Security teams still need to rigorously evaluate these alerts to alert humans ONLY when necessary .
Endpoint compromise can also have impact – having capable monitoring and alerting on endpoint activities that might indicate compromise is also a critical log source .
The key takeaway from this is there is no end to tuning , but the longtail of tuning gets more and more manageable over time as you focus on the most important alerts first .
editor ’ s question
?
lert fatigue is a
A real thing but is an indication of alerting sources being at the beginning of the alert tuning journey . Getting our alerts tuned is an endless battle for most security teams . Without a clear prioritisation and direction for tuning alerts , security operations teams will continue to be in an alertingparalysis phase until there ’ s a clear path out .
Many security teams focus first on getting all log sources consolidated into a SIEM . From there , they focus on generating events to alert a human when things need additional review to determine if the alert should be investigated further as a security incident . At scale , this journey takes a lot of effort and human power . In many cases , tools exist with out-of-the-box alerts that can be applied to certain log sources to kick-start the alert-tuning process . Even with these capabilities , security teams still need to rigorously evaluate these alerts to alert humans ONLY when necessary and this takes a while .
Security teams still need to rigorously evaluate these alerts to alert humans ONLY when necessary .
A strategy to help here is to start with the most important log sources and
Endpoint compromise can also have impact – having capable monitoring and alerting on endpoint activities that might indicate compromise is also a critical log source .
alerts first . For example , an account compromise for an administrator user on your identity provider or cloud service provider could have dire , nigh company-
MATT HILLARY , VP SECURITY & CISO , DRATA ending consequences . Focus on getting those logs and alerts ingested , tuned and sent to your security team first . Endpoint compromise can also have impact – having capable monitoring and alerting on endpoint activities that might indicate compromise is also a critical log source .
The key takeaway from this is there is no end to tuning , but the long-tail of tuning gets more and more manageable over time as you focus on the most important alerts first .
The key takeaway from this is there is no end to tuning , but the longtail of tuning gets more and more manageable over time as you focus on the most important alerts first .
28 www . intelligentciso . com