I like to brag about my background in data management. I should really work on being humbler in this respect, because I understand databases have changed a metric ton since I last did any real database administration. Now that we have that out of the way: managing data makes me incredibly useful in information security, and I didn't start realizing this until more recently, as I'm doing a lot of work around events, correlation, and the relationships between systems that aren't integrated with each other (although they could and should be).
What's a data dude to do when none of these systems integrate, and we're drowning in data because we can't establish a baseline? I have a gigantic internal conflict going on at the moment. In every talk I've given over the past couple of years, I've argued against doing exactly what I'm about to say, but we only live once, so screw it. Log the hell out of everything you can possibly find on your network. Dump it all into whatever you can dump it into and start working out your normal baseline. This might not work everywhere, but it's horrendously important when walking into a new environment, because it's the fastest way to find normal. Keep in mind that "normal" captured this way includes whatever was already misconfigured or compromised when you started logging, so the first baseline is a starting point, not ground truth. Weed through that normal, and then begin your behavioral plans.
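To make "find normal, then flag what deviates from it" concrete, here is a small added example (editor's code, not from the original post or any product). It uses a constructed, hypothetical log format of `<timestamp> <action> src=<ip> dst=<ip> dport=<port> user=<name>`; the sample lines, the `min_count` threshold and the three behavioral checks (source-to-port pairs, destination hosts, per-user hours of activity) are all assumptions chosen for illustration.

```python
"""Baseline-then-flag over constructed log lines (added example, not the post's code)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data; the line format is hypothetical, not any vendor's.
# Baseline window: what the environment looked like before enforcement.
BASELINE_LOGS = """\
2024-03-01T08:02:11 allow src=10.0.1.20 dst=10.0.2.5 dport=443 user=alice
2024-03-01T09:30:45 allow src=10.0.1.21 dst=10.0.2.5 dport=443 user=bob
2024-03-01T13:11:03 allow src=10.0.1.21 dst=10.0.2.9 dport=445 user=bob
2024-03-02T09:05:12 allow src=10.0.1.20 dst=10.0.2.5 dport=443 user=alice
2024-03-02T14:22:09 allow src=10.0.1.20 dst=10.0.2.5 dport=443 user=alice
2024-03-02T16:48:31 allow src=10.0.1.21 dst=10.0.2.5 dport=443 user=bob
2024-03-03T10:15:57 allow src=10.0.1.20 dst=10.0.2.9 dport=445 user=alice
2024-03-03T13:40:20 allow src=10.0.1.21 dst=10.0.2.9 dport=445 user=bob
"""

# Later events to evaluate against that baseline (also constructed).
NEW_LOGS = """\
2024-03-08T09:15:02 allow src=10.0.1.20 dst=10.0.2.5 dport=443 user=alice
2024-03-08T03:12:44 allow src=10.0.1.20 dst=10.0.2.5 dport=443 user=alice
2024-03-08T09:40:19 allow src=10.0.1.21 dst=10.0.2.5 dport=22 user=bob
2024-03-08T13:05:00 allow src=10.0.1.21 dst=203.0.113.77 dport=443 user=bob
2024-03-08T11:00:00 allow src=10.0.1.20 dst=10.0.2.9 dport=445 user=mallory
"""


def parse_line(line):
    """Parse one line of the assumed format into a dict with a datetime and an int port."""
    ts, action, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "action": action}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    event["dport"] = int(event["dport"])
    return event


def build_baseline(lines):
    """Count what 'normal' looked like over the baseline window.

    Anything already wrong during the window (an existing compromise, a bad
    rule) is counted as normal here, so the baseline is provisional.
    """
    baseline = {
        "src_dport": Counter(),          # (src, dport) -> occurrences
        "dst_hosts": set(),              # every destination ever contacted
        "user_hours": defaultdict(set),  # user -> hours of day with activity
    }
    for line in lines:
        ev = parse_line(line)
        baseline["src_dport"][(ev["src"], ev["dport"])] += 1
        baseline["dst_hosts"].add(ev["dst"])
        baseline["user_hours"][ev["user"]].add(ev["ts"].hour)
    return baseline


def score_event(baseline, ev, min_count=2):
    """Return the reasons an event deviates from the baseline (empty list = normal)."""
    reasons = []
    seen = baseline["src_dport"][(ev["src"], ev["dport"])]
    if seen < min_count:  # rare or never-seen source/port pair
        reasons.append(f"src {ev['src']} -> dport {ev['dport']} seen {seen}x in baseline")
    if ev["dst"] not in baseline["dst_hosts"]:
        reasons.append(f"dst {ev['dst']} never seen in baseline")
    hours = baseline["user_hours"].get(ev["user"])
    if hours is None:
        reasons.append(f"user {ev['user']} not in baseline")
    elif ev["ts"].hour not in hours:
        reasons.append(f"user {ev['user']} active at hour {ev['ts'].hour}, "
                       f"baseline hours {sorted(hours)}")
    return reasons


def flag_anomalies(baseline_lines, new_lines, min_count=2):
    """Build the baseline, then return [(line, reasons)] for every deviating new event."""
    baseline = build_baseline(baseline_lines)
    flagged = []
    for line in new_lines:
        reasons = score_event(baseline, parse_line(line), min_count)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in flag_anomalies(BASELINE_LOGS.splitlines(), NEW_LOGS.splitlines()):
        print(line)
        for r in reasons:
            print("   ", r)
```

Every flagged event carries the concrete reason it tripped, which is what you need when weeding through the results: a source talking to a port it never used, a destination nobody has touched before, or a user active at an hour they never were. Raising `min_count` or widening the baseline window trades false positives for missed rare-but-legitimate behavior, and that tuning is the "weed through that normal" step.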
Eventually you will get that baseline, and you will need to start blocking things. That's going to be scary as hell, but trust me, it will not be as bad as it seems, as long as you work your ass off to resolve issues immediately and don't drag your feet. Dragging your feet only costs you credibility (lose your credibility with IT ops and your life just became hell), so bite the rollout bullet and make it as smooth as possible, knowing there are going to be lumps. Plan for them, so you can compensate for that week or month of being overworked with some kind of supplemental time off, and your employees are able to decompress.
Coming soon, we're going to look at ways to get at the data and start turning it into actionable items you can work through, so you can eliminate false positives and look in the areas you should be looking, instead of chasing a ghost in a house of mirrors.