The goal is to get to this ‘end’ state where we’re importing information/events from all the categories on the left. The goal is to take this data and wrap intelligence around it so that we’re not drowning in a sea of useless alerts.

[Figure: siem_graphic]

How To Avoid Drowning? Export & Import Limiting

a) Export Limiting: manually analyze the flows that you need and program them at the device level so that the device is only exporting information that you want.

b) Import Limiting: churn through all the data and select only the relevant data to display to the analyst.

Relevance and Practicality: Use Your Brains

Who isn’t drowning in data? Everyone is. And no, the answer isn’t a magical wand called ‘big data’ (though that could be a part of the solution).

Can you export every single log? Unless you’re Google, most likely not. Make a decision about what logs to look at. Look at the logs that span the entire stack (router, server, app layer: web log, event log, specific log, etc.) and you get the story.

Even if you could export every single log – you still need to work out what’s relevant in that pile of noise. You cannot escape intelligent analysis/systems view.
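As an added illustration of the import-limiting idea above (this is example code written for this page, not anything from the original post), the script below takes a few constructed router, web-server and application log lines, keeps only the events a hypothetical relevance rule set flags (firewall denies, HTTP 4xx/5xx, application auth failures), and then correlates the survivors by source address across layers so the analyst sees one cross-stack "story" instead of every raw line. The log formats, IP addresses, time window and rules are all assumptions chosen for the demo.

```python
"""Import limiting: reduce multi-layer logs to a handful of cross-stack alerts."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs for the demo (not real data). Each layer mixes noise
# (ALLOW, 200, page_view) with the events a defender cares about.
ROUTER_LOG = """\
2024-01-10T08:00:01 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-01-10T08:00:05 fw ALLOW src=198.51.100.4 dst=10.0.0.5 dport=443
2024-01-10T08:00:09 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-01-10T08:00:12 fw ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443
"""
WEB_LOG = """\
203.0.113.7 - - [10/Jan/2024:08:00:13 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Jan/2024:08:00:14 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jan/2024:08:00:15 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jan/2024:08:00:16 +0000] "POST /login HTTP/1.1" 401 512
"""
APP_LOG = """\
2024-01-10T08:00:13 app auth_failure user=admin src=203.0.113.7
2024-01-10T08:00:14 app page_view user=alice src=198.51.100.4
2024-01-10T08:00:17 app auth_failure user=admin src=203.0.113.7
"""

ROUTER_RE = re.compile(r"^(\S+) fw (ALLOW|DENY) src=(\S+) dst=\S+ dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) \d+$')
APP_RE = re.compile(r"^(\S+) app (\S+) user=(\S+) src=(\S+)$")


def parse_all():
    """Normalise every line into {ts, layer, src, msg, interesting}.

    'interesting' is the hypothetical relevance rule for that layer. In a real
    deployment the ALLOW/200/page_view lines would ideally never be exported at
    all (export limiting); here we drop them on import instead.
    """
    events = []
    for line in ROUTER_LOG.splitlines():
        ts, action, src, dport = ROUTER_RE.match(line).groups()
        events.append({"ts": datetime.fromisoformat(ts), "layer": "router", "src": src,
                       "msg": f"{action} dport={dport}", "interesting": action == "DENY"})
    for line in WEB_LOG.splitlines():
        src, ts, method, path, status = WEB_RE.match(line).groups()
        # Drop the timezone offset so all timestamps are naive and comparable.
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        events.append({"ts": when, "layer": "web", "src": src,
                       "msg": f"{method} {path} -> {status}", "interesting": int(status) >= 400})
    for line in APP_LOG.splitlines():
        ts, kind, user, src = APP_RE.match(line).groups()
        events.append({"ts": datetime.fromisoformat(ts), "layer": "app", "src": src,
                       "msg": f"{kind} user={user}", "interesting": kind == "auth_failure"})
    return events


def correlate(events, window=timedelta(seconds=60), min_layers=2):
    """Group interesting events by source and report sources seen on >= min_layers
    layers within `window` of their first interesting event (the cross-stack story)."""
    by_src = defaultdict(list)
    for e in events:
        if e["interesting"]:
            by_src[e["src"]].append(e)
    stories = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - start <= window]
        layers = {e["layer"] for e in in_window}
        if len(layers) >= min_layers:
            stories.append({"src": src, "layers": sorted(layers),
                            "events": [f"{e['ts'].time()} {e['layer']}: {e['msg']}" for e in in_window]})
    return stories


def summarize():
    """Return raw vs. relevant event counts plus the correlated stories."""
    events = parse_all()
    return {"total_events": len(events),
            "interesting_events": sum(e["interesting"] for e in events),
            "stories": correlate(events)}


if __name__ == "__main__":
    report = summarize()
    print(f"{report['total_events']} raw events -> {report['interesting_events']} relevant "
          f"-> {len(report['stories'])} story")
    for story in report["stories"]:
        print(story["src"], story["layers"])
        for line in story["events"]:
            print("  ", line)
```

On the constructed input this turns eleven raw lines into seven relevant events and a single story: one source blocked at the router on 22 and 3389, then failing logins at both the web and application layers within the same minute. The relevance rules and the 60-second window are the knobs an analyst tunes; the point is that the filtering and the cross-layer join happen before anything reaches the screen.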
