Log and SIEM management
Log management: the first building block of a detection system.
Before such attacks can be detected, and before a complex sequence of events can be acted upon, a step-by-step approach must be put in place:
– Enable logging on the devices;
– Build a centralized log repository;
– Set up alerting;
– Implement event correlation.
The first step, which may seem the simplest, is often the most tedious and the hardest to sustain. It depends on several teams, and new equipment that also has to be integrated appears every day. The reliability of this first step is crucial: without complete and trustworthy logs, increasingly sophisticated attack scenarios cannot be captured.
Once logging is enabled, the next step is to build the log repository that collects and centralizes events in a dedicated storage space. That space must be sized for a data volume that tends to grow very quickly over the years.
These data must be handled with the utmost care, since they are considered personal data as soon as user identifiers or login details are recorded. Retention and access policies must therefore be defined for both live storage and archives.
It is on top of this log repository that a first set of so-called "simple" alerts, without correlation, can be built, followed in a second stage by correlation capabilities. For greater effectiveness, it is increasingly recommended to tie correlation rules to the MITRE ATT&CK matrix, which is recognized today as comprehensive and regularly updated.
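The two stages described above, as an added example that is not part of the original article: a stateless "simple" alert (any successful root login) and a stateful correlation rule (several failed logins from one source followed by a success from the same source within a time window) run over constructed sshd-style log lines. The log lines, the rule names, the thresholds and the choice of ATT&CK technique IDs (T1078 Valid Accounts for the simple rule, T1110 Brute Force for the correlated one) are assumptions made for this illustration, not content from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like syslog format (not real data).
# Source 203.0.113.5 fails five times and then succeeds as root within a minute;
# source 198.51.100.7 fails once and then succeeds with a key (benign typo).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:03Z host1 sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:05Z host1 sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:06Z host1 sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:08Z host1 sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-03-01T10:00:09Z host1 sshd[1206]: Accepted password for root from 203.0.113.5 port 40006 ssh2
2024-03-01T10:30:00Z host2 sshd[1301]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-03-01T10:31:00Z host2 sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# Parser for the constructed format above (field names are assumptions).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Turn one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def simple_alerts(events):
    """Stage 1: stateless alerts, each event judged on its own.
    Rule: any successful root login (mapped here to ATT&CK T1078, Valid Accounts)."""
    alerts = []
    for ev in events:
        if ev["result"] == "Accepted" and ev["user"] == "root":
            alerts.append({"rule": "root-login", "technique": "T1078",
                           "host": ev["host"], "src": ev["src"], "ts": ev["ts"]})
    return alerts


def correlated_alerts(events, threshold=4, window=timedelta(minutes=5)):
    """Stage 2: stateful correlation across events.
    Rule: at least `threshold` failures from one source inside `window`,
    followed by a success from the same source (mapped here to ATT&CK T1110, Brute Force)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        # Expire failures that fell out of the correlation window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "technique": "T1110",
                           "host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures": len(q), "ts": ev["ts"]})
            q.clear()  # do not re-alert on the same burst
    return alerts


def run(text):
    """Parse raw log text and return (simple_alerts, correlated_alerts)."""
    events = [e for e in (parse(line) for line in text.splitlines()) if e]
    return simple_alerts(events), correlated_alerts(events)


if __name__ == "__main__":
    simple, correlated = run(SAMPLE_LOGS)
    for a in simple + correlated:
        print(a)
```

On the sample data the simple rule fires once (the root login from 203.0.113.5) and the correlation rule fires once for the same source with five preceding failures; the single failure from 198.51.100.7 stays below the threshold and produces nothing. The point of the two stages is visible here: the simple rule cannot tell a legitimate root login from the end of a brute-force run, while the correlated rule needs state across events and therefore the centralized, time-ordered repository described above.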