Blame it on YOU for the false-positives!
Alex Teixeira, Senior Security Practitioner
“The #1 mistake Security vendors make is thinking we want more. We want less. I don't want 90,000 events a day; I want the 3 actionable ones.”
Security Analyst of a famous startup, Twitter, March 2016
Less false-positives & more high-fidelity alerts.
• SecMon = Core capability
• Skills gap/shortage
• Bad UX = Unattended alerts
• Hunting entry-point
Image source: ThinkGeek
Go beyond the canned content.
Go fully custom!
Define an initial scope
• Main driver for:
  – Data collection requirements
  – Rules development roadmap
• Start with your Security Arsenal
  – Quick wins & low-hanging fruits
  – Clear red flags
• Aggregate by host (target/attacker)
• Summarize key fields and drill down further
• Anticipate the analyst's call (recurring actions)
  – Whose server is this? Who is this user?
Handling Exceptions
• Key part of operations
• Policy-driven approach for ongoing, everyday cases (who, when, why), each with an expiry date
• Whitelisting ‘admins’ is NOT an option
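The exception-handling and host-aggregation points above, as an added example that is not the talk's own code: each exception records who approved it, when, why and when it expires, and is scoped to specific field values rather than to a role such as 'admin'; the alerts that survive are rolled up per host with the fields an analyst asks about first. Hosts, users, rule names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AlertException:
    """One documented, time-boxed suppression for a recurring benign case."""
    rule: str      # detection rule it applies to
    match: dict    # alert fields that must ALL equal these values (no blanket role bypass)
    owner: str     # who approved it
    reason: str    # why the case is benign
    created: date  # when it was approved
    expires: date  # hard stop: past this date it suppresses nothing

    def covers(self, alert: dict, today: date) -> bool:
        if today > self.expires or alert.get("rule") != self.rule:
            return False
        return all(alert.get(k) == v for k, v in self.match.items())

def triage(alerts, exceptions, today):
    """Split alerts into (actionable, suppressed); each suppressed item keeps its reason."""
    actionable, suppressed = [], []
    for alert in alerts:
        hit = next((e for e in exceptions if e.covers(alert, today)), None)
        if hit is None:
            actionable.append(alert)
        else:
            suppressed.append((alert, hit.reason))
    return actionable, suppressed

def by_host(alerts):
    """Aggregate per target host, summarising the fields an analyst asks about first."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["host"], {"count": 0, "users": set(), "rules": set(), "srcs": set()})
        s["count"] += 1
        for key in ("user", "rule", "src"):
            s[key + "s"].add(a[key])
    return summary

# Constructed sample alerts and one exception (hypothetical hosts, users, rule names, dates).
ALERTS = [
    {"rule": "psexec-service-install", "host": "srv-db01", "user": "svc_backup", "src": "bkp-01"},
    {"rule": "psexec-service-install", "host": "srv-db01", "user": "jdoe", "src": "wks-117"},
    {"rule": "psexec-service-install", "host": "srv-web02", "user": "svc_backup", "src": "wks-117"},
    {"rule": "new-local-admin", "host": "srv-web02", "user": "jdoe", "src": "wks-117"},
]
EXCEPTIONS = [AlertException(
    rule="psexec-service-install", match={"user": "svc_backup", "src": "bkp-01"},
    owner="IT Ops", reason="nightly backup agent push", created=date(2016, 3, 1),
    expires=date(2016, 9, 1))]
```

Calling `triage(ALERTS, EXCEPTIONS, date(2016, 6, 1))` suppresses only the first alert; the third one (same service account, but pushed from a workstation) stays actionable, and after the expiry date nothing is suppressed at all.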
Threat Intel != Signature
• Context!
• Enrichment!
• Threat Hunting practice!
• Alerting on every match against the event stream = higher FP rate
Blame it on your bo$$!
• Minimizing FPs is directly tied to your team's skills and ability to:
  – Scope, design, deploy, develop & fine-tune rules
• A platform with development appeal is at the core of the solution, but you need people.
• Less Silver Bullets, More Golden Minds
Blame it on me!
@ateixei
foren6.wordpress.com
linkedin.com/in/inode
Images source: Tidydesign