Active Directory, Cloud Security, Firewall, Blue Team

What Security Data Do I Really Need to Collect and Analyze?

October 27, 2020
  • You do not need all of the data. What data to collect should be based on three key criteria:
    • Maturity of your security program. If you’re still early in your program maturity, you definitely don’t need all of the data.  Start with the basics.
    • Cost of collecting the data. Not all data costs the same to collect and store.  Active Directory logs are quite easy, while network packets can be quite costly.
    • The value you can extract from the data. Adding additional threat intelligence sources doesn’t necessarily improve the value of that data set.
  • Paul’s enchanted quadrants is a good starting point. Focus on the basics, usually in this order:
    • Logs (Network, DNS, Applications, etc.)
    • Endpoint (Logs, Processes, Files, etc.)
    • Network (Flow, Packets, etc.)
    • Threat Intelligence
  • Ask the following questions to know if you should collect the data or not:
    • How much is it to collect and store?
    • What can you do with the data once you collect it?
    • Can you collect enough of the data to make it valuable?
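The three criteria and three questions above can be turned into a repeatable prioritization exercise. The script below is an added example written for this page; it is not code from the original post or from Paul's quadrants. Every data source, volume, retention period, coverage figure and the flat storage rate (STORAGE_USD_PER_GB_MONTH) is a constructed assumption for illustration, as is the coverage threshold that answers "can you collect enough of the data to make it valuable?". Maturity gates which quadrant tiers are in scope, storage cost stands in for "how much is it to collect and store?", and the greedy ranking picks whichever source adds the most new detection use cases per dollar, which is what makes a redundant threat-intel feed score zero.

```python
"""Rank candidate security data sources by maturity, cost and marginal value.

Added example: inventory, volumes, costs and coverage below are constructed
assumptions, not measurements from any real environment.
"""
from dataclasses import dataclass


@dataclass
class DataSource:
    name: str
    tier: str            # quadrant: "logs", "endpoint", "network", "threat_intel"
    gb_per_day: float    # assumed steady-state ingest volume
    retention_days: int  # assumed hot retention
    coverage: float      # fraction of relevant assets we can actually collect from (0..1)
    use_cases: set[str]  # detection use cases this source enables


# Assumption: storage is the dominant cost, priced per GB-month of hot retention.
STORAGE_USD_PER_GB_MONTH = 0.10
# Assumption: below this coverage the data is too spotty to be worth keeping.
MIN_COVERAGE = 0.6

# Quadrant order from the post: logs -> endpoint -> network -> threat intel.
TIER_RANK = {"logs": 0, "endpoint": 1, "network": 2, "threat_intel": 3}
# Which tiers a program at each (assumed) maturity level should take on.
MATURITY_MAX_TIER = {"initial": 0, "developing": 1, "established": 2, "advanced": 3}

# Constructed inventory of candidate sources.
INVENTORY = [
    DataSource("ad_security_logs", "logs", 5, 90, 0.95,
               {"credential_abuse", "lateral_movement", "privilege_escalation"}),
    DataSource("dns_logs", "logs", 20, 30, 0.90,
               {"c2_beaconing", "dga", "exfiltration"}),
    DataSource("edr_process_telemetry", "endpoint", 60, 30, 0.70,
               {"malware_execution", "lateral_movement", "persistence"}),
    DataSource("netflow", "network", 40, 30, 0.85,
               {"c2_beaconing", "exfiltration", "lateral_movement"}),
    DataSource("full_pcap", "network", 2000, 7, 0.50,
               {"exfiltration", "c2_beaconing", "exploit_payload"}),
    DataSource("paid_ti_feed", "threat_intel", 1, 365, 1.0,
               {"c2_beaconing"}),
]


def monthly_storage_cost(src: DataSource) -> float:
    """Steady-state stored volume is daily ingest times retention."""
    return src.gb_per_day * src.retention_days * STORAGE_USD_PER_GB_MONTH


def is_candidate(src: DataSource, maturity: str) -> bool:
    """In scope for this maturity level and collectable at useful coverage."""
    return (TIER_RANK[src.tier] <= MATURITY_MAX_TIER[maturity]
            and src.coverage >= MIN_COVERAGE)


def rank_sources(sources: list[DataSource], maturity: str):
    """Greedy plan: each round, take the source with the most *new* use cases
    per dollar. Returns (plan, skipped) where plan entries are
    (name, monthly_cost, new_use_cases) and skipped lists out-of-scope sources."""
    candidates = [s for s in sources if is_candidate(s, maturity)]
    skipped = [s.name for s in sources if not is_candidate(s, maturity)]
    covered: set[str] = set()
    plan = []
    while candidates:
        def score(s: DataSource) -> float:
            new = len(s.use_cases - covered) * s.coverage
            return new / monthly_storage_cost(s)

        best = max(candidates, key=score)
        new_cases = best.use_cases - covered
        if not new_cases:
            break  # everything left only duplicates what we already have
        plan.append((best.name, round(monthly_storage_cost(best), 2), sorted(new_cases)))
        covered |= best.use_cases
        candidates.remove(best)
    return plan, skipped


if __name__ == "__main__":
    for level in ("initial", "established", "advanced"):
        plan, skipped = rank_sources(INVENTORY, level)
        print(f"[{level}] collect: {[p[0] for p in plan]}  skip: {skipped}")
```

Run it and the "initial" program gets only the two log sources; at "established" and "advanced" the EDR telemetry is added for the execution and persistence use cases, NetFlow is never selected because DNS logs already cover its use cases at this point in the greedy order, full packet capture is dropped on coverage before its cost is even considered, and the threat-intel feed, although in scope at "advanced", contributes nothing new. Swap in your own inventory and cost figures; the point of the exercise is the ranking logic, not these numbers.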