Cisco: The Significance of Log Sources to Building Effective Intelligence-Driven Incident Response
Many organizations today fail in adequately acquiring the necessary visibility across their network to perform efficient and effective Incident Response tasks, one of which is Intelligence-Driven Incident Response; defined as driving intelligence mechanisms to dig deeper into detecting, containing, and eradicating the latest cyber threats. Occasionally, adversaries may leave evidence on compromised devices which may be helpful for identifying Techniques, Tactics, and Procedures (TTPs) of value for attribution of an attack to a particular group, association, or individual; which allows responders to identify additional affected systems and pursue further leads. Such critical components to threat intelligence include Indicators of Compromise (IOCs), but are not limited to: file names, file paths, hash values, IP Addresses, Uniform Resource Identifiers (URIs), and common tools used by known individuals or groups.
Organizations often struggle in achieving this next-level of proactiveness without the precise logs required to investigate thoroughly. Many organizations simply can’t ingest every single log type from each technology used within the organization, furthermore are typically limited to the number of Events Per Second (EPS) into a central log aggregator or Security Information and Event Management (SIEM) product, whether it’s a bandwidth constraint, limitation of the product or even a license issue. While some enterprises may be fortunate enough not to have such technological limitations, others may simply not have the man power or expertise necessary to provide efficient and effective monitoring and detection. Whether this is a resource deficiency or absence of skill, some organizations tend to ingest as many logs as they can, and then leverage use of these logs when an incident arises in an attempt to conduct a thorough investigation and response.
Read the entire article here, The Significance of Log Sources to Building Effective Intelligence-Driven Incident Response
via the fine folks at Cisco Systems.