ground up and has worked with some of the most prolific software and security organizations, including Google, RSA, the Department of Defense and MasterCard. He is also one of the founding members of Swimlane, a Security Orchestration, Automation and Response (SOAR) platform.




