Data Source Prioritization in Helix

In this installment of the Tips and Insights series, Todd Bane explains data source prioritization options with your Helix deployment. This will help you and your team maximize the value of the data sources that you feed into Helix.

Hi I’m Todd Bane and I’m a Technical Initiatives Manager here at FireEye’s Deployment and Integrations group. I’d like to take the opportunity today to talk about data source prioritization with your Helix deployment. This will help you and your team maximize the value of the data sources that you feed into Helix in order to satisfy the business use cases and objectives you’ve outlined for your Helix implementation. There are many use cases that can be applied to the data sources that you on-board into Helix depending on your business objectives. They can satisfy either detection, investigative or hunting purposes. Understanding your organization’s business objectives and goals with Helix will help you select the data sources accordingly to help achieve those business objectives. The value of the different types of log sources that you on-board within Helix will help drive those use cases in order to accomplish those goals. Avoid on-boarding unnecessary log sources that may not return value according to those business objectives and use cases. This will help maximize the monetary value and the detection and use case efficacy within your Helix deployment. Log sources can also be applied against the Mandiant Attack Lifecycle in order to gain insights into threat detection based activities depending on the available log sources within your organization’s infrastructure. Common data sources that can be on-boarded into Helix are as follows. Perimeter and Network Controls. Authentication based log sources. Host and Server application. Deep Analysis Tools. Cloud Infrastructure and other types of third party applications that may be industry vertical specific. Depending on the use cases your organization is trying to satisfy you would want to choose appropriate log sources that help enrich and provide value to the use cases that you’re ultimately trying to achieve. Selection of these sources can align to the detection, investigative and threat hunting based use cases which may align also to either security based, compliance based or operationally based use cases. Over the years of deploying Helix and threat analytics we have identified critical data sources that we would recommend to any organization to on-board as part of a prioritization effort. Third party security platforms, DNS, Web proxy, Firewall, Endpoint, DHCP, Windows and Linux server or workstation process tracking, and other network access control events would be in the list of priority critical data sources. FireEye recommends taking a prioritization of outside inwards in regards to network infrastructure in order to prioritize the data sources that are on-boarded into Helix. Starting at the perimeter Evidence Collector based metadata,web proxy, Firewall/NAT, DNS, Remote Access and Security Tools would be the first priority data sources that you would on-board into Helix. Next in prioritization would be network access.

IIS and Apache log based authentication logs, web server remote access, SSO, NAC, Active Directory based authentication logs and DHCP logs would help satisfy this prioritization. Next,host, for Windows and Unix based events and Active Directory events. And finally, data. Database logs, Unix and Windows file access logs and file integrity monitoring would be the final prioritization for data sources to choose to on-board into Helix. The demonstration you just saw is a brief summary for how FireEye goes about prioritizing data source and log source ingestion into Helix platform in order to satisfy business objectives and use cases in accordance with compliance, security and operational use cases. Stay tuned for more tips and insights here at FireEye.

Scroll to Top