We are constantly breaking out our computer infrastructure into smaller and smaller components. When it comes to documents and other content, we are keeping track of more information in our efforts to make the content more useable.
When considering requirements for Threat Management, it is worth thinking about these components, objects, and elements to assist in understanding which of them is worth monitoring or otherwise being aware of.
I use a slide I call the "method to the madness" slide that attempts to break out these elements (the madness) and then describes the techniques for evaluation. So, for example, traditional network IDS performs a string search (method) on one or more network packets (madness). Content filters may perform a keyword search or a URL string search (methods) on either a web page or an http request, respectively (some content filters use other techniques as well).
The goal is to first, understand more specifically what is occurring "under the covers" with our computing environment, primarily because it isn’t really under the covers – these are the new targets of hackers; and second, to more specifically evaluate threats, monitoring needs, and supporting products.