Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
7 Tips To Improve 'Signal-to-Noise' In The SOC
Newest First  |  Oldest First  |  Threaded View
jg@npulsetech.com
[email protected],
User Rank: Apprentice
4/23/2014 | 9:58:54 AM
Re: Lowering the noise level -- gut feelings
Another excellent question Marilyn, thank you.  Gut feelings, or put another way, intuition, can certainly catalyze and inspire investigation and analysis.  Not every feeling or intuition is going to lead in a productive direction of course, and only experience can really help determine what may be a promising intuition vs. what may not be a good use of resources.  For example, it is reasonable to say "I don't think we have any legitimate business traffic to any .ce.ms domains."  Following this hypothesis, the organization should seek the ground truth that is contained in the data.  In my experience, what creates a dangerous feeling or intuition is when decisions are based solely on that feeling or intuition.  If decisions are made based upon investigation and analysis of the data catalyzed by those initial feelings or intuitions, then that can be a good thing in my opinion.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/23/2014 | 9:45:40 AM
Re: Lowering the noise level -- gut feelings
Phrases like "this feels like it's less actionable" or "I think this is always a false positive" can be dangerous.

How do you quantify those "gut feelings." And is there no place for them in the SOC?
jg@npulsetech.com
[email protected],
User Rank: Apprentice
4/22/2014 | 2:07:52 PM
Re: Lowering the noise level
Excellent question, Marilyn, and thank you.  In my experience, organizations too often take an "all or nothing" approach to managing the noise level.  For example, an organization may say "we get too many alerts from source X, so we are just going to ignore or turn off all alerts from source X."  I think a better approach would be "let's think about what business, operational, and security needs we can address through alerts from source X and tune source X delicately to address those needs."  Additionally, organizations will sometimes emote or intuit noise reduction.  Phrases like "this feels like it's less actionable" or "I think this is always a false positive" can be dangerous.  The best source for educated decisions is the data.  The data do not lie and form the basis for good security decision making (and the tips provided in the article of course).
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/22/2014 | 12:43:17 PM
Lowering the noise level
Thanks for sharing you wisdom with the Dark Reading community Joshua. In your experience, what do you think are the biggest mistakes SOCs make in loweirng the noise level?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-22497
PUBLISHED: 2022-05-24
IBM Aspera Faspex 4.4.1 and 5.0.0 could allow unauthorized access due to an incorrectly computed security token. IBM X-Force ID: 226951.
CVE-2022-29334
PUBLISHED: 2022-05-24
An issue in H v1.0 allows attackers to bypass authentication via a session replay attack.
CVE-2022-29337
PUBLISHED: 2022-05-24
C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request.
CVE-2022-29333
PUBLISHED: 2022-05-24
A vulnerability in CyberLink Power Director v14 allows attackers to escalate privileges via a crafted .exe file.
CVE-2021-3597
PUBLISHED: 2022-05-24
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1,...