Reinventing ETL for Detection and Response Teams
Josh Liburdi
BSidesSF 2024 · Day 1
In his BSidesSF 2024 talk, "Reinventing ETL for Detection and Response Teams," Josh Liburdi tackles a topic he admits is often considered "boring" but is, in his view, critically important: **Extract, Transform, Load (ETL)** processes in cybersecurity. Liburdi argues that the current state of security ETL is fundamentally broken, leading to significant challenges for **Security Operations Center (SOC)**, **Incident Response (IR)**, and **Threat Hunt** teams. His presentation is a call to action to move beyond simply collecting data and instead focus on transforming raw data into actionable information and knowledge in real-time.
AI review
This talk cuts through the usual vendor fluff to address a fundamental, often ignored problem in security operations: the abysmal state of ETL. Liburdi correctly identifies that current approaches burden analysts with raw, decontextualized data, leading to fatigue and inaccurate conclusions. He introduces the critical concept of 'data decay' and proposes practical, open-source patterns ('Time Travel,' 'Telephone,' 'NXR') for real-time data enrichment within the pipeline, demonstrating how to transform raw events into actionable, highly contextualized information before it even hits the SIEM…
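To make the review's central point concrete, here is an added example of enrichment done inside the pipeline rather than at investigation time. It is not code from the talk, from Josh Liburdi, or from any project he describes, and it does not implement the named 'Time Travel', 'Telephone' or 'NXR' patterns, whose details this page does not give. The asset inventory, IP addresses, hostnames and raw events are all constructed for illustration, and the priority policy in `prioritize` is an arbitrary stand-in for a team's own triage rules.

```python
"""Point-in-time enrichment of raw security events at ingest.

Added example (not from the talk or any project it describes). The asset
history and raw events below are constructed; hosts and IPs are hypothetical.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed asset history: each lease is (valid_from, valid_until_or_None,
# attributes). The same IP moves between hosts over time, which is exactly
# why enriching a stored raw event days later can attribute it to the wrong
# machine and owner: the context has decayed since the event happened.
ASSET_HISTORY = {
    "10.0.0.5": [
        ("2024-05-01T00:00:00Z", "2024-05-03T00:00:00Z",
         {"host": "ws-alice", "owner": "alice", "tier": "workstation"}),
        ("2024-05-03T00:00:00Z", None,
         {"host": "ws-bob", "owner": "bob", "tier": "workstation"}),
    ],
    "10.0.0.50": [
        ("2024-01-01T00:00:00Z", None,
         {"host": "db-prod-1", "owner": "dba-team", "tier": "crown_jewel"}),
    ],
}

# Constructed raw events, one JSON object per line, as a collector might emit them.
RAW_EVENTS = [
    '{"ts":"2024-05-02T14:03:11Z","src_ip":"10.0.0.5","action":"auth_failure","user":"svc_backup"}',
    '{"ts":"2024-05-04T09:15:00Z","src_ip":"10.0.0.50","action":"auth_failure","user":"root"}',
    '{"ts":"2024-05-04T09:16:00Z","src_ip":"192.168.9.9","action":"auth_success","user":"guest"}',
]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def lookup_asset(ip: str, at: datetime) -> dict | None:
    """Return the asset record that was valid for `ip` at instant `at`, or None."""
    for start, end, attrs in ASSET_HISTORY.get(ip, []):
        if parse_ts(start) <= at and (end is None or at < parse_ts(end)):
            return dict(attrs)
    return None


def prioritize(event: dict, asset: dict | None) -> str:
    """Derive a triage priority from the event plus its context (illustrative policy)."""
    if asset is None:
        return "medium"  # an unknown source on the network deserves a look
    if asset["tier"] == "crown_jewel" and event["action"] == "auth_failure":
        return "high"
    return "low"


def enrich_event(raw_line: str, as_of: datetime | None = None) -> dict:
    """Enrich one raw event.

    With as_of=None the lookup is pinned to the event's own timestamp, which is
    what an in-pipeline transform can do at ingest. Passing a later as_of
    simulates an analyst enriching the stored raw event afterwards, against an
    inventory that has since changed.
    """
    event = json.loads(raw_line)
    when = as_of or parse_ts(event["ts"])
    asset = lookup_asset(event["src_ip"], when)
    enriched = dict(event)
    enriched["asset"] = asset
    enriched["asset_known"] = asset is not None
    enriched["priority"] = prioritize(event, asset)
    enriched["enriched_as_of"] = when.isoformat()
    return enriched


def run_pipeline(lines, as_of: datetime | None = None) -> list[dict]:
    """Transform a batch of raw lines into enriched records ready for the SIEM."""
    return [enrich_event(line, as_of) for line in lines]


if __name__ == "__main__":
    at_ingest = run_pipeline(RAW_EVENTS)
    for rec in at_ingest:
        print(json.dumps(rec))
    # The same first event, enriched a week later against the then-current
    # inventory, is attributed to a different host and owner.
    late = enrich_event(RAW_EVENTS[0], as_of=parse_ts("2024-05-10T00:00:00Z"))
    print("at-ingest owner:", at_ingest[0]["asset"]["owner"],
          "| late owner:", late["asset"]["owner"])
```

The point of the `as_of` parameter is the comparison it enables: the event from 10.0.0.5 on 2 May belongs to `ws-alice`, but an analyst who enriches the stored raw event on 10 May against the live inventory sees `ws-bob`. Doing the lookup in the pipeline at ingest, and writing the result into the record, freezes the context at the moment it was true.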