Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?

Published: 2017-06-17
Last Updated: 2017-06-17 01:10:34 UTC
by Guy Bruneau (Version: 1)

When it comes to log collection, it is always difficult to figure out what to capture. The primary reasons are cost and value. Of course you can capture every log flowing through your network, but if you cannot attach a use case to it, that amounts to wasted storage and money. This is far from ideal, since most Security Information Management (SIM) products, also referred to as Security Information and Event Management (SIEM), have a daily cost associated with log capture. Before purchasing a SIM, the first task, and often the most difficult one, is deciding what to collect and why. We want quality over quantity. Again, what you collect has a cost: the minimum time logs must be retained (how many years) has to be calculated, because storage requirements follow directly from the number of events per second (EPS) collected each day [1], as does the number of log collectors necessary to capture what you need.

Next, it is important to identify your top five use cases, based on the value that can have an immediate impact for the security team. This part is often difficult to pin down because it usually isn't an exercise the stakeholders have already worked through. In the end, everything must map back to the use case: what do I need to capture to be alerted on it successfully? Once the use cases have been identified, it is time to figure out which logs are necessary to identify the threat as it happens. You may have already identified some threats from previous incidents that can be translated directly into use cases.

If you are looking for some examples, Anton Chuvakin [2][3] has written extensively on SIEM and is a good place to start. After you have identified your five use cases, the next step is to assess the quality of your logs in a spreadsheet with five columns: the log source (firewall, IPS, VPN, etc.), its category (user activity, email, proxy, etc.), its priority (high, medium, low), the information types it carries (IP, hostname, username, etc.) and the matching use case (authentication, suspicious outbound activity, web application attack, etc.) [4]. The last step is to select the SIM that will meet your goals.
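The retention-versus-EPS sizing from the first paragraph and the five-column source-to-use-case spreadsheet from the paragraph above can be worked through in one small script. The following is an added example, not code from the diary or from any SIM vendor: the inventory rows, EPS figures, event sizes and the fifth use case are constructed values for illustration, and the column names are assumptions chosen to match the spreadsheet described above. It computes raw storage for a given retention period, then shows which use cases lose coverage when lower-priority sources are dropped to cut cost.

```python
"""Worksheet for mapping SIEM use cases to log sources and sizing retention.

Added example. The inventory values below are constructed for illustration;
they are not from the diary or from any real environment.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
PRIORITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class LogSource:
    """One row of the five-column spreadsheet, plus two sizing inputs."""
    name: str             # log source: firewall, IPS, VPN, ...
    category: str         # user activity, email, proxy, ...
    priority: str         # high, medium, low
    info_types: tuple     # fields present: IP, hostname, username, ...
    use_cases: tuple      # use cases this source can feed
    eps: int              # average events per second (assumed measurement)
    avg_event_bytes: int  # average raw event size (assumed measurement)


# Constructed sample inventory; EPS and event sizes are assumptions.
INVENTORY = (
    LogSource("firewall", "network", "high",
              ("src_ip", "dst_ip", "dst_port"),
              ("suspicious outbound activity",), 1500, 300),
    LogSource("vpn", "user activity", "high",
              ("username", "src_ip"),
              ("authentication",), 40, 250),
    LogSource("domain controller", "user activity", "high",
              ("username", "hostname", "src_ip"),
              ("authentication",), 600, 900),
    LogSource("web proxy", "proxy", "medium",
              ("username", "src_ip", "url"),
              ("suspicious outbound activity", "web application attack"), 800, 500),
    LogSource("mail gateway", "email", "low",
              ("sender", "recipient", "subject"),
              ("phishing",), 100, 700),
)

# The team's top five use cases; the last one deliberately has no source yet.
USE_CASES = ("authentication", "suspicious outbound activity",
             "web application attack", "phishing", "privilege escalation")


def select(inventory, min_priority="low"):
    """Sources whose priority is at least min_priority."""
    floor = PRIORITY_RANK[min_priority]
    return [s for s in inventory if PRIORITY_RANK[s.priority] >= floor]


def total_eps(inventory, min_priority="low"):
    """Aggregate EPS the collectors and the SIM licence must absorb."""
    return sum(s.eps for s in select(inventory, min_priority))


def storage_bytes(inventory, retention_days, min_priority="low"):
    """Raw (uncompressed) bytes needed to keep the selected sources for retention_days."""
    per_second = sum(s.eps * s.avg_event_bytes for s in select(inventory, min_priority))
    return per_second * SECONDS_PER_DAY * retention_days


def storage_gib(inventory, retention_days, min_priority="low", compression_ratio=1.0):
    """Same figure in GiB, optionally divided by a vendor's claimed compression ratio."""
    return storage_bytes(inventory, retention_days, min_priority) / compression_ratio / 2**30


def coverage(inventory, use_cases, min_priority="low"):
    """Use case -> names of selected sources that feed it. An empty list is a gap."""
    chosen = select(inventory, min_priority)
    return {uc: [s.name for s in chosen if uc in s.use_cases] for uc in use_cases}


def uncovered(inventory, use_cases, min_priority="low"):
    """Use cases that no selected source can alert on."""
    return [uc for uc, srcs in coverage(inventory, use_cases, min_priority).items() if not srcs]


def fields_for(inventory, use_case, min_priority="low"):
    """Information types a detection rule for this use case can actually key on."""
    fields = set()
    for s in select(inventory, min_priority):
        if use_case in s.use_cases:
            fields.update(s.info_types)
    return sorted(fields)


if __name__ == "__main__":
    for floor in ("low", "medium", "high"):
        print(f"priority >= {floor}: {total_eps(INVENTORY, floor)} EPS, "
              f"{storage_gib(INVENTORY, 365, floor):,.0f} GiB/year raw, "
              f"gaps: {uncovered(INVENTORY, USE_CASES, floor) or 'none'}")
    print("fields for authentication:", fields_for(INVENTORY, "authentication"))
```

Run it and the trade-off the diary describes shows up immediately: keeping only high-priority sources cuts the yearly raw volume by roughly a third, but three of the five use cases then have no log to fire on, and one use case has a gap even at full collection. Replace the constructed EPS and event sizes with figures sampled from your own collectors before using the numbers for a purchase.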

[1] http://www.buzzcircuit.com/tag/siem-storage-calculator/
[2] http://blogs.gartner.com/anton-chuvakin/2014/05/14/popular-siem-starter-use-cases/
[3] http://blogs.gartner.com/anton-chuvakin/2013/09/24/detailed-siem-use-case-example/
[4] http://journeyintoir.blogspot.ca/2014/09/siem-use-case-implementation-mind-map.html
[5] https://isc.sans.edu/forums/diary/SIEM+is+not+a+product+its+a+process/20399

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
