It’s relatively simple to collect logs and feed them into a security information and event management (SIEM) platform or other data analytics tool. It’s another matter to monitor that information in real time. Writing rules that make a log management solution alert on the right events, the ones that are truly meaningful in your organization’s IT environment, isn’t easy. Nor is it easy to know which of the hundreds or thousands of alerts these solutions generate every week most deserves a security analyst’s limited time and attention.
Figuring out what’s most important to pay attention to requires skill, experience, and a baseline understanding of what’s typical in an individual business’s unique computing environment. But the quality of security monitoring is arguably more important than the sheer quantity of data that’s being collected.
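The difference between a noisy rule and a baseline-aware one can be shown on a handful of log lines. The following Python example is added here and is not code from the original page or from any SIEM vendor; the sshd log lines are constructed for the illustration, the baseline definition (user and source address pairs with an accepted login in a learning window) and the five-failure threshold are assumptions chosen for the example, and the severity labels are hypothetical. It contrasts a naive "alert on every failed login" rule with one that only fires on deviations from what has been typical for each user.

```python
"""Baseline-aware alerting over constructed sshd log lines (added example)."""
import re
from collections import Counter

# Constructed sample log lines (not from any real system).
# BASELINE_WINDOW is the learning window used to establish what is typical;
# MONITORED_WINDOW is the window an analyst would be watching.
BASELINE_WINDOW = [
    "Mar  1 08:01:10 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Mar  1 08:05:22 host1 sshd[1202]: Accepted password for bob from 10.0.0.7 port 51001 ssh2",
    "Mar  2 08:02:30 host1 sshd[1203]: Accepted password for alice from 10.0.0.5 port 51002 ssh2",
    "Mar  2 09:10:00 host1 sshd[1204]: Failed password for bob from 10.0.0.7 port 51003 ssh2",
    "Mar  2 09:10:07 host1 sshd[1204]: Accepted password for bob from 10.0.0.7 port 51003 ssh2",
]

MONITORED_WINDOW = [
    "Mar  3 02:14:01 host1 sshd[1302]: Failed password for invalid user admin from 203.0.113.9 port 52002 ssh2",
    "Mar  3 02:14:03 host1 sshd[1303]: Failed password for alice from 203.0.113.9 port 52003 ssh2",
    "Mar  3 02:14:09 host1 sshd[1304]: Failed password for alice from 203.0.113.9 port 52004 ssh2",
    "Mar  3 02:14:15 host1 sshd[1305]: Failed password for alice from 203.0.113.9 port 52005 ssh2",
    "Mar  3 02:14:22 host1 sshd[1306]: Failed password for alice from 203.0.113.9 port 52006 ssh2",
    "Mar  3 02:14:30 host1 sshd[1307]: Failed password for alice from 203.0.113.9 port 52007 ssh2",
    "Mar  3 02:14:40 host1 sshd[1308]: Accepted password for alice from 203.0.113.9 port 52008 ssh2",
    "Mar  3 08:00:05 host1 sshd[1300]: Accepted password for alice from 10.0.0.5 port 52000 ssh2",
    "Mar  3 08:03:00 host1 sshd[1301]: Failed password for bob from 10.0.0.7 port 52001 ssh2",
    "Mar  3 08:03:06 host1 sshd[1301]: Accepted password for bob from 10.0.0.7 port 52001 ssh2",
    "Mar  3 10:00:00 host1 sshd[1309]: Accepted password for bob from 10.0.0.44 port 52009 ssh2",
]

# Handles both "password for alice" and "password for invalid user admin".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Hypothetical severity scale used only to rank the alerts for triage.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse(line):
    """Return {'result', 'user', 'ip'} for a password-auth line, else None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def naive_alerts(lines):
    """The context-free rule: one alert per failed login, all of equal weight."""
    return [ev for ev in map(parse, lines) if ev and ev["result"] == "Failed"]


def build_baseline(lines):
    """Baseline (assumption): (user, source ip) pairs with an accepted login
    in the learning window. Real deployments would use a longer window and
    more attributes, but the principle is the same."""
    return {(ev["user"], ev["ip"])
            for ev in map(parse, lines) if ev and ev["result"] == "Accepted"}


def baseline_alerts(lines, baseline, fail_threshold=5):
    """Alert only on deviations from the baseline, ranked by severity."""
    failures = Counter()
    alerts = []
    for ev in map(parse, lines):
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
            # A burst of failures from a source that has never logged in as this
            # user looks like guessing; the same count from a known source is
            # more likely a typo-prone human, so it ranks lower.
            if failures[key] == fail_threshold:
                alerts.append({"severity": "high" if key not in baseline else "medium",
                               "user": ev["user"], "ip": ev["ip"],
                               "reason": f"{fail_threshold} failed logins"})
        elif key not in baseline:
            # A success from a never-seen source is worth a look on its own;
            # after a burst of failures it is the top-priority event in the window.
            sev = "critical" if failures[key] >= fail_threshold else "high"
            alerts.append({"severity": sev, "user": ev["user"], "ip": ev["ip"],
                           "reason": "login from source not in baseline"
                                     + (" after failed attempts" if failures[key] else "")})
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    print(f"naive rule: {len(naive_alerts(MONITORED_WINDOW))} alerts, none prioritised")
    for a in baseline_alerts(MONITORED_WINDOW, baseline):
        print(f"[{a['severity']:>8}] {a['user']} from {a['ip']}: {a['reason']}")
```

On the monitored window the naive rule emits seven undifferentiated alerts, six of them for an attacker's guesses and one for bob mistyping his password from his usual workstation. The baseline-aware rule emits three, with the successful login as alice from the unfamiliar address, immediately after five failures, ranked first; bob's later login from a new address is flagged but ranked below it, and his single typo is suppressed entirely. The rule is only as good as the baseline it is built on, which is the practical meaning of the paragraph above.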