# Digging Into the Data: An Interview with Jay Jacobs -- Part I

By [Brian Tokuyoshi](https://www.paloaltonetworks.com/blog/author/brian/?ts=markdown "Posts by Brian Tokuyoshi") Feb 19, 2014

As security practitioners, we are often called upon to dig into the details of the latest threats, but are we really seeing the big picture?
What could we learn by looking at larger sets of data, and what techniques should be used to do it? Jay Jacobs is a Principal on the Verizon RISK team, and one of the co-authors of the Verizon Data Breach Investigations Report. I think of him as a security incident whisperer, because he's been applying data science to these challenging security questions. Jay and Bob Rudis have written a book on gathering, analyzing and visualizing security data called [Data Driven Security](http://www.datadrivensecurity.info/), which was officially released this week. Our paths first crossed many years back, and I wanted to catch up with Jay and get some of his perspectives on what he's seeing today.

**Brian:** Jay, what is data driven security all about?

**Jay:** Data driven security is about improving your ability to learn from security data. A good data-driven security program combines security expertise, programming, data management, statistics and data visualization techniques. We cover these skills in our book, and walk through several hands-on examples with real (and downloadable) data. We aren't inventing anything new here, but rather we're taking analytical techniques and practices used in other disciplines and applying them to information security.

**Brian:** Let's talk a bit about network security. [In a recent blog post](http://datadrivensecurity.info/blog/posts/2014/Jan/blander-part1/), you talk about instrumenting the data collection process by running a number of Internet-facing honeypots. These honeypots log security events that might get overlooked, such as the ports that get probed and how they trend over time. Where do you start with all of this information? Do you have a set of questions that you want to answer, or is it more like detective work to follow the breadcrumbs and see where they go?

**Jay:** The primary reason for data driven security is to use data to answer questions that will improve your learning and consequently help you make more informed decisions. It's always about answering questions. In some cases, like with the honeypot example, we want to "follow the breadcrumbs" and explore the data, and find the possibilities and limits for what the data can tell us. Sometimes just looking at the data without an initial purpose will yield obvious results. As we learn more, we can develop follow-up questions that we want to answer. For example, with the port scans in the honeypot data, we can ask and answer questions around the origin of the scans, and maybe we might make a map using geolocation of the IP addresses, but so what? What would we do with that information? However, we could also ask something like "what services are scanned the most?" which could be used to inform our decisions around the use of default ports and firewall policies. We could even ask how often a particular service is scanned to get a sense for the exposures that we face daily.

**Brian:** One of your findings indicates that port scans aren't all the same. Some ports are scanned more frequently (by a greater number of sources) than others, and they change over time. Is there any correlation between the spikes and the publication of a specific vulnerability?

**Jay:** That's a great question and something we could research by correlating long term port scan data with specific vulnerabilities. Logically, whoever is doing the scanning is expecting something in return. If most of the scans were malicious in nature, we would expect most of the port scans to go after known vulnerabilities. For example, when I first started watching traffic like this, TCP port 27977 was heavily scanned. At first, I couldn't figure out why that odd port was targeted so often. After some research, I found that the TDSS malware establishes an open SOCKS relay on that port when it infects a machine.
And I found that many others were looking for that port to support click-fraud. However, these days that port barely shows up as a target port for scans.

**Watch for Part 2 of this interview on February 20.**

We'll be covering many of these subjects at [Ignite 2014](https://www.paloaltonetworks.com/content/campaigns/ignite/ignite-2014/home.html), which takes place in Las Vegas March 31-April 2. Cybersecurity Industry Best Practices is among our list of marquee session tracks, which you can view [here](https://www.paloaltonetworks.com/content/campaigns/ignite/ignite-2014/sessions.html).