Strategy 7: Exercise Discrimination in the Data You Gather
9.1 Sensor Placement
- Passive network sensors, including general-purpose NIDS
- Active network sensors: NIPS and content detonation devices
- Application-specific protection appliances (XML, database, etc.).
9.2 Selecting and Instrumenting Data Sources
Drivers for collection of IT security log data:
- Computer network defense
- Insider threat monitoring and audit collection
- Performance monitoring
- Maintenance troubleshooting and root-cause analysis
- Configuration management.
User attribution is hard. Attaining probable or confirmed connections to people’s actions is a big part of running incidents to ground.
Don’t log just the “denies”; the “allows” are often just as important.