Reviewing examples of poorly created detections and their consequences
Detections are created to help fill a security gap, enforce a security policy, or align with a compliance standard, among other reasons. I'd like to say that every detection is thought through carefully, modeled, and then built with optimization in mind, but that really isn't the case. The reality is that many alerts are created reactively, that is, in response to a particular type of incident or to a control that failed an audit. You put in the simplest form of detection that covers the case and move on from there. Much of the time, you forget about it unless it turns out to be overly noisy with false positives. Such detections can produce some true positives, but they usually cause more work than necessary to weed through the alerts, until you reach the point where you have to implement automation or tune the alerts.
The first detection that comes to my mind when I think of poorly created ones was done out of necessity and could...