Detect FYI

Threat Detection Engineering and DFIR Insights


Threat Detection Bad Trips: Log Everything!

Alex Teixeira
4 min read · Mar 14, 2023


Alright, this is a public service for SIEM engineers. How many times have you heard that answer when someone asks "What should be logged?", and how hard is it today to predict the outcome of over-logging?

Disclaimer: all opinions here are applicable to enterprise, corporate environments only. That's where most of my experience comes from. It doesn't apply to SMBs or military environments, for instance.

Know your recipes

When you go shopping for ingredients to make food, you typically have an idea of what you want to prepare because you already know your recipes.

You may be able to slightly change your mind in case you find a promotion or a super fresh ingredient you were not counting on initially. That’s fine.

However, if you are cooking for a large group of people, it is likely that you plan ahead by determining which dishes you will prepare and what ingredients you will need to fulfill the requirements.

You guessed it correctly! How can I define what needs to be logged if I don't know the detections/indicators, reports and other use cases that will consume those logs?

Rotten potatoes or unattended, untouched logs?

Where did it start?

There are two common answers in consulting engagements you should be very familiar with, even if you are just starting a career:

  1. It depends.
  2. Define (or give me) the requirements.

Regardless of the case, you know you are in for some research and much work before figuring out what actually needs to be done.

Needless to say, when someone decides not to go down that rabbit hole, that's likely when "Log Everything" pops up.

Vendors love that take, BTW!

Whether you realized logging everything is not a good idea because the system was overloaded or because most of the logs don't provide any value for threat detection, one thing is for sure: you are paying the bill.

Some SIEM vendors still charge per data ingestion, which means over-logging is not something they will easily oppose. You need more inputs, after all.

There are many talented sales teams who know how to balance that (value focus), but at the end of the day, they all need to meet their target$.
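The "know your recipes" argument can be turned into a routine review. The script below is an added example, not part of the original post or the author's tooling: it takes a detection catalogue (which log sources each use case needs) and the SIEM's per-source ingestion figures, then reports the sources nobody consumes (the untouched logs you are paying for) and the use cases whose required sources are not ingested at all. The catalogue, volumes and price per GB are constructed sample values.

```python
"""Requirements-driven log review: does every ingested source back a use case?"""
from collections import defaultdict

# Constructed sample detection catalogue: use case -> required log sources.
USE_CASES = {
    "brute-force-logon": ["windows-security", "vpn"],
    "suspicious-powershell": ["windows-powershell", "edr"],
    "impossible-travel": ["vpn", "idp"],
    "dns-tunneling": ["dns"],  # requires a source that is not being ingested
}

# Constructed sample ingestion volumes in GB/day, as pulled from the SIEM.
INGESTION_GB_PER_DAY = {
    "windows-security": 120.0,
    "windows-powershell": 15.0,
    "edr": 80.0,
    "vpn": 10.0,
    "idp": 5.0,
    "firewall-allow": 400.0,  # allowed-traffic logs, consumed by no detection here
    "dhcp": 25.0,
}


def sources_by_use_case(use_cases):
    """Invert the catalogue: log source -> use cases that depend on it."""
    consumers = defaultdict(list)
    for name, sources in use_cases.items():
        for src in sources:
            consumers[src].append(name)
    return dict(consumers)


def untouched_sources(use_cases, ingestion):
    """Sources that are ingested but referenced by no detection (the rotten potatoes)."""
    consumers = sources_by_use_case(use_cases)
    return sorted(src for src in ingestion if src not in consumers)


def missing_sources(use_cases, ingestion):
    """Use cases whose required sources are not ingested (missing ingredients)."""
    return {name: [s for s in srcs if s not in ingestion]
            for name, srcs in use_cases.items()
            if any(s not in ingestion for s in srcs)}


def wasted_share(use_cases, ingestion, price_per_gb):
    """Daily volume and cost spent on untouched sources, plus their share of the total."""
    idle = untouched_sources(use_cases, ingestion)
    idle_gb = sum(ingestion[s] for s in idle)
    total_gb = sum(ingestion.values())
    return {"idle_sources": idle, "idle_gb": idle_gb,
            "share": idle_gb / total_gb, "idle_cost": idle_gb * price_per_gb}


if __name__ == "__main__":
    print(wasted_share(USE_CASES, INGESTION_GB_PER_DAY, price_per_gb=2.0))
    print(missing_sources(USE_CASES, INGESTION_GB_PER_DAY))
```

Sources that show up as untouched are candidates for filtering or dropping before renewal; sources that show up as missing are the ones worth onboarding next, because a detection is already waiting for them.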


Written by Alex Teixeira

I design and build detection and SIEM/EDR/XDR content for Enterprise #SecOps teams #DetectionEngineering http://opstune.com
