I am as usual running well behind my reading, but this is one thing that you really shouldn’t miss. Anton Chuvakin posted a bit back about his latest paper (it is behind a sign-up wall, but worth the hassle). Logging is that boring thing that people tackle now and again and more often than not give up after bashing their head against the wall. Anyone remember Marcus J. Ranum’s efforts together with Tina Bird? Anyone? Anyone? Anyway, without further ado - go read this. Great stuff. “The Complete Guide to Log and Event Management”
This paper is the first document that formulates “graduation criteria” for such development. Organizations that graduate too soon will waste time and effort, and won’t see any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure themselves.
Your organization might need to go “back to logging school” before it is ready to “graduate to SIEM.” Such graduation requires an ability to respond to alerts and customize and tune products.”
Learn to walk before you can run. Sadly, too many organisations dive in head first and only then realise they really should have learned to swim first.