A logging maturity and decision model for the selection of intrusion detection cyber security solutions

Publication: Contribution to journal › Article › Peer-reviewed

Abstract

Many modern cyber attack techniques cannot be prevented. Logging and monitoring, however, offer a means to at least detect these techniques early, and therefore become increasingly important for defense. Many companies are unfortunately reluctant to invest more in cyber security logging and monitoring or hire additional security staff to operate detective solutions. There is a need for a methodology to pick appropriate cyber security solutions from the vast pool of available products. Our model takes requirements mandated by common standards from ISO, NIST, BSI and the like into account. While standards and guidelines remain at a high abstraction level and are applicable to different organizations over a long period of time, guidance on implementation becomes outdated comparatively quickly. We propose a novel logging maturity and decision model for the selection of the best fitting cyber security solutions for an organization. The novelty is that this model accounts for constraints in the selection process, such as cost, complexity, compliance, and relevance to the organization's assets. We validate the model with MITRE ATT&CK framework data and apply it to illustrative use cases based on our survey.
Original language: English
Article number: 103844
Number of pages: 10
Journal: Computers and Security
Volume: 141
Publication status: Published - June 2024

Research Field

  • Cyber Security

