Summary
There was a lot to cover in this relatively short chapter. We learned that we need to have proper auditing and logging in place to capture events from all of our IT resources. We also learned that we need to capture logs from our third-party vendors, SaaS applications, web application firewalls, and network equipment, and pump those into a SIEM for log correlation and analysis.
We learned that we should also monitor physical hardware to ensure that it is not tampered with. This can include alarms that go off, anti-tampering seals that may have been broken, to monitoring it through CCTVs. We should also capture badge readers to determine when someone entered and left the building
Furthermore, we learned that SIEMs are tools to which we will send all our logs for analysis. This analysis is needed to understand our risks based on the events received. A SIEM is only as good as the logic built into it, so we also need rules to detect adverse events. Organizations will typically...
