Organizations require robust asset identification to ensure effective cybersecurity strategies. However, defenders need to go beyond asset inventories in the traditional sense and develop and use an internally focused collection management framework that supports the incident responders and security operations staff who must prepare for and conduct investigations into adversary activity in their environments.
A collection management framework (CMF) is a structured approach to identifying data sources and what information can be obtained from each source. The concept of collection management is rooted in intelligence work. In the intelligence field it is routine to identify requirements and then determine where sources exist to collect information that satisfies those requirements. Various styles of collection management exist and can incorporate attributes such as a reliability rating for the data and measurements of trustworthiness, accuracy, and completeness. An important concept in collection management is developing a framework that meets the analyst's own requirements for collecting data and producing information from it, rather than necessarily subscribing to others' exact models.
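An added worked example (not code from the Dragos post or its webinar) of the requirement-to-source mapping a CMF captures: constructed ICS data sources with a reliability rating and retention period, constructed investigative requirements, and a coverage check that shows which questions the current collection can answer and which it cannot. All source names, ratings and data types are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Source:
    name: str
    data_types: frozenset   # information obtainable from this source
    reliability: str        # constructed A-F scale, A = most reliable
    retention_days: int     # how far back an investigator can look


@dataclass
class Requirement:
    question: str
    needed: frozenset       # data types required to answer the question


# Constructed sample CMF entries for a small ICS environment.
SOURCES = [
    Source("Plant firewall syslog", frozenset({"src_ip", "dst_ip", "dst_port"}), "B", 90),
    Source("Switch SPAN capture", frozenset({"pcap", "src_ip", "dst_ip", "dst_port", "protocol"}), "A", 7),
    Source("Historian audit log", frozenset({"user", "tag_write", "timestamp"}), "B", 365),
    Source("Engineering workstation EDR", frozenset({"process", "user", "file_hash"}), "A", 30),
]

REQUIREMENTS = [
    Requirement("Which hosts talked to the HMI on TCP/502?", frozenset({"src_ip", "dst_ip", "dst_port"})),
    Requirement("Who changed a setpoint and from where?", frozenset({"user", "tag_write", "src_ip"})),
    Requirement("Was a known-bad binary executed on the EWS?", frozenset({"process", "file_hash"})),
    Requirement("Was the PLC firmware modified?", frozenset({"firmware_version"})),
]


def coverage(requirements, sources, min_days=0):
    """Map each requirement to the sources that contribute to answering it.

    Only sources retaining data for at least min_days are considered, so the
    same CMF can be queried for "can we answer this about last month?".
    A requirement may need several sources correlated together; "missing"
    lists the data types no retained source provides.
    """
    result = {}
    for req in requirements:
        usable = [s for s in sources if s.retention_days >= min_days and s.data_types & req.needed]
        have = frozenset().union(*(s.data_types for s in usable)) if usable else frozenset()
        result[req.question] = {
            "sources": sorted((s.reliability, s.name) for s in usable),  # best-rated first
            "missing": sorted(req.needed - have),
        }
    return result


def gaps(requirements, sources, min_days=0):
    """Questions the current collection cannot fully answer: the CMF's to-do list."""
    return [q for q, r in coverage(requirements, sources, min_days).items() if r["missing"]]
```

Raising `min_days` exposes a second kind of gap: a source that exists but whose retention is too short for the investigation window.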
The related webinar “Using a Collection Management Framework for ICS Security Operations and Incident Response” can be accessed here: https://www.dragos.com/resource/using-a-collection-management-framework-for-ics-security-operations-and-incident-response/