Tuesday, May 3, 2011

SIEM/LM Analyst Training part 2

A conversation in a meeting the other morning led to a thought…well, more of an analogy really. It struck me that in some respects a SIEM/LM analyst or content creator is similar to an auditor. What I mean is you have groups of people devoted to keeping the lights blinking, be that AV, endpoint management, FW, etc. And then you have groups of people outside of those care-and-feeding group(s) who try to distill value out of either those systems' configuration or their logs to some end, leveraging some other toolset, be that one or more specific compliance requirements or SIEM/LM tools. Auditors and SIEM/LM analysts (or at least the tools they use) are sort of a force multiplier, in a very loose algebraic sense:

(Various Systems) x Audit = Compliant

(Various Systems) x SIEM/LM Content Engine = Events of Interest

Now I'm sure we all have some story about some auditor who was clueless technically. It's like a rite of passage or something. These folks have a background in a particular governance framework, including (hopefully) a grasp on what it is you are really trying to accomplish at a meta level. The challenge is that each system is different, and how you technically implement the controls often isn't defined. From "our" perspective, we are trying to take conceptual use cases and technically implement them with logs, or fuse a collection of disparate logs to identify whatever it is we want to identify.

So now you throw on the question of "what training do you want?" That is where I was trying to go in my last post. Certainly, if you are new to your solution or need additional training on it, that is the best place to start. After that, my thought is training on WHAT to look for, if you can find training that contains some condensed information.

1 comment:

  1. Ok. I thought you were referring to something on my site that I clearly don't have

    Analyst Training