Tuning your environment is the only way to ensure that you are not drowning in alerts or some other form of notification. To help you optimize your tuning I suggest the following. Note that these tips are not tied to any one tool but can be used as general guidance.
1. Add enough intelligence to your tools during build out.
Your cyber security tools may have the ability to ingest vulnerability data, define the networks you own, identify and classify critical assets, etc. Take full advantage of these features where possible, as the amount of planning you do up front can have a significant impact on how much tuning, massaging and time you will need to spend with your tool(s).
2. Never (unless absolutely needed) tune out an entire host.
Meaning, if host 10.0.0.1:5000 -> 10.0.0.2:22 generated an alert and you think it is a false positive, then tune out (where possible) only that source host and destination host/port pair. This ensures that the legitimate communication does not create unnecessary alerts, while allowing anything else to generate alerts for those hosts. It is important to understand, however, that even by narrowing the tuning to the specific source host and destination host/port, there is still a risk that malicious content can be passed over that suppressed path. That risk has to be weighed against the number of alerts which may otherwise be generated. From my perspective, the narrow tuning option is worth the risk.
3. Disable rules for services which are not used.
If a specific service is not running in your environment, then there should be no need to expend resources looking for that type of traffic. Obviously, this will not always work for everyone, as someone may wish to identify when these services do come online. I believe there are better ways of looking for when unsupported services or devices are brought online. As a result, I believe the risk of disabling rules for unused services is pretty low, so I have no problem with disabling these rules.
4. Time is important.
If you are aware that certain activities are legitimate from a specific source and destination during certain hours, then tune out those activities within that time window and focus on monitoring the same activities outside of it. Examples of this would be specific remote jobs such as backups, file transfers, service accounts being used, etc. Monitoring these activities outside of their expected hours may help to shed more light on what else they may be used for other than their intended purposes.
5. Monitor what is important.
Last but surely not least is monitoring what is important. Yeah, we would all like to monitor everything. However, the question I like to ask is: will you action everything? Most times the answer to that question will not be “no” but rather “I can’t”. The fact that your tool(s) generate a “ton” of alerts only suggests that your tool is working; it does not say it is efficient. Make it efficient by only monitoring what is considered important.
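Tips 2 and 4 above can be expressed as narrow suppression rules rather than whole-host exclusions. The following is an added example, not code from the original post or any particular tool: it assumes a simple alert record (source, destination, destination port, timestamp) and applies constructed suppressions scoped to a host pair, a port and an optional time window, so that anything outside that scope still alerts.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    when: datetime


@dataclass(frozen=True)
class Suppression:
    """Tune out one source -> destination:port path, optionally only within a daily window."""
    src: str
    dst: str
    dport: Optional[int] = None        # None = any port (the broad option tip 2 warns against)
    start: Optional[time] = None       # window start (tip 4); None = all day
    end: Optional[time] = None

    def matches(self, a: Alert) -> bool:
        if a.src != self.src or a.dst != self.dst:
            return False
        if self.dport is not None and a.dport != self.dport:
            return False
        if self.start is not None and self.end is not None:
            t = a.when.time()
            if self.start <= self.end:
                return self.start <= t <= self.end
            return t >= self.start or t <= self.end   # window crosses midnight
        return True


def filter_alerts(alerts: List[Alert], rules: List[Suppression]) -> Tuple[List[Alert], List[Alert]]:
    """Return (kept, suppressed); an alert is suppressed if any rule matches it."""
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if any(r.matches(a) for r in rules) else kept).append(a)
    return kept, suppressed


# Constructed sample data (hypothetical hosts and times, not from the post).
RULES = [
    Suppression("10.0.0.1", "10.0.0.2", 22),                                  # tip 2: one path only
    Suppression("10.0.0.5", "10.0.0.9", 445, time(1, 0), time(3, 0)),         # tip 4: nightly backup job
]
SAMPLE = [
    Alert("10.0.0.1", "10.0.0.2", 22, datetime(2024, 1, 1, 10, 0)),   # known-good path -> suppressed
    Alert("10.0.0.1", "10.0.0.2", 445, datetime(2024, 1, 1, 10, 0)),  # same hosts, new port -> kept
    Alert("10.0.0.1", "10.0.0.3", 22, datetime(2024, 1, 1, 10, 0)),   # new destination -> kept
    Alert("10.0.0.5", "10.0.0.9", 445, datetime(2024, 1, 1, 2, 0)),   # inside backup window -> suppressed
    Alert("10.0.0.5", "10.0.0.9", 445, datetime(2024, 1, 1, 14, 0)),  # same job, wrong hour -> kept
]


def tune_sample() -> Tuple[List[Alert], List[Alert]]:
    return filter_alerts(SAMPLE, RULES)
```

Running `tune_sample()` keeps three of the five alerts: the two that match a known-good path at the expected time are dropped, while the same hosts on a different port, a different destination, and the backup traffic outside its window all still surface.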
Hope you enjoyed these 5 tips. Feel free to submit your comments with any suggestions you think may be just as, less, or even more important.