One of Ben Johnson’s recent video blogs was about the perils of dashboarding.
Now, I admit, I am a visual person and not a list/numbers/bullets or red/yellow/green guy. I want my scatter plots! I want my heartbeats! But I know what Ben is talking about.
Dashboards can lull you to sleep. They can make you think everything is OK, at least maybe for today. But guess what? It’s never really entirely OK. Not for SOC folks in the trenches, at least.
Right now the SOC folks have 10 big, actionable items in their queue, and probably eight of them are going to turn out to be false positives. Every single day they have battles to fight, even if that battle is just a false alarm. And that’s a good thing, because taking the high-priority items that last artful mile is often the difference between being secure and getting breached.
Hiding 100 or 1,000 false positives is generally OK, if that’s for just one day and you’ve got just one FTE. But the techniques that would hide those last eight out of 10 are the same ones that will mask the two true positives. We cannot afford to let those two get past us. We don’t want to make the SOC team’s jobs go away; we want to give them the tools to do things right.
Focus on using products that help you:
- Focus on the right areas so you can triage and prioritize efficiently
- Aggregate and summarize information
- Display information in a way that is useful to you
- Use UI tools and programming interfaces that let you customize the display to your way of thinking and acting
Do not focus on using products that:
- Try to obviate or avoid the necessity for triage
- Throw away context, or make it hard for you to drill down to context
- Claim they can solve all your security problems with a dashboard