One More Time on SIEM Telemetry / Log Sources …


(cross posted from Dark Reading, and inspired by a previous version of this blog)

Cyberpunk IT telemetry via Dall-E

For years, organizations deploying Security Information and Event Management (SIEM) or similar tools have struggled with deciding what data to collect inside their security operation platforms. So the dreaded question lives on: “what data sources do I integrate into my SIEM first?”

How to approach answering this?

First, using “output-driven SIEM” — the best answer to this question — covers it: SIEM collection depends on your security monitoring needs and use cases and how you prioritize them using your risks. Any popular list of top log sources aggregated from many organizations will end up being useless for organizations with different security needs and challenges!

While an output-driven SIEM approach has been known for 10+ years, many organizations are still looking for best practices in collection before they decide how they plan to use the data. In fact, large organizations often make the decision to integrate a log source into their SIEM or SecOps platform based on factors other than pure security necessity.

Overall, such factors often include:

  • Necessity for detection
  • Necessity for alert triage and incident response
  • Necessity as context data for utilizing another log source
  • Compliance requirements to collect and retain specific log types
  • Compliance requirements to monitor this data source and/or system
  • Ease of integration of the log source
  • Collector and parser availability from the vendor
  • Ability to actually transfer the log data to a SIEM
  • Other planned log sources that compete for attention
  • Data volume of the log source
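The factors above can be turned into an actual onboarding order. The following is an added example, not code from the original post or from any SIEM vendor: it scores each candidate log source by how much risk-weighted use-case coverage it unlocks per unit of onboarding cost (integration effort, missing context dependencies and data volume), collects compliance-mandated sources first regardless of detection value, and pulls in context-only sources (an asset inventory, say) only when a source that needs them is selected. The sources, use cases, risk ratings, volumes and cost weights are all constructed for illustration.

```python
"""Output-driven SIEM log source prioritisation (added example, constructed data).

Each use case carries a risk rating and the set of log sources its detection or
triage needs. Sources are ranked greedily by risk-weighted coverage gain per
unit of onboarding cost. Compliance-required sources go first; context sources
with no use cases of their own are onboarded only as dependencies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UseCase:
    name: str
    risk: int                 # 1 (low) .. 5 (high), from the org's risk register
    sources: frozenset        # log sources the detection or triage needs


@dataclass(frozen=True)
class LogSource:
    name: str
    volume_gb_day: float      # drives storage and licensing cost
    integration_cost: int     # 1 (vendor parser exists) .. 5 (custom collector)
    compliance_required: bool = False
    depends_on: frozenset = frozenset()   # context sources needed to use this one


def source_score(name, by_name, use_cases, onboarded):
    """Risk-weighted coverage gain divided by onboarding cost.

    A use case contributes its full risk when this source is the last one it
    still needs, and a proportional share when other sources are still missing.
    Cost grows with integration effort, missing context dependencies and volume;
    the weights are illustrative assumptions, not a published formula.
    """
    src = by_name[name]
    gain = 0.0
    for uc in use_cases:
        if name in uc.sources:
            missing = uc.sources - onboarded
            gain += uc.risk / len(missing)
    missing_deps = len(src.depends_on - onboarded)
    cost = src.integration_cost + missing_deps + src.volume_gb_day / 100
    return gain / cost


def covered_risk(use_cases, onboarded_names):
    """Total risk of use cases whose required sources are all onboarded."""
    have = set(onboarded_names)
    return sum(uc.risk for uc in use_cases if uc.sources <= have)


def prioritise(sources, use_cases):
    """Return an ordered onboarding plan as (source name, reason) tuples."""
    by_name = {s.name: s for s in sources}
    onboarded = set()
    plan = []

    def onboard(name, reason):
        onboarded.add(name)
        plan.append((name, reason))

    # 1. Compliance-mandated sources are collected regardless of detection value.
    for src in sorted(sources, key=lambda s: s.name):
        if src.compliance_required:
            onboard(src.name, "compliance")

    # 2. Greedily add the source with the best coverage per cost (ties broken by name).
    remaining = set(by_name) - onboarded
    while remaining:
        best = max(sorted(remaining),
                   key=lambda n: source_score(n, by_name, use_cases, onboarded))
        score = source_score(best, by_name, use_cases, onboarded)
        # Context sources the winner depends on go in just before it.
        for dep in sorted(by_name[best].depends_on - onboarded):
            onboard(dep, f"context for {best}")
            remaining.discard(dep)
        onboard(best, f"coverage/cost {score:.2f}")
        remaining.discard(best)
    return plan


# Constructed sample inventory: volumes, costs and risk ratings are made up.
SOURCES = [
    LogSource("firewall", 300, 2, compliance_required=True),
    LogSource("edr", 50, 2, depends_on=frozenset({"asset_inventory"})),
    LogSource("asset_inventory", 0.1, 2),          # context only, no use case of its own
    LogSource("idp", 20, 2),
    LogSource("vpn", 5, 1),
    LogSource("dns", 200, 3),
    LogSource("waf", 80, 3),
]
USE_CASES = [
    UseCase("ransomware precursors on endpoints", 5, frozenset({"edr"})),
    UseCase("lateral movement", 5, frozenset({"edr", "firewall"})),
    UseCase("credential stuffing against SSO", 4, frozenset({"idp"})),
    UseCase("VPN login from implausible location", 4, frozenset({"vpn", "idp"})),
    UseCase("DNS tunnelling", 3, frozenset({"dns"})),
    UseCase("web application attacks", 3, frozenset({"waf"})),
]

if __name__ == "__main__":
    done = []
    for name, reason in prioritise(SOURCES, USE_CASES):
        done.append(name)
        print(f"{name:16} {reason:22} risk covered so far: {covered_risk(USE_CASES, done)}")
```

With this data the plan comes out as firewall (compliance), asset_inventory (context for edr), edr, idp, vpn, waf, dns: the high-volume DNS feed lands last because it serves one moderate-risk use case at a high volume cost, while the tiny VPN feed jumps ahead once the identity provider logs it needs are in place. Swapping in your own use cases and risk ratings is the point; the ranking is only as good as the output side of the equation.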

[…]

This article has been indexed from Security Boulevard
