
I'm a SOC analyst and I've been tasked with reporting on the alerts our SOC team is receiving.

Our infosec team has an app called Varonis which has all these monitoring rules in place.

I'm doing a 90-day audit of the alerts that come from this app. We've gotten ~2000 alerts in 90 days and not a single one seems to have been a real attack, unless we just suck and are currently pwned.

One specific monitoring rule is "system administrator tool accessed".

These tools have been Wireshark, PsExec, PuTTY, and WinSCP, all normal tools our admins use, and each alert came from an admin account during incidents and maintenance windows. We also get alerts on AD accounts being disabled. This has all been offboarding employees. Nothing malicious.

So in our context, these weren't true positives. But they can still be a potential IOC if someone hacked our company and ran any of these apps.

So what do you do in that situation? Do you let the SOC team suffer alarm fatigue? Do you whitelist the apps and accept the risk of an attacker using them and not getting detected? Do you whitelist the admin accounts and accept the risk of not detecting these admin accounts in the event they get compromised? Do you suppress the alarm entirely and accept the risk that you may miss a true positive, since all 2000 of the existing alarms in the last 90 days haven't led to anything?

submitted by /u/whatamidoinghere009
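The post lays out three blunt options (whitelist the tools, whitelist the admin accounts, or suppress the rule) and the risk each one accepts. A fourth option that keeps the detection value is contextual suppression: the alert is only downgraded to log-only when every expected condition holds at once (known admin account, from an admin host, a tool on the approved list, inside an approved change window), and the same idea applies to account-disable events by checking the target against the HR offboarding queue. The script below is an added example written for this page, not code from the original post and not a Varonis feature; the account names, hosts, change tickets and sample alerts are all constructed, and the two rule names are taken from the post as plain strings.

```python
"""Contextual tuning for "system administrator tool accessed" and
"AD account disabled" alerts: suppress (log only) when every context
check passes, escalate otherwise, and summarise an audit period."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed tuning policy: every name here is an assumption for the
# example, not a Varonis setting and not taken from the original post.
ADMIN_ACCOUNTS = {"jdoe_adm", "asmith_adm"}
ADMIN_HOSTS = {"ADMIN-WS01", "ADMIN-WS02"}
EXPECTED_TOOLS = {"wireshark.exe", "psexec.exe", "putty.exe", "winscp.exe"}
OFFBOARDING_QUEUE = {"bjones", "cwhite"}  # accounts HR has scheduled for disabling


@dataclass
class Window:
    ticket: str
    start: datetime
    end: datetime


@dataclass
class Alert:
    ts: datetime
    rule: str
    actor: str   # account that performed the action
    host: str    # host the action came from
    detail: str  # tool binary, or the target account for "AD account disabled"


def in_window(ts, windows):
    """True if ts falls inside an approved change/maintenance window."""
    return any(w.start <= ts <= w.end for w in windows)


def triage(alert, windows):
    """Decide 'suppress' (log only) or 'escalate' (page the analyst).

    Suppression requires *every* context check to pass, so whitelisting a
    tool or an account on its own never silences the rule: a known admin
    account on an unmanaged host, or outside a window, still escalates."""
    if alert.rule == "system administrator tool accessed":
        checks = {
            "admin account": alert.actor in ADMIN_ACCOUNTS,
            "admin host": alert.host in ADMIN_HOSTS,
            "expected tool": alert.detail.lower() in EXPECTED_TOOLS,
            "change window": in_window(alert.ts, windows),
        }
    elif alert.rule == "AD account disabled":
        checks = {
            "admin account": alert.actor in ADMIN_ACCOUNTS,
            "offboarding queue": alert.detail.lower() in OFFBOARDING_QUEUE,
        }
    else:
        return "escalate", "no tuning policy for rule"
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return "escalate", "failed: " + ", ".join(failed)
    return "suppress", "all context checks passed"


def audit(alerts, windows):
    """Summarise an audit period: counts per disposition plus escalated rows."""
    counts = Counter()
    escalated = []
    for a in alerts:
        disposition, reason = triage(a, windows)
        counts[disposition] += 1
        if disposition == "escalate":
            escalated.append((a.ts.isoformat(), a.rule, a.actor, a.host, a.detail, reason))
    return dict(counts), escalated


# Constructed sample data (not real alerts or change tickets).
WINDOWS = [
    Window("CHG-0001", datetime(2024, 3, 4, 9), datetime(2024, 3, 4, 12)),
    Window("CHG-0002", datetime(2024, 3, 6, 10), datetime(2024, 3, 6, 12)),
]
ALERTS = [
    Alert(datetime(2024, 3, 4, 10, 0), "system administrator tool accessed", "jdoe_adm", "ADMIN-WS01", "PsExec.exe"),
    Alert(datetime(2024, 3, 5, 2, 13), "system administrator tool accessed", "jdoe_adm", "FIN-LAPTOP07", "PsExec.exe"),
    Alert(datetime(2024, 3, 6, 11, 0), "system administrator tool accessed", "svc_backup", "ADMIN-WS02", "Wireshark.exe"),
    Alert(datetime(2024, 3, 7, 9, 30), "AD account disabled", "asmith_adm", "ADMIN-WS02", "bjones"),
    Alert(datetime(2024, 3, 7, 9, 31), "AD account disabled", "asmith_adm", "ADMIN-WS02", "jdoe_adm"),
]

if __name__ == "__main__":
    counts, rows = audit(ALERTS, WINDOWS)
    print(counts)
    for row in rows:
        print(*row, sep=" | ")
```

Suppressed alerts stay in the log for the 90-day review; only the escalated ones page an analyst. The second sample alert shows why the checks are combined with AND rather than OR: the same admin account and the same tool that were benign during a change window become an escalation when they appear at 02:13 from a finance laptop, which is the compromised-admin case the post is worried about losing.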

