Alert Fidelity Measuring Detection Quality - march2019

Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Cargando en…3
×

Eche un vistazo a continuación

1 de 13 Anuncio

Some thoughts on how we can measure detectors within a SOC/MDR. Alerts that ship with SIEMs (canned alerts) are generally of poor quality, so what are some metrics we can use to measure the quality of a detector?


  1. Alert Fidelity. NVIEW MDR. Martin Potgieter, March 2019.
  2. What are alerts? Alerts [detectors] {rules} (watchers): different products use different names for the same thing.
  3. Alerts: status quo. Canned.
  4. Quality alerts reduce dwell time. Shorter dwell time reduces business impact.
  5. Dwell time averages. FireEye M-Trends Report 2018: average global dwell time decreased from 101 to 78 days in 2018.
  6. How do we measure it? What are some alert metrics? Four axes: Simplicity, Certainty, Resiliency, Relevancy.
  7. Is there a relationship between the metrics? (Shown as an Edwards-Venn diagram of the four metrics.) Is there a sweet spot?
  8. Relevance. Relevance is not so objective.
  9. Let's look at some real alerts.
  10. Sample alert: Password spray attempt detected.
      ▸ Looks at failed logons with multiple usernames.
      ▸ Scored on the four metrics (radar chart, 0 to 10):
        Simplicity: no AI required here; relies on standard AD audit requirements.
        Certainty: rarely triggers falsely, unlikely to not trigger.
        Resiliency: great resiliency, but can be bypassed with time.
        Relevancy: 100% relevant; a common method to guess passwords.
  11. Sample alert: Spike in 400 errors on web application.
      ▸ Looks for a dramatic increase in HTTP 400 errors.
      ▸ Scored on the four metrics (radar chart, 0 to 10):
        Simplicity: no AI required here; a simple measurement.
        Certainty: this one is kinda noisy, some false positives.
        Resiliency: fairly resilient.
        Relevancy: web apps are common targets.
  12. Sample alert: Multiple unique logons from same source... NOT!
      ▸ Looks for multiple user accounts from the same source.
      ▸ Notes from the chart (the alert did not work as intended):
        Not too complicated, but needed tuning.
        Nothing to measure against.
        Somewhat, if it worked.
  13. In closing: takeaways.
      ▸ Alert quality matters.
      ▸ Tune but don't tune out.
      ▸ Chuck bad alerts out.
      ▸ Relevancy: important but requires maturity.
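The password spray detector on slide 10 ("failed logons with multiple usernames") and its resiliency caveat ("can be bypassed with time") are easy to show in code. The following is an added example, not code from the deck or from NVIEW MDR: a sliding-window detector over constructed failed-logon records (the three fields a Windows 4625 event would give you: timestamp, source, target username), run against a fast spray, a low-and-slow spray spaced to stay under the window threshold, and a shared jump host where a few users mistype passwords. The function name, the window and threshold defaults, and all sample data are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_password_spray(events, window=timedelta(minutes=10), min_users=10):
    """Alert when one source fails logons for >= min_users distinct accounts
    inside a sliding time window. Events are (ISO timestamp, source, username).
    Re-alerting for the same source is muted for one window after an alert."""
    alerts = []
    recent = defaultdict(deque)   # source -> (timestamp, user) pairs inside the window
    muted_until = {}              # source -> time at which it may alert again
    for ts_text, source, user in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_text)
        q = recent[source]
        q.append((ts, user))
        while ts - q[0][0] > window:          # drop records that aged out of the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_users and ts >= muted_until.get(source, ts):
            alerts.append({"source": source,
                           "first_seen": q[0][0].isoformat(),
                           "last_seen": ts.isoformat(),
                           "users": sorted(distinct)})
            muted_until[source] = ts + window
    return alerts


def _spray(source, start, gap_seconds, n_users):
    """Constructed sample data: one failed logon per account, gap_seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * gap_seconds)).isoformat(), source, f"user{i:02d}")
            for i in range(n_users)]


# Constructed inputs (not real logs):
# 20 accounts hit in 40 seconds: the textbook spray the slide describes.
FAST_SPRAY = _spray("10.0.0.5", "2019-03-01T09:00:00", 2, 20)
# 20 accounts, one every 70 s: at most 9 land in any 10-minute window,
# so the default threshold is never reached (the "bypass with time" caveat).
SLOW_SPRAY = _spray("10.0.0.9", "2019-03-01T09:00:00", 70, 20)
# A shared jump host where three people fail four times each: many failures,
# few distinct accounts, so a spray rule should stay quiet.
JUMP_HOST_NOISE = [(f"2019-03-01T09:0{i}:{j * 10:02d}", "10.0.0.20", name)
                   for i, name in enumerate(["alice", "bob", "carol"])
                   for j in range(4)]


def run_demo():
    """Returns (alerts with default tuning, alerts with a one-hour window)."""
    default = detect_password_spray(FAST_SPRAY + SLOW_SPRAY + JUMP_HOST_NOISE)
    # Widening the window catches the slow spray, at the cost of more noise
    # on busy sources: "tune but don't tune out".
    widened = detect_password_spray(SLOW_SPRAY, window=timedelta(hours=1))
    return default, widened


if __name__ == "__main__":
    default, widened = run_demo()
    for a in default:
        print("default tuning:", a["source"], a["first_seen"], "->", a["last_seen"], len(a["users"]), "users")
    for a in widened:
        print("1h window:", a["source"], a["first_seen"], "->", a["last_seen"], len(a["users"]), "users")
```

With default tuning only 10.0.0.5 alerts; the jump host never does (high certainty, as the slide scores it), and the 70-second spray never does either, which is the resiliency gap the slide points at. The one-hour run shows the trade-off behind "tune but don't tune out": a longer window makes the rule resilient to slow sprays but lets legitimate sources with many users accumulate failures too.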
