Thursday, July 3, 2014

Throw Out The Default Rule Set

Earlier this week, I published a piece in SecurityWeek entitled “Throw Out The Default Rule Set” (  The piece discusses the benefits of discarding the default rule set that is included with many alerting and SIEM technologies and taking a different approach entirely.  The approach described in the piece suggests identifying risks and threats to the business, and using those to build a set of use cases unique to the specific organization.  Those use cases can be used to build a rule set that is more adequately suited to the specific organization running it.  Ultimately, if done correctly, this approach can result in far fewer false positives, far less noise, and a much higher signal-to-noise ratio.  If this concept intrigues you, I’d urge you to have a look.

No comments:

Post a Comment