TaoSecurity: What Do You Investigate First?
Richard Bejtlich offers the obvious, but usually difficult-to-implement, answer to the following question:
Let’s say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?
Bejtlich offers two answers that generally converge into one: focus on assets, i.e. start with the most critical assets in your organization.
Ideally, the log, flow, event collection and analysis system you are using can discover all network-attached assets and then let you group them into IT/Business Services. Then you can prioritize your focus based on the criticality of each IT/Business Service: a moderate alert on a host that belongs to a critical service ranks above a louder alert on a host that belongs to a low-value one, and a host that maps to no known service is itself a finding, because it is a gap in the asset inventory.
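The prioritization just described, as an added example that is not code from the original post or from TaoSecurity: findings from flow, log and host sources are mapped to the IT/Business Service that owns the affected host, then ranked by service criticality times finding severity. The subnet-to-service inventory, the criticality weights, the 1..5 severity scale and the findings themselves are all constructed for illustration; a real deployment would take the inventory from a CMDB and the findings from the collectors.

```python
"""Rank suspicious-activity findings by the criticality of the owning
IT/Business Service.  Added example; inventory, weights and findings
below are constructed, not real data."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: subnet -> IT/Business Service.
SERVICE_SUBNETS = {
    "10.1.0.0/24": "Payments",
    "10.2.0.0/24": "Active Directory",
    "10.3.0.0/24": "Corporate Workstations",
    "10.4.0.0/24": "Guest Wi-Fi",
}

# Constructed criticality weights on an assumed 1 (low) .. 5 (critical) scale.
SERVICE_CRITICALITY = {
    "Payments": 5,
    "Active Directory": 5,
    "Corporate Workstations": 2,
    "Guest Wi-Fi": 1,
}

# Hosts that match no inventory entry are not dropped: they get a middling
# weight so the analyst still sees them, and they are reported separately
# as an inventory gap.
UNKNOWN_SERVICE = "Unmapped"
UNKNOWN_CRITICALITY = 3

# Constructed findings from netflow, log and host telemetry (severity 1..5).
FINDINGS = [
    {"source": "netflow", "host": "10.4.0.17", "desc": "port scan of 10.0.0.0/8", "severity": 3},
    {"source": "host",    "host": "10.1.0.5",  "desc": "new scheduled task launching powershell", "severity": 4},
    {"source": "log",     "host": "10.3.0.42", "desc": "20 failed logons then success", "severity": 3},
    {"source": "netflow", "host": "10.2.0.2",  "desc": "2 GB outbound on 443 to never-seen ASN", "severity": 4},
    {"source": "log",     "host": "10.9.0.7",  "desc": "sudo to root by service account", "severity": 2},
]


def service_for(host):
    """Map an IP to its IT/Business Service by longest-prefix match."""
    ip = ipaddress.ip_address(host)
    best = None
    for cidr, svc in SERVICE_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, svc)
    return best[1] if best else UNKNOWN_SERVICE


def score(finding):
    """Criticality of the owning service times the finding's own severity."""
    crit = SERVICE_CRITICALITY.get(service_for(finding["host"]), UNKNOWN_CRITICALITY)
    return crit * finding["severity"]


def prioritize(findings):
    """Return findings worst-first, annotated with service and score.

    Ties break on raw severity, then host, so the queue order is stable."""
    ranked = [{**f, "service": service_for(f["host"]), "score": score(f)} for f in findings]
    ranked.sort(key=lambda f: (-f["score"], -f["severity"], f["host"]))
    return ranked


def discovered_assets(findings):
    """Hosts seen in telemetry grouped by service; the 'Unmapped' group is
    the list of assets the inventory does not know about."""
    groups = defaultdict(set)
    for f in findings:
        groups[service_for(f["host"])].add(f["host"])
    return {svc: sorted(hosts) for svc, hosts in groups.items()}


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['score']:>3}  {f['service']:<22} {f['host']:<10} {f['source']:<8} {f['desc']}")
    print("unmapped assets:", discovered_assets(FINDINGS).get(UNKNOWN_SERVICE, []))
```

With these constructed inputs the scheduled-task finding on the Payments host and the large outbound transfer from the domain controller (both 5 x 4 = 20) go to the top of the queue, while the port scan from Guest Wi-Fi, despite its higher raw severity than the sudo event, drops to the bottom because that service is weighted 1. The host 10.9.0.7 lands in the Unmapped group, which is the cue to fix the inventory before the next round of triage.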