Page 97 - Cyber Defense eMagazine August 2024
what, when, where, why, and how. Regularly practicing these challenges not only familiarizes the team
with the network but also helps keep them calm and confident in the face of a true incident.
Alert Effectiveness
There are many articles discussing analyst burnout or false positive churn, leading most of us to believe
it is inevitable. This certainty has fostered a culture of “burn and churn,” where we inadvertently devalue
our newest employees in the name of giving them a “foot in the door.” Regrettably, the expectation that
they will leave in a year or so also often leads security leaders to neglect investing in their employees.
This process becomes endemic, and the effectiveness of the SOC becomes stagnant and subject to
regression. The last line of defense, when an attacker gains access to YOUR network, is then staffed
with untrained, burnt-out tier-one analysts. No wonder so many have decided to outsource to managed
services. Unfortunately, that is not always a remedy, as most managed shops suffer from the same
challenges.
So, how do we get out of this deep rut? The answer lies in alerting effectiveness.
Common tuning methods require that we stomach a large load of false positives in order to never
accidentally get a false negative. The false positive load does more damage than good, causing our
analysts to become “snow blind” and miss the real events as they pass. We essentially move the problem
from the technology side to the human side. Since humans are not good at processing large amounts of
data, we are setting them and ourselves up for disappointment, failure, and quite possibly setting our
companies up for material impact from a cyber event.
Any good engine must be tuned, and that tuning requires checkups to ensure effective and efficient
operation; our operations software is no different. Tuning can and should be done to mold the alert system
to the environment. Train the alerts to know their environment, and the operations team will catch more.
The more closely we tune to our infrastructure, the better the results.
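As an added illustration, not taken from the article, here is a small Python sketch of what tuning a failed-login rule to the environment can look like: the untuned rule fires on every noisy source, while the tuned rule uses knowledge of the environment (the scanner host, service account and subnet values are hypothetical) to drop the false positives without losing the real attacks. Both rules are scored on constructed sample events.

```python
# Constructed sample events (not from the article): failed logins per source
# host in one window, with a ground-truth label used only for scoring.
EVENTS = [
    {"src": "10.0.5.20",   "user": "svc-backup", "failures": 40,  "truth": "benign"},  # expired service-account password
    {"src": "10.0.9.9",    "user": "scanner",    "failures": 120, "truth": "benign"},  # authorised vulnerability scanner
    {"src": "10.0.7.33",   "user": "jdoe",       "failures": 6,   "truth": "benign"},  # user mistyping after holiday
    {"src": "203.0.113.5", "user": "admin",      "failures": 55,  "truth": "attack"},  # external brute force
    {"src": "10.0.7.41",   "user": "ceo",        "failures": 25,  "truth": "attack"},  # spray from a compromised host
]

# Hypothetical environment knowledge gathered while tuning: which noise is understood and why.
ENV = {
    "scanner_hosts": {"10.0.9.9"},
    "service_accounts": {"svc-backup": "10.0.5.20"},  # account -> the only host it should run from
    "internal_prefixes": ("10.",),
}


def untuned_rule(ev):
    """Untuned: any source with more than 5 failures fires, whatever the context."""
    return ev["failures"] > 5


def tuned_rule(ev):
    """Tuned to the environment: suppress only noise we can explain, keep everything else."""
    if ev["src"] in ENV["scanner_hosts"]:
        return False  # known scanner traffic is tracked elsewhere, not as an intrusion alert
    expected_host = ENV["service_accounts"].get(ev["user"])
    if expected_host is not None and ev["src"] == expected_host:
        return False  # service account failing from its own host: an ops ticket, not an incident
    internal = ev["src"].startswith(ENV["internal_prefixes"])
    threshold = 20 if internal else 10  # internal users mistype; external sources should not be guessing at all
    return ev["failures"] > threshold


def evaluate(rule, events=EVENTS):
    """Score a rule: how many alerts it raises, and how many of them are real (precision) / caught (recall)."""
    fired = [ev for ev in events if rule(ev)]
    tp = sum(ev["truth"] == "attack" for ev in fired)
    attacks = sum(ev["truth"] == "attack" for ev in events)
    return {
        "alerts": len(fired),
        "precision": tp / len(fired) if fired else 0.0,
        "recall": tp / attacks if attacks else 0.0,
    }


if __name__ == "__main__":
    print("untuned:", evaluate(untuned_rule))  # 5 alerts, precision 0.4, recall 1.0
    print("tuned:  ", evaluate(tuned_rule))    # 2 alerts, precision 1.0, recall 1.0
```

The same service account failing from an unexpected host is still alerted on by the tuned rule, which is the point: suppress the noise you can explain, not the account.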
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.