The easy stuff is for wussies – how about I dedicate my time to creating a structured approach for deciding which monitoring technology to use under various circumstances? For example, a SIEM can be used to monitor a database for security issues using native database logs, or you can use a DAP tool. Similarly, firewall logs fed into a SIEM can sometimes work for monitoring anomalous network connections; in other circumstances a NIPS or even an NBA tool may be a better choice.
So here’s what I’m thinking about: can we build a decision tool that works like this:
Decide WHY = think attacks, privileged user activities, resource access [regulations define some of the WHYs for you, but won’t be explicitly mentioned here]
Pick WHAT = think databases, files, entire systems, connections, data in various forms, etc.
Get the best 1-2 technology choices for each set of circumstances.
Realistic? Worth doing? What do you think?
P.S. This decision tool will intentionally avoid answering the “Why?” question for you (this is done elsewhere when risk related activities are undertaken) and also will focus on technology choices (leaving operational processes to be established separately).
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.