Security Analytics and SANS Top 20 Controls
I just found a document that mapped the SANS Top 20 controls to another big-name SIEM vendor, and it got me thinking: has anyone mapped the SANS Top 20 controls to their Security Analytics deployment?
I recall doing something like this a while back. It is certainly possible, but is highly dependent on the log sources to get the information. Grabbing firewall logs and parsing through those is relatively straightforward. Antivirus logs as well. Windows logs will certainly provide a wealth of insight, but if organizations only focus on server logs, then that's the only visibility they would have. Kerberos logs from Active Directory are nice, but sometimes you need the logs from endpoints too.
Ultimately, I feel much of this is achievable. NetWitness would just need the data fed into it. Once the data sources are there, it's a matter of going through and understanding the data for the organization.