7 signs your cybersecurity is doomed to fail in 2020

While most enterprises have come to terms with the fact that a security incident is not a factor of “if,” but rather “when,” many are still struggling to translate this into the right security architecture and mindset. FireEye’s Cyber Trendscape 2020 report found that the majority (51%) of organizations do not believe they are ready or would respond well to a cyberattack or data breach.

Source: 7 signs your cybersecurity is doomed to fail in 2020

3. You’re drowning in data
I absolutely agree. Aside from the statement about having the right tools, the cybersecurity department should have personnel with hands-on technical experience who know what they don’t need to see. For almost all of my career I’ve been working with cyber security professionals who state that they need off-host secondary log aggregation of EVERYTHING. While I understand their justification, it’s quite like looking for a needle in a stack of needles when they investigate an event. It often results in their “tasking” the systems administrators to look in the logs to find evidence, which, from my understanding, is not their responsibility. Those with sufficient experience in working with logs understand that you’re not looking for something specific in logs; you’re looking for something that’s unusual. CompTIA CASP refers to these as anomalies. But one does not know what is anomalous unless they have sufficient technical experience in troubleshooting the system that generates the logs.

When it comes to log review, and depending on what platform you’re using (e.g. Splunk), you should derive a way to filter out, using regex patterns, the entries you don’t need to pay attention to. For example, filter out all successful logins on all systems unless the username is “root” or the UID is “0”.
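The filtering rule above, as an added example that is not part of the original post and is independent of any particular log platform: a small Python filter that drops routine successful logins but keeps every successful login as root or UID 0, and keeps anything that is not a successful login at all (failures, sudo, unknown formats), so the reviewer only sees what is unusual. The OpenSSH `Accepted ... for <user>` line format is real; the `app-auth: login ok user=... uid=...` format and all the sample lines are constructed for the example.

```python
import re
from typing import Iterable, List

# Real OpenSSH format for a successful login: "sshd[PID]: Accepted <method> for <user> from <src> ..."
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

# Constructed application format that carries the numeric UID of the account that logged in.
APP_LOGIN_OK = re.compile(r"app-auth: login ok user=(?P<user>\S+) uid=(?P<uid>\d+)")

# The accounts whose successful logins must always be reviewed (the post's "root" / "UID 0" rule).
PRIVILEGED_USERS = {"root"}
PRIVILEGED_UIDS = {"0"}

# Constructed sample lines in syslog style; none are from a real system.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
Mar  3 09:12:07 web01 sshd[2209]: Accepted password for root from 203.0.113.9 port 40022 ssh2
Mar  3 09:12:10 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40101 ssh2
Mar  3 09:13:00 db01 sshd[3311]: Accepted publickey for alice from 10.0.0.8 port 51200 ssh2
Mar  3 09:13:30 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 09:14:02 web01 app-auth: login ok user=svc uid=0 src=10.0.0.6
Mar  3 09:14:40 web01 app-auth: login ok user=bob uid=1001 src=10.0.0.7
"""


def is_routine_success(line: str) -> bool:
    """Return True when the line is a successful login by an unprivileged account.

    Such lines are the high-volume noise the post suggests filtering out.
    Privileged logins and everything that is not a successful login return False
    and are therefore kept for human review.
    """
    m = SSH_ACCEPTED.search(line)
    if m:
        return m.group("user") not in PRIVILEGED_USERS
    m = APP_LOGIN_OK.search(line)
    if m:
        return (m.group("user") not in PRIVILEGED_USERS
                and m.group("uid") not in PRIVILEGED_UIDS)
    # Unknown or non-login line: never silently drop what we do not understand.
    return False


def filter_for_review(lines: Iterable[str]) -> List[str]:
    """Keep only the lines an analyst should look at: unusual events and privileged logins."""
    return [ln for ln in lines if ln.strip() and not is_routine_success(ln)]


if __name__ == "__main__":
    kept = filter_for_review(SAMPLE_LOG.splitlines())
    print(f"{len(kept)} of {len(SAMPLE_LOG.splitlines())} lines kept for review:")
    for ln in kept:
        print("  ", ln)
```

Note the fail-safe direction of the filter: the allow-list names what is safe to discard (successful logins by ordinary accounts), and anything the patterns do not recognise is kept. Written the other way round, as a deny-list of "interesting" strings, a new log format or a renamed account would silently vanish from review. The same logic translates directly into a search-time exclusion on whatever aggregation platform is in use.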
