Since Marcus was not able to attend the first session, he will interview Ron and drill deeper into some of the more technical aspects of security data aggregation and analysis. Defining "normal" is one of the hardest things we do in security (the other is trying to get people to write perfect code!), but there are a few tricks that work. One of them is something Marcus has been banging the drum on for years, which is "never before seen anomaly detection". The idea is that if you've never seen something happen before, the first time it happens is pretty abnormal!
In this second session, we talk about detection algorithms and the problem of defining "normal".
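A small sketch of the never-before-seen idea described above, added here as an illustration and not taken from the session or from any tool by the speakers. The sshd-style log lines, the field "views" and the `NeverBeforeSeen` class are constructed for the example; it assumes a baseline period during which first sightings are learned silently.

```python
import re
from collections import defaultdict

# Constructed sample lines in sshd style; not taken from any real system.
BASELINE = [
    "Jan 10 09:01:12 gw sshd[811]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Jan 10 09:14:40 gw sshd[902]: Accepted publickey for bob from 10.0.0.9 port 50310 ssh2",
    "Jan 11 08:58:03 gw sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50877 ssh2",
]
LIVE = [
    "Jan 12 09:02:45 gw sshd[1500]: Accepted publickey for alice from 10.0.0.5 port 51001 ssh2",
    "Jan 12 03:17:09 gw sshd[1544]: Accepted password for alice from 10.0.0.5 port 51200 ssh2",
    "Jan 12 03:19:51 gw sshd[1551]: Accepted publickey for bob from 192.0.2.44 port 40022 ssh2",
    "Jan 12 03:25:30 gw sshd[1560]: Accepted password for svc_backup from 192.0.2.44 port 40100 ssh2",
]

LOGIN = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")

# Each view asks one question: "have we seen this combination of fields before?"
VIEWS = {
    "user": ("user",),
    "user+src": ("user", "src"),
    "user+method": ("user", "method"),
}

class NeverBeforeSeen:
    def __init__(self):
        self.seen = defaultdict(set)   # view name -> set of value tuples

    def observe(self, line, learning=False):
        """Record the line; return the views in which it is a first sighting."""
        m = LOGIN.search(line)
        if not m:
            return []
        firsts = []
        for name, fields in VIEWS.items():
            key = tuple(m.group(f) for f in fields)
            if key not in self.seen[name]:
                self.seen[name].add(key)      # abnormal only the first time
                if not learning:
                    firsts.append((name, key))
        return firsts

def run(baseline=BASELINE, live=LIVE):
    nbs = NeverBeforeSeen()
    for line in baseline:
        nbs.observe(line, learning=True)      # build "normal" without alerting
    return [(line, f) for line in live if (f := nbs.observe(line))]
```

Calling `run()` returns only the live lines that were a first sighting in at least one view, so the repeat of alice's usual login is dropped while the new method, new source and new account are each reported once.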