Prioritization of Log source Integration

There are so many devices which are available in a customer environment. Depending on the size of the customer the number of device count in the data center and branch location is on a higher side. Inorder to integrate so many devices definitely the log volumes will be higher which will increase the cost to analyze and store the logs for 1 year minimum. Are we really getting any value by integrating all the sources. Is there any device prioritization which can be considered depending upon the Risk associated with the log sources and accordingly the decision can be taken on prioritization the device log sources which needs to be integrated in DNIF.
When we need to integrate multiple locations devices log sources (Hybrid Model) connecting multiple datacenters and their branch locations for a customer, what is the infrastructure connectivity model recommended by Dnif in a shared model setup

Hey Bhaskar,

There are 3 concerns which I am to understand to summarise:

  1. Priority of onboarding log sources.
  2. Managing and monitoring log sources from different locations/sites.
  3. Managing and monitoring log sources from different customers.

For each of these, below are some suggestions:

  1. Priority of onboarding log sources.

It is ideal to start with log forwarding from the basic end points like Windows and Nix devices, and take it forward from there to onboarding logs related network, security, application, etc. I would suggest you have a look at the list of extractors available and roadmap to check and onboard these sources first.

As a control in terms of log volume from these devices, I would suggest you control or filter them either at device level or use PICO

  1. Managing and monitoring log sources from different locations/sites.

You can have PICOs deployed at each locations to collect and forward logs to Adapter at your central site.

  1. Managing and monitoring log sources from different customers.

I think the best fit here is a MSS setup, as this will empower you to do centralised collection and monitoring.

Iā€™d play it a little differently, the MTIRE ATT&CK is a good benchmark to follow when figuring coverage to threats out there, also the corresponding log sources to be integrated.

Here is are two approaches I would suggest
1 - review the tactics and techniques in the MITRE ATT&CK framework and figure the most probable threats or techniques that will likely be used in your environment and then figure the log sources required to detect the use of those techniques.

2 - DNIF provides an interface where you have all the detection workbooks laid on top of the tactics / techniques on the ATT&CK framework, here if you switch on the streams view you will find the correlation between log sources and techniques used. Prioritise your log sources based on the number of techniques it can cover, said differently pick ones that will cover the largest number of techniques.


1 Like