To Minimize Noise, You Need To Select The Right Tools
- No matter how good the security is and how great the team is that manages it, people can never react to malicious activity as quickly as technology can.
- One important criterion for any automated solution is whether the security team has the skills and time to tune it. If they can’t tune it, they won’t see the value.
“You need to correlate information so you can reduce the white noise.”
When he worked as a security operations center (SOC) manager for a major retailer some years ago, Brian Bobo would see one billion events per day. “Those were raw events,” he says, “so 99.9 percent of them were nothing.” That may seem like a lot of events, but the managed security services provider he now uses to filter level 1 and level 2 events sees 245 billion events per day across all its customers. If 99.9 percent of those are insignificant, that means 0.1 percent, or 245 million events per day, could be substantial. Bobo uses this example to illustrate the essential role automation plays in today’s security practice. There are not enough people on Earth to rationally choose the 0.1 percent of events that require a closer look, let alone analyze them.