Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?
When it comes to log collection, it is always difficult to figure out what to to capture. The primary reasons are cost and value. Of course you can capture every logs flowing in your network but if you don't have a use case to attach to its value, that equals to wasted storage and money. Really not ideal since most Security Information Management (SIM) also referred to Security Information and Event Management (SIEM) have a daily cost associate with log capture. Before purchasing a SIM, the first task that is often difficult is, what do I collect and why? We want quality over quantity. Again, what you collect has a cost, the minimum amount of time logs are retained (how many years) must be calculated because it directly related to the number of events per second (EPS) collected daily [1], how many log collector are necessary to capture what you need, etc.
Next, it is important to identify your top five use cases, based on value that can have an immediate impact with the security team. This part is often difficult to pin point because it usually isn't an exercise the stakeholders have already worked out, in the end, it must map to the use case, what do I need to capture to be successfully alerted on? When the use cases have been identified, it is time to figure out what logs are necessary to identify the threat as it happen. You may have already identified some threats based on previous incidents which can be translated into a use case.
If you are looking for some examples, Anton Chuvakin [2][3] has written extensively on SIEM and is a good place to start. The next thing to do after you have identified your five use case, determine the quality of your logs into a spreadsheet into five category; identify the log source (firewall, IPS, VPN, etc.), its category (user activity, email, proxy, etc.) , its priority (high, medium, low), information type (IP, hostname, username, etc.) and matching use case (authentication, suspicious outbound activity, web application attack, etc.)[4]. The last step is to identify the SIM that will meet your goals.
[1] http://www.buzzcircuit.com/tag/siem-storage-calculator/
[2] http://blogs.gartner.com/anton-chuvakin/2014/05/14/popular-siem-starter-use-cases/
[3] http://blogs.gartner.com/anton-chuvakin/2013/09/24/detailed-siem-use-case-example/
[4] http://journeyintoir.blogspot.ca/2014/09/siem-use-case-implementation-mind-map.html
[5] https://isc.sans.edu/forums/diary/SIEM+is+not+a+product+its+a+process/20399
-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Comments
www
Nov 17th 2022
4 months ago
EEW
Nov 17th 2022
4 months ago
qwq
Nov 17th 2022
4 months ago
mashood
Nov 17th 2022
4 months ago
isc.sans.edu
Nov 23rd 2022
4 months ago
isc.sans.edu
Nov 23rd 2022
4 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
3 months ago
isc.sans.edu
Dec 26th 2022
3 months ago