Dark Reading is part of the Informa Tech Division of Informa PLC



10/21/2019
10:00 AM
Kelly Sheridan

Surviving Security Alert Fatigue: 7 Tools and Techniques

Experts discuss why security teams are increasingly overwhelmed with alerts and share tactics for lightening the load.

Define Your Use Case

The most important thing companies can do is spend time understanding the problem, Digital Shadows' Gold says. If you're using an intrusion detection system (IDS), for example, and seeing a ton of alerts, you need to investigate what in your environment could be causing so many false positives. What does a true positive look like compared with a false positive? What is a real threat?

To lessen the flow of alerts, security teams should have use cases for detections, he continues. What are your greatest worries? If you fear credit card data exiting the environment, you can use the IDS to put rules in place for the specific thing you fear.

Detection use cases should represent what your business is concerned about, says Gold. High-fidelity use cases very tightly define your priorities. "You don't want to say, 'I'm concerned about any data leaving the organization,'" he explains. "You want to say, 'I'm concerned about data that looks like this.'"
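To make the contrast between a broad worry ("any data leaving") and a tightly defined use case ("data that looks like this") concrete, here is an added example that is not from the article or from any of the vendors quoted in it. It runs two rules over a handful of constructed outbound-traffic events: a low-fidelity rule that alerts on every outbound payload, and a high-fidelity rule that alerts only when the payload carries a digit string with a plausible card-issuer prefix that also passes the Luhn check, headed for a destination not on an allow-list. The events, the allow-list, and the simplified issuer-prefix table are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One network event: direction, destination host, and a payload excerpt."""
    direction: str  # "inbound" or "outbound"
    dst: str
    payload: str


# Constructed sample events for the example; not real traffic.
SAMPLE_EVENTS = [
    Event("inbound", "10.0.0.12", "GET /index.html"),
    Event("outbound", "payments.example-processor.net", "card=4111111111111111"),
    Event("outbound", "files.unknown-host.example", "order_id=4111111111111112 status=shipped"),
    Event("outbound", "files.unknown-host.example", "export: 4111 1111 1111 1111, 5500000000000004"),
    Event("outbound", "mail.unknown.example", "tel=555-0100 qty=12"),
]

# Hypothetical allow-list: destinations that are expected to receive card data.
APPROVED_CARD_DESTINATIONS = {"payments.example-processor.net"}

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_issuer_prefix(digits: str) -> bool:
    """Simplified issuer-prefix/length table (assumption for the example, not a complete BIN list)."""
    if digits.startswith("4"):  # Visa
        return len(digits) in (13, 16, 19)
    if digits[:2] in {"34", "37"}:  # American Express
        return len(digits) == 15
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:  # Mastercard
        return len(digits) == 16
    return False


def extract_pans(payload: str) -> list[str]:
    """Return candidate card numbers that pass both the prefix and Luhn checks."""
    found = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if plausible_issuer_prefix(digits) and luhn_valid(digits):
            found.append(digits)
    return found


def low_fidelity_rule(events: list[Event]) -> list[Event]:
    """'Any data leaving the organization': alert on every outbound payload."""
    return [e for e in events if e.direction == "outbound" and e.payload]


def high_fidelity_rule(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """'Data that looks like this': card numbers leaving for a non-approved destination."""
    hits = []
    for e in events:
        if e.direction != "outbound" or e.dst in APPROVED_CARD_DESTINATIONS:
            continue
        pans = extract_pans(e.payload)
        if pans:
            hits.append((e, pans))
    return hits


def summarize(events: list[Event]) -> dict[str, int]:
    """Alert counts for both rules over the same events."""
    return {
        "low_fidelity_alerts": len(low_fidelity_rule(events)),
        "high_fidelity_alerts": len(high_fidelity_rule(events)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for event, pans in high_fidelity_rule(SAMPLE_EVENTS):
        print(f"ALERT {event.dst}: {len(pans)} card number(s) in outbound payload")
```

On these five events the broad rule fires four times and the scoped rule once. The event with a Luhn-failing number (a 16-digit order ID that happens to start with 4) and the one going to the approved payment processor are exactly the kind of alerts the text says a tightly defined use case should never raise; the regex, prefix table and allow-list are the parts a real deployment would tune against its own environment.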

Adds LastLine's Henderson: "You need to take a step back and spend some time thinking about exactly what it is you're trying to protect. Are you just checking a box? Are you checking a list against some regulation, or rule, or vertical body that says we have to?" If so, you're not checking the right thing, he says. Step back and consider all of your data – do you know where it is?

Before you can trust an alert, you have to know your data, says ReliaQuest CEO Brian Murphy. Security teams should "leverage automation only after they can trust the data they're automating," he explains, emphasizing the importance of analyzing accurate information.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
2 of 8