Log collection and management strategy is one of the most important decisions an organization can make as these logs provide pertinent event data that is used to identify potential compromises from external and internal threat actors, as well as organizational policy violations. For this week’s discussion board posting, I want you to respond to the following questions:
1) What are some log collection/management considerations that an organization might need to bear in mind?
2) Do log files unto themselves provide an organization with complete visibility into what’s occurring on the organization’s network or to support internal investigations? If not, what other data sources might you think would provide enrichment to the existing data set?
3) Research centralized security incident and event management systems. Provide a summary of the features they contain and provide your assessment on how these features can be used by an organization (SOC analyst, threat hunting team, or incident responder) to help support investigations? Are there any particular features that might be useful to help with regulatory compliance reporting?
As always, please provide citations when applicable.