There is a common tug-of-war between SOC staff, detection engineers and CSIRT/DFIR professionals when determining how important or severe an alert or detection is. Detection engineers are continually pushed to find new and creative ways of catching threat actors, whereas SOC and CSIRT staff are on the receiving end of triaging alerts and actioning them. Increasing your number of detections may seem sensible from a metrics perspective, however, it directly increases alert fatigue on SOC staff. How do we strike a balance between ensuring we have creative detections and not flooding our SOC and CSIRT staff with alerts that provide little value to preventing a threat actor from freely moving around an organization's network?
This talk will look at a new way of prioritizing and classifying alerts from the perspective of defending an organization and speeding up the response to threat actors. If we take a different approach to assessing how useful detections are, we can help a SOC to prevent a threat actor from achieving their Actions on Objectives. With this new approach, we can also provide better guidance to detection engineers on alerts that are more likely to catch threat actors and not catch the admin team running an update script.
