Thursday, July 1, 2010

Tactically implementing Strategic goals

Yesterday my kids went to the pool. With that as the background here is a snippet of conversation between my 8 year old son and me.

Son: These Doritos chips taste hotter than normal.
Me: Are your lips chapped?
Son: ...no...my tongue is on fire!

What does that have to do with SIEM stuff? Not a thing, but I find the story funny as crap. That is right up there with when I asked him years ago how much he had just thrown up; he said "10." He and I did have a conversation the other day, though, that was slightly more relevant and has led me to the following analogy.

Which of the following numbers is bigger?   2 or 5

An under-defined mission or strategic goal at the conceptual level is bad enough in its own right. Many times, though, it doesn’t really come out how under-defined it is until you try to tactically implement it. Random example: a compliance or best-practices requirement to “monitor failed logins.” This is further complicated when the hoped-for/requested outcome is either a binary yes/no (e.g., is this a threat?) or some sort of traffic-light indicator, which too often has its own undefined thresholds.
Relevant to SIEM content creation, this isn’t to say something can’t be accomplished. In many cases you make a call on a process step, monitor, and adjust fire – rinse and repeat as needed. What I do think is interesting with ArcSight vs. perhaps a more point-specific and focused solution is that I see it more as a blank canvas. I guess in my mind’s eye the out-of-the-box content in a more focused solution is likely to be more honed. Well, if not “honed,” the thresholds were set by someone else, assumed to be correct or good, and you just click the button to generate a report. Am I wrong here?
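To make the “monitor failed logins” point concrete, here is an added example (mine, not from this post, ArcSight, or any vendor content) that runs one failed-login rule over constructed sshd log lines. Every decision the strategic goal leaves open (count by user or by source, how many failures, within what window) is a parameter, and changing those parameters changes who gets flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the post): sshd-style failures on one host.
SAMPLE_LOG = """\
Jul  1 08:00:01 host1 sshd[100]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Jul  1 08:00:07 host1 sshd[101]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Jul  1 08:00:12 host1 sshd[102]: Failed password for bob from 203.0.113.5 port 4003 ssh2
Jul  1 08:00:20 host1 sshd[103]: Failed password for carol from 203.0.113.5 port 4004 ssh2
Jul  1 08:00:31 host1 sshd[104]: Failed password for invalid user admin from 203.0.113.5 port 4005 ssh2
Jul  1 09:15:00 host1 sshd[105]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Jul  1 09:20:00 host1 sshd[106]: Failed password for alice from 198.51.100.9 port 5002 ssh2
Jul  1 09:25:00 host1 sshd[107]: Failed password for alice from 198.51.100.9 port 5003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse_failures(text, year=2010):
    """Yield (timestamp, user, source) for every failed-login line (syslog has no year)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def failed_login_alerts(text, key, threshold, window_seconds):
    """Alert on any `key` value ('user' or 'src') that accumulates `threshold`
    failures inside a sliding window of `window_seconds`. Returns sorted keys."""
    idx = {"user": 1, "src": 2}[key]
    buckets = defaultdict(list)
    for event in parse_failures(text):
        buckets[event[idx]].append(event[0])
    alerts = set()
    for k, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the oldest event fits the window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(k)
                break
    return sorted(alerts)
```

The same log produces a single noisy source, a single targeted user, both, or nothing at all depending only on which definition of “failed logins” you pick; the rule cannot tell you which one the mandate meant.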

Who knows. Maybe I am just too worried on whether or not something critical will be missed since I am the one who has to define what goes into an output ;)
