The goal is to get to this ‘end’ state where we’re importing information/events from all the categories on the left. The goal is to take this data and wrap intelligence around it so that we’re not drowning in a sea of useless alerts.
How To Avoid Drowning? Export & Import Limiting
a) Export Limiting: manually analyze the flows that you need and program them at the device level, so that the device is only exporting the information that you want.
b) Import Limiting: churn through all the data and select only the relevant data to display to the analyst.
Relevance and Practicality: Use Your Brains
Who isn’t drowning in data? Everyone is. And no, the answer isn’t a magical wand called ‘big data’ (though that could be a part of the solution).
Can you export every single log? Unless you’re Google, most likely not. Make a decision about which logs to look at. Look at the logs that span the entire stack (router, server, application layer: web log, event log, application-specific log, etc.) so that you get the whole story.
Even if you could export every single log, you would still need to work out what’s relevant in that pile of noise. You cannot escape intelligent analysis and a systems view.
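As an added example (not code from the original notes), the following Python sketch shows what "import limiting" across the stack looks like in practice: it ingests constructed router, server and web-server log lines, normalises each to an event keyed by source address, and surfaces only those sources whose activity is seen in more than one layer within a short window and includes at least one event that is interesting on its own (a firewall deny, a failed login, an HTTP 4xx/5xx). The log formats, hostnames, addresses and the `interesting` heuristics are all assumptions chosen for the illustration; the point is that benign noise such as an allowed flow followed by a 200 never reaches the analyst, while a sequence that tells a cross-layer story does.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from three layers of the stack (not real data).
ROUTER_LOGS = [
    "2024-03-01T10:00:01Z fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:05Z fw1 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-03-01T10:00:09Z fw1 ALLOW src=198.51.100.2 dst=10.0.0.5 dport=443",
]
SERVER_LOGS = [
    "2024-03-01T10:00:06Z web01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:30Z web01 cron: job finished",
]
WEB_LOGS = [
    '203.0.113.7 - - [01/Mar/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 401 12',
    '198.51.100.2 - - [01/Mar/2024:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 512',
]


@dataclass
class Event:
    ts: datetime
    layer: str        # which part of the stack produced it: router / server / web
    src: str          # the source address we correlate on
    summary: str
    interesting: bool  # True when the event on its own hints at something worth a look


# Assumed (hypothetical) log formats for the three layers.
ROUTER_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
SERVER_RE = re.compile(r"^(\S+) \S+ (\w+): (.*?) from (\d+(?:\.\d+){3})$")
WEB_RE = re.compile(r'^(\d+(?:\.\d+){3}) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_router(line):
    m = ROUTER_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return Event(parse_iso(ts), "router", src, f"{action} -> {dst}:{port}", action == "DENY")


def parse_server(line):
    m = SERVER_RE.match(line)
    if not m:
        return None  # no source address to correlate on; local noise stays local
    ts, proc, msg, src = m.groups()
    return Event(parse_iso(ts), "server", src, f"{proc}: {msg}", "Failed" in msg)


def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    src, ts, req, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return Event(when, "web", src, f"{req} -> {status}", int(status) >= 400)


def ingest(router, server, web):
    """Normalise every parseable line from each layer into a time-ordered event list."""
    events = []
    for parser, lines in ((parse_router, router), (parse_server, server), (parse_web, web)):
        for line in lines:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def select_stories(events, min_layers=2, window=timedelta(minutes=5)):
    """Import limiting: keep only sources whose activity spans several layers
    around an interesting event. Returns {src: [related events]}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    stories = {}
    for src, evs in by_src.items():
        anchors = [e for e in evs if e.interesting]
        if not anchors:
            continue  # nothing about this source is worth an analyst's time
        start = anchors[0].ts
        related = [e for e in evs if abs(e.ts - start) <= window]
        if len({e.layer for e in related}) >= min_layers:
            stories[src] = related
    return stories


if __name__ == "__main__":
    for src, evs in select_stories(ingest(ROUTER_LOGS, SERVER_LOGS, WEB_LOGS)).items():
        print(f"story for {src}:")
        for e in evs:
            print(f"  {e.ts.isoformat()} [{e.layer}] {e.summary}")
```

The thresholds (`min_layers`, `window`) and the per-layer "interesting" tests are where the "use your brains" part lives: they encode what an analyst considers relevant for this environment, and tuning them is the intelligent analysis the notes say you cannot escape.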