Crazy thought, I know, but it isn't hard to get caught up in that mentality. I was trying to think of a way to tell the story of the resources and logs needed to identify sources of badness in incident response of one flavor or another. Visually I was drawing that out somewhat like IP ~ Computer Name ~ User Name at the top level, and branching under that you have the various logs like DNS, DHCP, asset management, authentication, etc., all of which play a part in answering questions about which computers are infected and which users are doing 'bad things.' Anyway, it wasn't until I put that down on the whiteboard that the thought hit me: an IP address is a supporting factor in identifying a particular computer, not equal to it. Funny what tool limitations will do to your thinking.
If none of that makes sense to anyone other than me I blame the Nyquil.
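The whiteboard tree above (IP ~ Computer Name ~ User Name, fed by DHCP, authentication and asset-management logs) can be turned into a small, time-aware lookup. The following is an added example written for this post, not code from the original; every log line, hostname, user and inventory entry in it is constructed, and the log formats are invented for the demo rather than taken from any real DHCP server or OS. Its point is exactly the one in the post: the same IP address resolves to a different computer, and therefore a different user and owner, depending on when the alert fired, and to nothing at all when no lease covers that moment.

```python
"""Time-bounded IP -> host -> user -> owner attribution from constructed
DHCP, authentication and asset-inventory records (example code, not the
post author's tooling; all formats and values below are made up)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Union

# Constructed DHCP lease log: timestamp, message type, ip, mac, hostname, lease length.
DHCP_LOG = [
    "2011-03-01T08:00:00 DHCPACK 10.1.5.20 aa:bb:cc:00:00:01 LAB-WS01 lease=3600",
    "2011-03-01T09:30:00 DHCPACK 10.1.5.20 aa:bb:cc:00:00:02 LAB-WS07 lease=3600",
    "2011-03-01T08:10:00 DHCPACK 10.1.5.21 aa:bb:cc:00:00:03 LAB-WS02 lease=3600",
]

# Constructed host authentication log: timestamp, hostname, event, user, result.
AUTH_LOG = [
    "2011-03-01T08:05:12 LAB-WS01 logon user=jsmith result=success",
    "2011-03-01T08:06:01 LAB-WS01 logon user=admin result=failure",
    "2011-03-01T09:35:40 LAB-WS07 logon user=mjones result=success",
]

# Constructed asset inventory: hostname -> business owner.
ASSETS = {"LAB-WS01": "Finance", "LAB-WS07": "Engineering", "LAB-WS02": "Finance"}


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    host: str


@dataclass
class Logon:
    when: datetime
    host: str
    user: str
    success: bool


def parse_dhcp(line: str) -> Lease:
    """Turn one constructed DHCPACK line into a lease with an explicit end time."""
    ts, _kind, ip, mac, host, lease = line.split()
    start = datetime.fromisoformat(ts)
    seconds = int(lease.split("=", 1)[1])
    return Lease(start, start + timedelta(seconds=seconds), ip, mac, host)


def parse_auth(line: str) -> Logon:
    """Turn one constructed logon line into a Logon record."""
    ts, host, _event, user, result = line.split()
    return Logon(datetime.fromisoformat(ts), host,
                 user.split("=", 1)[1], result.split("=", 1)[1] == "success")


LEASES = [parse_dhcp(line) for line in DHCP_LOG]
LOGONS = [parse_auth(line) for line in AUTH_LOG]


def host_for_ip(ip: str, at: datetime) -> Optional[str]:
    """Host holding `ip` at time `at`, or None when no lease covers that moment.
    If leases overlap, the most recently started one wins."""
    covering = [l for l in LEASES if l.ip == ip and l.start <= at < l.end]
    if not covering:
        return None
    return max(covering, key=lambda l: l.start).host


def user_for_host(host: str, at: datetime,
                  window: timedelta = timedelta(hours=8)) -> Optional[str]:
    """User with the most recent successful logon on `host` within `window`
    before `at`; failed logons are deliberately ignored."""
    hits = [x for x in LOGONS
            if x.host == host and x.success and at - window <= x.when <= at]
    if not hits:
        return None
    return max(hits, key=lambda x: x.when).user


def attribute(ip: str, at: Union[str, datetime]) -> dict:
    """Walk the tree from the post: IP -> host (DHCP) -> user (auth) -> owner (assets)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    host = host_for_ip(ip, at)
    user = user_for_host(host, at) if host else None
    owner = ASSETS.get(host) if host else None
    return {"ip": ip, "at": at.isoformat(), "host": host, "user": user, "owner": owner}


if __name__ == "__main__":
    # One IP, three different answers depending on when the alert fired.
    for t in ("2011-03-01T08:30:00", "2011-03-01T09:45:00", "2011-03-01T12:00:00"):
        print(attribute("10.1.5.20", t))
```

The DHCP lease end is what makes the lookup honest: an alert at 12:00 for 10.1.5.20 returns no host rather than the last machine seen on that address, which is the failure mode a tool that keys everything on IP quietly hides. In practice the inventory and authentication sources would be queried rather than embedded, and DNS query logs would hang off the same host key in the same way.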
Hi there. Saw your review of the "Security Information and Event Management (SIEM) Implementation" book and googled your blog. I'm trying to find a good book on correlation and/or SIEMs for the purpose of incident response. Would appreciate any recommendations you may have; maybe you have identified another book or resource that you find helpful. Thanks a lot for your time.
I'm afraid I haven't found one on correlation or the use of SIEM for IR. I'm not sure there is one outside of a contract shop that might be able to help you through identifying what your use cases are and mapping those to LM and/or SIEM solutions.