Dmitriy Sokolovskiy, Chief Information Security Officer, Avid Technology
“Similar to running tabletop exercises for incident response, run a table top brainstorming session about
the logs once a quarter or maybe twice a year.”
Detection is always a battle of false positives versus false negatives. If your detection mechanisms are too tight, you get too much noise. In my opinion, that’s more counterproductive than missing a real alert. Figuring out how tight you make your alerts is a challenge because most of today’s tools will generate an alert for almost everything except for rare zero days or maybe advanced adversaries.
Most of the time, you’re going to find what you’re looking for. The problem is finding it in the haystack of other things. You can use logs of all kinds for forensics and research. Similar to running tabletop exercises for incident response, run a tabletop brainstorming session about the logs once a quarter or
maybe twice a year.
Assemble people in a room or, because we’re not in a room these days, on a video conference. Begin by saying, “These are the things we’re collecting.” The goal is for people simply to ask, “Hey, what about this? What about that?” You’re trying to discover whether there’s something you know you can collect but you’re not because you simply didn’t think of it. Make sure that the coverage is as wide as it can be.
This is an excerpt from 7 Experts on Transforming Your Threat Detection & Response Strategy. This eBook was generously sponsored by Trustwave.