The easy stuff is for wussies – how about I dedicate my time to creating a structured approach for deciding which monitoring technology to use under various circumstances? For example, a SIEM can be used to monitor a database for security issues using native database logs; or you can use a DAP tool. Similarly, firewall logs fed into a SIEM can sometimes work for monitoring anomalous network connections, in other circumstances a NIPS or even an NBA may be a better choice.
So here’s what I’m thinking about: can we build a decision tool that works like this:
Decide WHY = think attacks, privileged user activities, resource access [regulations define some of the WHYs for you, but won’t be explicitly mentioned here]
Pick WHAT = think databases, files, entire systems, connections, data in various forms, etc
Get the best 1-2 technology choices for each set of circumstances.
Realistic? Worth doing? What do you think?
P.S. This decision tool will intentionally avoid answering the “Why?” question for you (this is done elsewhere when risk related activities are undertaken) and also will focus on technology choices (leaving operational processes to be established separately).