Analysis Paralysis

Maybe you've heard this phrase, maybe you haven't, but it refers to a fairly common problem in security operations: how many alerts should you review each day? Which security events deserve a deep dive, and which are false positives?

The answers to those questions are not absolute. There is no formula for the ideal number of threat events to review daily, or for the right number of alert rules to configure in your security tooling. Yet getting them right is key to running the business securely. Configuring your security environment for YOUR needs, rather than living with the out-of-the-box settings, is a necessity: default policies are tuned for a generic environment, and the noise they generate hides the events that actually matter.

So, as one security engineer to another: how many hours a day do you want to spend looking at security logs? What tools do you have to do some of that parsing for you? If your business requires you to actively monitor for security risks, the question becomes how you track it all without being overwhelmed. Do you have an EDR / MDR / XDR solution that actually handles security events that occur when you aren't around?

This brings us to London Security and how we handle Analysis Paralysis.

1) We build out policies that give us actionable information. Whatever the technology, we build a policy framework that provides actionable intelligence rather than tons of false positives: known-good activity is suppressed, repeats of the same event are rolled up, and related events are surfaced together so an analyst sees one thing to act on instead of a pile of noise.

2) We acknowledge our limitations. If we don't have overnight coverage, we look at solutions such as Blackpoint Cyber to make sure we have coverage during those hours when we need it.

3) We constantly evaluate our security situation to verify that we have the best deployment and the best technologies, and we review what we can do to improve the security posture of the organization.
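To make point 1 concrete, here is an added example of what a tuning pass looks like in practice. This is illustrative Python written for this page, not London Security's tooling or any vendor's policy language. The alerts, rule names, hosts, users and score values are all constructed for the example; the technique (suppress known-good, roll up repeats, bump the score when one user trips several different rules) is the general one a tuning policy encodes.

```python
from collections import defaultdict

# Constructed sample alerts loosely modelled on EDR output (hosts, users and
# process names are made up for this example).
RAW_ALERTS = [
    {"id": 1, "rule": "mass_file_access", "host": "bkp01", "user": "svc_backup", "proc": "veeam.exe", "ts": 1000},
    {"id": 2, "rule": "mass_file_access", "host": "bkp01", "user": "svc_backup", "proc": "veeam.exe", "ts": 1060},
    {"id": 3, "rule": "mass_file_access", "host": "bkp01", "user": "svc_backup", "proc": "veeam.exe", "ts": 1120},
    {"id": 4, "rule": "admin_tool_exec", "host": "ws-finance-07", "user": "jdoe", "proc": "psexec.exe", "ts": 1200},
    {"id": 5, "rule": "admin_tool_exec", "host": "it-admin-01", "user": "admin.jsmith", "proc": "psexec.exe", "ts": 1210},
    {"id": 6, "rule": "failed_logon_burst", "host": "dc01", "user": "jdoe", "proc": "-", "ts": 1300},
    {"id": 7, "rule": "failed_logon_burst", "host": "dc01", "user": "jdoe", "proc": "-", "ts": 1330},
    {"id": 8, "rule": "mass_file_access", "host": "ws-finance-07", "user": "jdoe", "proc": "unknown.exe", "ts": 1400},
]

# Tuning policy (assumed values for the example).
# Suppressions are exact-match tuples: the more fields, the narrower the
# exception. Never suppress on rule name alone.
SUPPRESS = [
    # Known-good: the backup service account reading many files on the backup server.
    {"rule": "mass_file_access", "host": "bkp01", "user": "svc_backup", "proc": "veeam.exe"},
]
ADMIN_HOSTS = {"it-admin-01"}          # hosts where admin tooling is expected
BASE_SCORE = {"mass_file_access": 50, "admin_tool_exec": 40, "failed_logon_burst": 30}
DOWNGRADED_SCORE = 10                  # still visible, but never a page-out
CORRELATION_BONUS = 30                 # same user across >= 2 distinct rules
REVIEW_THRESHOLD = 50                  # anything at or above this needs an analyst


def is_suppressed(alert):
    """True if every field of some suppression entry matches the alert."""
    return any(all(alert.get(k) == v for k, v in entry.items()) for entry in SUPPRESS)


def score_alert(alert):
    """Assign a base score, downgrading expected admin activity instead of dropping it."""
    if alert["rule"] == "admin_tool_exec" and alert["host"] in ADMIN_HOSTS:
        return DOWNGRADED_SCORE
    return BASE_SCORE[alert["rule"]]


def triage(alerts):
    """Return (triaged items sorted by score desc, number of suppressed alerts)."""
    suppressed = 0
    groups = {}
    for a in alerts:
        if is_suppressed(a):
            suppressed += 1
            continue
        # Roll up repeats of the same rule on the same host/user into one item.
        key = (a["rule"], a["host"], a["user"])
        g = groups.setdefault(key, {
            "rule": a["rule"], "host": a["host"], "user": a["user"],
            "count": 0, "first": a["ts"], "last": a["ts"], "score": score_alert(a),
        })
        g["count"] += 1
        g["first"] = min(g["first"], a["ts"])
        g["last"] = max(g["last"], a["ts"])

    # Correlation: one user tripping several different rules is more interesting
    # than any single rule firing on its own.
    rules_per_user = defaultdict(set)
    for g in groups.values():
        rules_per_user[g["user"]].add(g["rule"])
    for g in groups.values():
        if len(rules_per_user[g["user"]]) >= 2:
            g["score"] += CORRELATION_BONUS

    return sorted(groups.values(), key=lambda g: -g["score"]), suppressed


def needs_review(items):
    """The subset an analyst should actually open, in priority order."""
    return [g for g in items if g["score"] >= REVIEW_THRESHOLD]


if __name__ == "__main__":
    items, dropped = triage(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(items)} triaged items ({dropped} suppressed)")
    for g in items:
        print(f"  {g['score']:3d}  {g['rule']:<20} {g['host']:<14} {g['user']:<13} x{g['count']}")
    print("needs review:", [(g['rule'], g['host']) for g in needs_review(items)])
```

On the constructed input the eight raw alerts collapse to four triaged items: the three backup-server alerts are suppressed by the narrow known-good rule, the two failed-logon alerts roll up into one item, psexec on the admin workstation is kept but downgraded, and jdoe's activity on ws-finance-07 rises to the top because the same user shows up in three different rules. The suppression entries are the part that needs the most care: match on as many fields as you can so a new process or a new host using the same account does not inherit the exception.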


