Tuning your environment is the only way to ensure that you are not drowning in alerts or some other form of notification. To help you optimize your tuning I suggest the following. Note that these tips are not related to any one tool but can be used as general guidance.
1. Add enough intelligence to your tools during build out. Your cyber security tools may have the ability to ingest vulnerability data, define the networks which you own, identify and classify critical assets, etc. Take full advantage of these features where possible, as the amount of planning you do upfront can have a significant impact on how much tuning, massaging and time you will need to spend with your tool(s).
2. Never (unless absolutely needed) tune out an entire host.
Meaning, if host 10.0.0.1:5000 -> 10.0.0.2:22 generated an alert and you think it is a false positive, then tune out (where possible) the specific source host together with the destination host/port, not the source host on its own. This ensures that the legitimate communication does not create unnecessary alerts, while allowing anything else involving those hosts (a different destination port, a different destination host) to still generate alerts. It is important however to understand that even by narrowing the tuning to the specific source host and destination host/port, there is still a risk that malicious content can be passed over that tuned-out path. That risk has to be weighed against the number of alerts which may otherwise be generated. From my perspective, the tuning option is worth the risk.
3. Disable rules for services which are not used
If a specific service is not running in your environment, then there should be no need to expend resources looking for that type of traffic. Obviously, this will not always work for everyone, as someone may wish to identify when these services do come online. I believe there are better ways of looking for when unsupported services and/or devices are brought online. As a result, I believe the risk here when disabling rules for unused services is pretty low, so I have no problem with disabling these rules.
4. Time is important
If you are aware that certain activities are legitimate from a specific source to a specific destination during certain hours, then tune out those activities within those time windows and focus on monitoring the same activities outside of the time window. Examples of this would be specific remote jobs such as backups, file transfers, service accounts being used, etc. Monitoring these activities outside of business hours, or outside of their scheduled window, may help to shed more light on what else they may be used for other than their intended purposes.
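To make tips 2 and 4 concrete, here is a small tool-agnostic tuning filter as an added example (my own illustration, not code from this post or from any particular IDS). It evaluates alerts against tuning entries that can be narrowed by source, destination host, destination port and a time-of-day window. The alerts, the hosts 10.0.0.1/10.0.0.2/10.0.0.9, and the 01:00-04:00 backup window are all constructed for the example; the point it shows is that the narrow entry suppresses only the known backup traffic, while a whole-host entry for 10.0.0.1 silently swallows every other alert involving that host.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: datetime   # local time the alert fired
    sig: str       # signature / rule name


@dataclass(frozen=True)
class Tune:
    """One suppression entry. A field left as None matches anything,
    so the fewer Nones, the narrower (safer) the tune."""
    src: Optional[str] = None        # host or CIDR
    dst: Optional[str] = None        # host or CIDR
    dst_port: Optional[int] = None
    window: Optional[Tuple[time, time]] = None  # [start, end) local time
    note: str = ""


def _ip_matches(pattern: Optional[str], ip: str) -> bool:
    if pattern is None:
        return True
    return ip_address(ip) in ip_network(pattern, strict=False)


def _in_window(window: Optional[Tuple[time, time]], ts: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps past midnight


def tune_matches(tune: Tune, alert: Alert) -> bool:
    return (_ip_matches(tune.src, alert.src_ip)
            and _ip_matches(tune.dst, alert.dst_ip)
            and (tune.dst_port is None or tune.dst_port == alert.dst_port)
            and _in_window(tune.window, alert.ts))


def filter_alerts(alerts: List[Alert], tunes: List[Tune]):
    """Return (kept, suppressed); suppressed pairs each alert with the tune that hit."""
    kept, suppressed = [], []
    for a in alerts:
        hit = next((t for t in tunes if tune_matches(t, a)), None)
        if hit is None:
            kept.append(a)
        else:
            suppressed.append((a, hit))
    return kept, suppressed


# Constructed sample alerts (hypothetical hosts and times).
SAMPLE_ALERTS = [
    Alert("10.0.0.1", 5000, "10.0.0.2", 22, datetime(2024, 1, 1, 2, 0), "SSH session"),   # nightly backup
    Alert("10.0.0.1", 5001, "10.0.0.2", 22, datetime(2024, 1, 1, 14, 0), "SSH session"),  # same path, business hours
    Alert("10.0.0.1", 5002, "10.0.0.2", 445, datetime(2024, 1, 1, 2, 0), "SMB session"),  # same hosts, other port
    Alert("10.0.0.1", 5003, "10.0.0.9", 22, datetime(2024, 1, 1, 2, 0), "SSH session"),   # other destination
]

# Tip 2 + tip 4: source host, destination host/port AND the backup window.
NARROW_TUNES = [
    Tune(src="10.0.0.1", dst="10.0.0.2", dst_port=22,
         window=(time(1, 0), time(4, 0)), note="nightly backup job"),
]

# What tip 2 warns against: tuning out the entire source host.
BROAD_TUNES = [Tune(src="10.0.0.1", note="whole host")]


def suppression_counts(alerts: List[Alert], tunes: List[Tune]) -> Tuple[int, int]:
    kept, suppressed = filter_alerts(alerts, tunes)
    return len(kept), len(suppressed)


if __name__ == "__main__":
    for label, tunes in (("narrow", NARROW_TUNES), ("broad", BROAD_TUNES)):
        kept, suppressed = filter_alerts(SAMPLE_ALERTS, tunes)
        print(f"{label}: kept {len(kept)}, suppressed {len(suppressed)}")
        for a, t in suppressed:
            print(f"  suppressed {a.src_ip}->{a.dst_ip}:{a.dst_port} at {a.ts:%H:%M} ({t.note})")
```

With the narrow entry only the 02:00 SSH session to 10.0.0.2:22 is suppressed; the 14:00 session on the same path, the SMB traffic to the same host and the SSH session to 10.0.0.9 all still alert. The broad entry suppresses all four, which is exactly the visibility tip 2 says not to give up.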
5. Monitor what is important
Last but surely not least is monitoring what is important. Yeah, we would all like to monitor everything. However, the question I like to ask is: will you action everything? Most times the answer to that question will not be "no" but rather "I can't". The fact that your tool(s) generate a "ton" of alerts only suggests that your tool is working; it does not say it is efficient. Make it efficient by only monitoring what is considered important.
Hope you enjoyed these 5 tips. Feel free to submit your comments with any suggestions you have that you think may be just as, less than or even more important.