Blame it on YOU for the false-positives!

Alex TeixeiraSenior Security Practitioner

The #1 mistake Security vendors make is thinking we want more. We want less. I don't want 90,000 events a day; I want the 3 actionable ones.”

“

Security Analyst of a famous startupTwitter, March 2016

Less false-positives &More high-fidelity alerts.

SecMon = Core capabilitySkills gap/shortageBad UX = Unattended alertsHunting entry-point

Image source: ThinkGeek

Go beyond the canned content.

Go fully custom!

Define an initial scope• Main driver for:– Data collection requirements– Rules development roadmap

• Start with your Security Arsenal– Quick wins & low hanging fruits– Clear red flags

• Aggregate by host (target/attacker)• Summarize key fields and drill-down further• Anticipate analyst’s call (recurring actions)– Whose server is this? Who is this user?

Handling Exceptions• Key part of operations• Policy driven approach for on-going, every-day

cases (who, when, why) – with expiry date• Whitelisting ‘admins’ is NOT an option

Threat Intel != Signature• Context!• Enrichment!• Threat Hunting practice!• Alerting on every match

against the event stream = ∧FP rate

Blame it on your bo$$!• Minimizing FPs is directly tied to your team’s

skills and ability to: – Scope, design, deploy, develop & fine-tune rules

• A platform with development-appeal is at the core of the solution, but you need people.

• Less Silver Bullets, More Golden Minds

Blame it on me!

@ateixei

foren6.wordpress.com

linkedin.com/in/inode

Images source: Tidydesign