For a small or medium business it is very easy to be overwhelmed in infosec. You need to move fast when there is a potential problem, but everything also needs to be organized and have a process and flow.
It is great that we have SIEM technology that lets us see all of our logs in the same place. But these thousands of details are also a major headache. They look like nonsense and you want to just ignore them and move on, but you also know they may be important in helping to detect a threat.
Similar to the 12-step AA program, the first step is to define the honest truth of your environment: create a baseline of where you are now and a map for improvement.
Slowly document, start to tune, add agents and improve. Small things can make a huge difference.
Do this daily. It needs to be done. Again, this does not need to be crazy, just a little effort each day.
Define your severity levels. Make these events notable, and base them not on which IP address was involved but on what event occurred and what asset that IP address was part of.
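As an added example (not code from the original post or from any particular SIEM product), here is a small Python script showing what "severity by event and asset, not by IP" can look like in practice: events are enriched from an asset inventory, scored from the event type plus the asset's business criticality, and only the ones above a threshold are marked notable. The asset inventory, the event base scores, the log lines and the `src=`/`event=` field names are all constructed for the illustration. It also builds the per-asset daily count that the post's baseline step calls for.

```python
"""Asset-aware severity scoring for SIEM events (added illustration).

Assumptions (constructed, not a real SIEM schema): log lines look like
'<timestamp> src=<ip> event=<type>', and an asset inventory maps IPs to a
name and a 1-5 business criticality.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: IP -> (asset name, business criticality 1-5).
ASSETS: Dict[str, Tuple[str, int]] = {
    "10.0.0.5": ("payroll-db", 5),
    "10.0.0.20": ("marketing-web", 3),
    "10.0.1.42": ("dev-laptop-07", 1),
}

# Constructed base severity per event type (1-5). The event type, not the
# IP address, sets the starting point.
EVENT_BASE: Dict[str, int] = {
    "auth_failure_burst": 2,
    "new_admin_account": 4,
    "malware_detected": 4,
    "port_scan": 1,
}

# Unknown devices get a middle criticality rather than zero, so that an
# unrecorded host is a gap in the baseline, not something silently ignored.
UNKNOWN_ASSET: Tuple[str, int] = ("unknown-asset", 3)


@dataclass
class ScoredEvent:
    ts: str
    src_ip: str
    event: str
    asset: str
    severity: int
    notable: bool


def score_event(ts: str, src_ip: str, event: str,
                notable_threshold: int = 4) -> ScoredEvent:
    """Combine event base score and asset criticality into a 1-5 severity."""
    asset_name, criticality = ASSETS.get(src_ip, UNKNOWN_ASSET)
    base = EVENT_BASE.get(event, 2)  # unmapped event types get a modest default
    # Average of the two, rounded up, clamped to the 1-5 scale.
    severity = max(1, min(5, (base + criticality + 1) // 2))
    return ScoredEvent(ts, src_ip, event, asset_name, severity,
                       severity >= notable_threshold)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse '<ts> key=value ...' into (ts, src_ip, event); None if malformed."""
    parts = line.split()
    if not parts:
        return None
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "src" not in kv or "event" not in kv:
        return None
    return parts[0], kv["src"], kv["event"]


def triage(log_text: str, notable_threshold: int = 4) -> List[ScoredEvent]:
    """Return only notable events, highest severity first, then oldest first."""
    notables = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        scored = score_event(*parsed, notable_threshold=notable_threshold)
        if scored.notable:
            notables.append(scored)
    notables.sort(key=lambda e: (-e.severity, e.ts))
    return notables


def daily_summary(log_text: str) -> Dict[str, int]:
    """Events per asset: the kind of daily baseline the post asks you to keep."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        asset = ASSETS.get(parsed[1], UNKNOWN_ASSET)[0]
        counts[asset] = counts.get(asset, 0) + 1
    return counts


# Constructed sample log for the illustration.
SAMPLE_LOG = """\
2017-05-26T08:01:12Z src=10.0.1.42 event=port_scan
2017-05-26T08:03:40Z src=10.0.0.20 event=auth_failure_burst
2017-05-26T08:05:02Z src=10.0.0.5 event=new_admin_account
2017-05-26T08:07:55Z src=192.168.9.9 event=malware_detected
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"sev={e.severity} {e.asset} ({e.src_ip}) {e.event}")
    print(daily_summary(SAMPLE_LOG))
```

The same port scan scores 1 against a developer laptop and would score 3 against the payroll database, which is the point: the tuning effort goes into keeping the asset inventory and event base scores honest, and the notable list stays short enough to review every day.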
Most importantly, "Don't Give Up"! Your security posture matters. Hire help through Managed Security Services or get additional staff, and follow a simple process.
May 26, 2017