When deciding which logs to collect and feed into Blumira for threat detection & response, the main factor is this: what are the critical components of your network, and what are the critical components of your business? The data sources covering those components MUST be given top priority. Some systems are critical to almost any enterprise, for instance:
Your next-gen firewall and IPS. Collecting and analyzing your firewall & IPS logs is a proactive way to detect attempted intrusions before they succeed and take corrective action. Where an attack has already succeeded, you need to know about it as quickly as possible.
Your endpoints and advanced endpoint security solutions. These logs provide the visibility needed to detect advanced attacks and insider threats through real-time endpoint monitoring.
Your domain controller. Its logs record authentication and account activity across the domain (logons, failed logons, group-membership and privilege changes), so suspicious user behavior can be detected and halted.
Your key application and database servers. If any unusual or malicious activity is occurring, it should also be detectable here. Your database should use the vendor-recommended security measures, and its logs should be monitored regularly.
Your web servers that are exposed to the internet. Web server vulnerabilities have been the downfall of many otherwise-secure enterprises; companies have been burned by depending solely on their firewalls for protection.
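As an added illustration of what two of these sources let you detect once collected (this is example code written for this page, not Blumira's detection logic or any vendor's product), the script below runs two simple detections over constructed sample lines: a burst of denied connections from one source across many ports in the firewall log (a likely port scan), and a burst of Windows Security event 4625 (failed logon) entries for one user from one host in the domain controller log, escalated when a 4624 (successful logon) follows. The key=value firewall format, the flattened event format, the IP addresses, user names, timestamps, and the thresholds are all assumptions for the example; only the event IDs 4624 and 4625 are real Windows values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs). The line formats are assumptions
# for this example: a generic key=value firewall syslog line and a flattened
# Windows Security event line. Event IDs 4625 (failed logon) and 4624
# (successful logon) are the real Windows IDs.
FIREWALL_LOGS = """\
2024-05-01T10:00:01 fw action=deny src=203.0.113.9 dst=192.0.2.10 dport=22
2024-05-01T10:00:02 fw action=deny src=203.0.113.9 dst=192.0.2.10 dport=23
2024-05-01T10:00:03 fw action=deny src=203.0.113.9 dst=192.0.2.10 dport=80
2024-05-01T10:00:04 fw action=deny src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-01T10:00:05 fw action=deny src=203.0.113.9 dst=192.0.2.10 dport=3389
2024-05-01T10:00:06 fw action=deny src=203.0.113.9 dst=192.0.2.10 dport=8080
2024-05-01T10:00:07 fw action=allow src=198.51.100.4 dst=192.0.2.20 dport=443
2024-05-01T10:05:00 fw action=deny src=198.51.100.4 dst=192.0.2.20 dport=22
""".splitlines()

DC_LOGS = """\
2024-05-01T10:10:00 dc EventID=4625 user=jdoe src=10.0.0.50
2024-05-01T10:10:05 dc EventID=4625 user=jdoe src=10.0.0.50
2024-05-01T10:10:10 dc EventID=4625 user=jdoe src=10.0.0.50
2024-05-01T10:10:15 dc EventID=4625 user=jdoe src=10.0.0.50
2024-05-01T10:10:20 dc EventID=4625 user=jdoe src=10.0.0.50
2024-05-01T10:10:30 dc EventID=4624 user=jdoe src=10.0.0.50
2024-05-01T10:11:00 dc EventID=4625 user=asmith src=10.0.0.51
2024-05-01T10:30:00 dc EventID=4624 user=asmith src=10.0.0.51
""".splitlines()

FW_RE = re.compile(r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")
DC_RE = re.compile(r"^(?P<ts>\S+) dc EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines, pattern):
    """Parse lines with pattern; lines that do not match are skipped, not fatal."""
    out = []
    for line in lines:
        m = pattern.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            out.append(ev)
    return out


def burst_keys(events, key, threshold, window, value=None):
    """Return {key: n} for keys whose events reach `threshold` inside some sliding
    time window of length `window`. With `value` set, n counts distinct values
    (e.g. distinct ports); otherwise n counts events."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[key(ev)].append(ev)
    hits = {}
    for k, evs in grouped.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            tail = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            n = len({value(e) for e in tail}) if value else len(tail)
            if n >= threshold:
                hits[k] = n
                break
    return hits


def detect_port_scan(fw_events, min_ports=5, window=timedelta(minutes=1)):
    """One source denied on >= min_ports distinct destination ports within window."""
    denied = [e for e in fw_events if e["action"] == "deny"]
    return burst_keys(denied, key=lambda e: e["src"], threshold=min_ports,
                      window=window, value=lambda e: e["dport"])


def detect_brute_force(dc_events, threshold=5, window=timedelta(minutes=5)):
    """(user, src) pairs with >= threshold failed logons in window; a successful
    logon for the same pair within window of the last failure is escalated."""
    failures = [e for e in dc_events if e["eid"] == "4625"]
    hits = burst_keys(failures, key=lambda e: (e["user"], e["src"]),
                      threshold=threshold, window=window)
    findings = {}
    for (user, src), count in hits.items():
        last_fail = max(e["ts"] for e in failures if (e["user"], e["src"]) == (user, src))
        success = any(e["eid"] == "4624" and (e["user"], e["src"]) == (user, src)
                      and last_fail <= e["ts"] <= last_fail + window for e in dc_events)
        findings[(user, src)] = {"failures": count,
                                 "severity": "critical" if success else "high"}
    return findings


def run():
    """Run both detections over the constructed samples and return the findings."""
    scans = detect_port_scan(parse(FIREWALL_LOGS, FW_RE))
    brute = detect_brute_force(parse(DC_LOGS, DC_RE))
    return scans, brute


if __name__ == "__main__":
    scans, brute = run()
    for src, n in scans.items():
        print(f"[firewall] possible port scan from {src}: {n} distinct denied ports")
    for (user, src), f in brute.items():
        print(f"[dc] {f['severity']}: {f['failures']} failed logons for {user} from {src}")
```

The point of the second detection is the one the text makes about the domain controller: the failed-logon burst alone is worth an alert, but the same log also shows whether the attempt ended in a successful logon, which is what turns "attempted" into "successful" and changes how fast you need to respond. Thresholds and windows here are illustrative and should be tuned to the environment.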
Companies must identify the key elements of their data infrastructure, the elements whose compromise would be business-critical. Most importantly, not every company will have the same answer. If you're running an e-commerce company, for example, logs from your web servers and your payment systems are critical. If you're a financial services company, any attempted intrusion into your customer records is a major threat, and data from any system connected to those records must be collected and analyzed in as close to real time as possible. Third-party payment processors must make sure their systems meet the latest PCI DSS requirements. Healthcare providers must make sure they comply with HIPAA privacy mandates.