Cindy works long hours managing a SecOps team at UltraCorp, Inc. Her team’s days are spent triaging alerts, managing incidents, and protecting the company from cyberattacks. The workload is immense, and her team relies on a popular SOAR platform to automate incident response including executing case management workflows that populate cases with relevant event data and enrichment with IOCs from their TIP, as well execute a playbook to block the source of the threat at the endpoint. All of this happens in seconds.
On the weekends, Cindy’s been house shopping. After dozens of open houses, she finally found one she likes and the sellers accepted her offer. Then she hit a brick wall when she applied for a mortgage. It took nearly thirty days for the approval to come through, and the sellers almost walked from the deal.
It may not seem like it, but both of these scenarios – mortgages and security events – are happening in real time.
Many people, especially in IT and security, conceptualize real time as machine time. That means data is available and operations occur as fast as machines can operate, with no human interaction or dreaded batch processing. While widely accepted and internalized, equating real time to machine time creates problems. Let’s look at a few of those.
The infrastructure necessary for a true real time architecture, from networks to hardware to software, isn’t cheap. The goal metric is machine time and you have to throw significant cash to lower that machine time as much as possible. You can’t afford bottlenecks. Only the fastest networks, processors and memory will do. Even after all that investment, there’s only so much progress you can make to eliminate machine time. The laws of physics are laws for a reason.
Infrastructure aside, real time incurs other costs, namely around business processes. Most business processes, like the mortgage example above, don’t operate at machine time. They operate at business time, meaning they need data from other parts of the business, or from third parties. Perhaps they’re waiting on the weekly FTP job to be complete and the CSV to be processed. Or regulations may require a documented explanation of each process step for auditors to review later. (I hope you never have to recount six-month-old decisions to an auditor. It is awful.)
I’ve only cited a few examples, but there are a number of reasons why business processes don’t operate at machine time.
Instead of treating real time as machine time, think about it differently: real time is the time you need to make a decision. If your security SLAs state you’ll detect an incident within 5 minutes, real time is anything less than 5 minutes. If your mortgage guarantee is 30 days, real time is less than 30 days. There’s little value in over-investing unless there is a driving business need.
If you can internalize your understanding of real time around the decisions you and your business must make, you can get past legacy views around machine time and start delivering meaningful, repeatable results.
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.
We offer free training, certifications, and a generous free usage plan across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started. We also offer a hands-on Sandbox for those interested in how companies globally leverage our products for their data challenges.