SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

There is a common tug-of-war between SOC staff, detection engineers and CSIRT/DFIR professionals when determining how important or severe an alert or detection is. Detection engineers are continually pushed to find new and creative ways of catching threat actors, whereas SOC and CSIRT staff are on the receiving end of triaging alerts and actioning them. Increasing your number of detections may seem sensible from a metrics perspective; however, it directly increases alert fatigue on SOC staff. How do we strike a balance between ensuring we have creative detections and not flooding our SOC and CSIRT staff with alerts that provide little value in preventing a threat actor from freely moving around an organization's network?
This talk will look at a new way of prioritizing and classifying alerts from the perspective of defending an organization and speeding up the response to threat actors. If we take a different approach to assessing how useful detections are, we can help a SOC to prevent a threat actor from achieving their Actions on Objectives. With this new approach, we can also provide better guidance to detection engineers on alerts that are more likely to catch threat actors and not catch the admin team running an update script.
Josh leads global MDR at Uptycs, defending major international brands, while also serving as an independent DFIR expert advising legal, government, and commercial clients in Australia.