Fingerpointing False Positives: How to better integrate Continuous Improvement into Security Monitoring
2019-10-22, 10:50–11:10, Europe

This talk is about how you can make your Security Operations Center more efficient and give your bored analysts more purpose by making a small change to your security monitoring process, with a potentially huge change in your workflow and improved results.


The talk addresses the security monitoring resolution categories I created and documented in my taxonomy paper https://github.com/d3sre/Use_Case_Applicability. When working as an analyst in a Security Operations Center, some of your duties will most likely include security monitoring based on predefined use cases. Those use cases hopefully cover the relevant MITRE ATT&CK techniques and will most likely also map to regulatory controls such as NIST SP 800-53, but there will most definitely be more false positives than you would like. The resolution categories help refocus the analyst's attention on the "actual" cause of the alert. By tracking this cause in a separate taxonomy, reports and statistics can point to company-internal process problems or otherwise reflect the efficiency of the SOC. This is especially important when a SOC cannot directly control all the configurations of its log-submitting devices.
The talk will present the categories, the idea and goal behind this suggested solution, and show how the resulting reports can be interpreted afterwards.
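As an added illustration (not code from the talk or the linked paper) of how a separate resolution taxonomy feeds reporting: each closed alert records a resolution category alongside its use case and log source, and the report groups by both so that use cases with high false-positive rates and log sources whose alerts stem mostly from their own misconfiguration surface. The category names, use cases, device names and alerts below are hypothetical placeholders; the actual categories are defined in the paper.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical resolution categories (placeholders, not the paper's taxonomy).
# The key idea: the category names the CAUSE of the outcome, not just TP/FP.
RESOLUTIONS = {
    "TP_INCIDENT",        # confirmed malicious activity
    "BENIGN_AUTHORISED",  # rule fired correctly, activity was authorised
    "FP_LOG_SOURCE",      # caused by a misconfigured log-submitting device
    "FP_PROCESS",         # caused by an internal process (e.g. unannounced change)
    "FP_RULE_LOGIC",      # caused by the detection logic itself
}

@dataclass(frozen=True)
class ClosedAlert:
    use_case: str
    log_source: str
    resolution: str

def aggregate(alerts):
    """Count resolutions per use case and per log source."""
    per_case, per_source = defaultdict(Counter), defaultdict(Counter)
    for a in alerts:
        if a.resolution not in RESOLUTIONS:
            raise ValueError(f"unknown resolution category: {a.resolution}")
        per_case[a.use_case][a.resolution] += 1
        per_source[a.log_source][a.resolution] += 1
    return per_case, per_source

def fp_rate(per_case):
    """Share of alerts per use case that were false positives of any cause."""
    return {uc: round(sum(n for r, n in c.items() if r.startswith("FP_")) / sum(c.values()), 2)
            for uc, c in per_case.items()}

def sources_outside_soc_control(per_source, threshold=0.5):
    """Log sources whose alerts mostly stem from their own misconfiguration:
    a problem the SOC cannot fix itself and must hand to the device owner."""
    flagged = {}
    for src, counts in per_source.items():
        share = counts["FP_LOG_SOURCE"] / sum(counts.values())
        if share > threshold:
            flagged[src] = round(share, 2)
    return flagged

# Constructed sample closures for two hypothetical use cases.
SAMPLE = [
    ClosedAlert("T1110 brute force", "vpn-gw-01", "FP_LOG_SOURCE"),
    ClosedAlert("T1110 brute force", "vpn-gw-01", "FP_LOG_SOURCE"),
    ClosedAlert("T1110 brute force", "vpn-gw-01", "TP_INCIDENT"),
    ClosedAlert("T1110 brute force", "ad-dc-01", "FP_RULE_LOGIC"),
    ClosedAlert("T1078 valid accounts", "ad-dc-01", "FP_PROCESS"),
    ClosedAlert("T1078 valid accounts", "ad-dc-01", "BENIGN_AUTHORISED"),
    ClosedAlert("T1078 valid accounts", "ad-dc-01", "FP_RULE_LOGIC"),
]

if __name__ == "__main__":
    cases, sources = aggregate(SAMPLE)
    print("FP rate per use case:", fp_rate(cases))
    print("Sources to escalate to owners:", sources_outside_soc_control(sources))
```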