This article is similar to my previous post, but the author asks a few relevant questions.
From the article:
Some questions to consider when evaluating tools used in incident response include:
- Do you have a way, when an event fires, to get more context in order to determine whether or not that event is real and deserves further investigation?
- How expensive is it to obtain that context? Do you have to go out and look at the potentially infected computer, or do you have telemetry flowing back from that computer into a system that is accessible to the SOC that they can investigate?
- If you have telemetry, what kind? Is it system-level telemetry that can be manipulated post breach, or is it network-level telemetry that is hard to manipulate?
- How close to the source are you collecting telemetry – are you capturing everything that infected host is doing or just its communications out to the Internet?
The link below has more information:
http://www.lancope.com/blog/when-an-alarm-isnt
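As an added example (mine, not code from the Lancope article or this blog), here is a small Python triage helper that answers the first two questions above for one alert: given a host alert, it pulls the network flows recorded by an off-host sensor around the alert time and summarizes what that host sent to the Internet, so the analyst gets context without walking over to the machine. The flow records, the 10.0.0.0/8 internal range and the byte threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: flow records as a SOC might receive them
# from a network sensor. Fields: (timestamp, src, dst, dst_port, bytes_out).
FLOWS = [
    ("2024-05-01T10:00:05", "10.0.0.5", "10.0.0.20", 445, 1200),
    ("2024-05-01T10:01:10", "10.0.0.5", "203.0.113.7", 443, 850000),
    ("2024-05-01T10:01:40", "10.0.0.5", "203.0.113.7", 443, 640000),
    ("2024-05-01T10:02:00", "10.0.0.9", "198.51.100.3", 80, 3000),
    ("2024-05-01T11:30:00", "10.0.0.5", "203.0.113.7", 443, 500),
]

# Assumed internal address space; a real SOC would load its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class AlertContext:
    host: str
    flows_in_window: int = 0
    external_bytes_out: int = 0
    external_peers: set = field(default_factory=set)


def flow_context(alert_host, alert_time, flows=FLOWS, window=timedelta(minutes=5)):
    """Enrich a host alert with network flows seen within +/- window of it.
    The sensor sits off the host, so a compromised endpoint cannot rewrite
    these records the way it could tamper with its own local logs."""
    t0 = datetime.fromisoformat(alert_time)
    ctx = AlertContext(alert_host)
    for ts, src, dst, _port, nbytes in flows:
        if src != alert_host or abs(datetime.fromisoformat(ts) - t0) > window:
            continue
        ctx.flows_in_window += 1
        if not is_internal(dst):
            ctx.external_bytes_out += nbytes
            ctx.external_peers.add(dst)
    return ctx


def worth_investigating(ctx, byte_threshold=1_000_000):
    """Triage rule: escalate if the host pushed at least byte_threshold bytes
    to external peers around the alert. Threshold is a constructed placeholder."""
    return ctx.external_bytes_out >= byte_threshold
```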