Thanks, I didn't write up the Case Study, just posted it, because I personally had been digging through my Windows logs trying to figure a problem out when I posted that out of frustration.
Because when you stop and think about the DLP potential from just 1 device, or not monitoring and catching things quickly enough heading out the front door via encrypted DNS queries, you do start to realize why they say the average breach is almost a year before it is recognized. Then you have to determine how they got in, what is missing or altered, have they gone lateral, are there any back doors or other footholds to let themselves right back in.
I worry about the SMBs and CUs that might not have a SIEM in place yet, or have the capability to configure, tune, and monitor it. They say that 95% of the US economy is SMBs; for instance, "they say" that the focus is on medical records for now, etc... How large is your primary care physician's IT staff? InfoSec staff? Gets your attention.
Thanks for the positive feedback, and keep those doors locked and ports battened down; looks like a "Hard Rain's a going to fall."
Before we see sunshine all the time. :-)