Security operations centers, or SOCs, are a core defensive component for organizations. Processing alerts quickly can indicate whether an organization is under attack. But the volume and quality of alerts vary greatly depending on how well the detection rules have been written. Some rules return too many low-quality alerts, which distract analysts from more important ones. Luca Allodi and Koen Teuwen of Eindhoven University of Technology co-authored a recent academic study that examines how to write lower-noise rules for intrusion detection systems (IDSs). The researchers developed six design principles for rule writing that balance specificity with coverage. The aim is to help analysts make better sense of what’s going on in their networks. The research also resulted in a command-line tool, suricata-check, which gives feedback on how a rule written for the Suricata open-source IDS can be improved.
Participants:
Luca Allodi, Associate Professor and head of the Threat Analysis group within the Security Cluster of the Eindhoven University of Technology
Koen Teuwen, PhD Candidate at Eindhoven University of Technology
Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471