You bought a static rule-based correlation and you want to get the most out of it, or are you planning on getting and deploying one? There are some simple steps you can take to maximize its efficiency.

Ask Yourself If You Can Really Afford In-house Real-Time Incident Management
The main use case for correlation is real-time incident management, so you need a 24x7x365 team of forensics experts to validate and follow-up on alerts - in real time.

No need to have real-time correlation if you only have a 9-5 operation...

If an alarm goes on at 3.a.m., do you have the skilled staff to act on it? If the answer is no, can you afford such a team? If you can't afford a 24x7 staff of experts, ask yourself if correlation is really the most appropriate effort for you.

In other words, is this the best way for you to go about buying security? Are there better ways to spend your budget to improve your security posture? Did you go through a Risk Management process to define your priorities?

If 24x7x365 coverage is indeed a priority, and you can't consider the cost of a full-time round the clock staff, consider a managed service offering - more and more companies are offering such a service - which could make sense in your situation.

Reduce the number of scenarios
Select a few simple scenarios that represent the nightmare to avoid and focus on these.

These scenarios will depend on your business, your industry, your processes, your internal culture... so they will vary from customer to customer, and will likely revolve around some security traumas that you went through in the past.

You got in big trouble and spent countless hours/days recovering from an attack where the bad guy did xxx; chances are you'll be tempted to use correlation to be alerted if this happens again.

Add to these a very select sample of the vendor's scenarios - not all of them as performance will likely crawl to a halt - and make sure you are comfortable managing these.

Put in place a process to periodically review the number of scenario, and throttle up or down depending on the bandwidth of your team in place.

Don't Go for Too Many Correlation Rules
Understand the tradeoff:

• The more fine grained the correlation rules, the closer you can get to reality, but the more expensive the operational cost of defining and constantly refining these rules
• The fewer coarse correlation rules, the lower the cost of managing this set of rules, but the more false positives (it rings when it shouldn't) and/or the false negatives (it doesn't catch the attack)

The temptation is to have lots and lots of rules, and this is fueled in part by those who play the numbers game. After all, it's already the case with anti-virus solutions, right? The more rules, the better the solution? Not always...

Keep in mind that even vendor-supplied rules are not bullet-proof. It's misleading to rely on 100s or even 1000s of "default out-of-the-box, plug and play, just switch it on and forget because it just works as-is and we know better than you what you need" rules; most of these will not apply to your environment and/or will need to be rethought and fine-tuned.

On the other hand, consider having fewer rules and being ready to validate more false positives by optimizing your false positive validation process.

More on this this next time.

• Why Rule-Based Log Correlation Is Almost a Good Idea...
• Why Rule-Based Log Correlation Is Almost a Good Idea... Part 4
• Conclusion: Why Rule-Based Log Correlation Is Almost a Good Idea...
• Maine Coon Cat Is Really The Most Wise Type
• Halloween Night Big Adventure Is Really The Most Charming Day