
The latest article in the series written by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. Stan’s three-part series covers the important incident response steps that many companies overlook. In this excerpt from the article, Stan describes the importance of understanding the baseline in your organization in order to better detect suspicious activity. To read the article in its entirety, head over to SecurityWeek.
In order to effectively detect anomalies, you need to know what “normal” looks like within your environment. While you might have gained a general sense of what constitutes ordinary network traffic during your preparation phase, you should still take the time to quantify it and ensure that this baseline is broadly understood across your security team for use in the response phase. Understanding your baseline makes it possible to tune your SIEM to generate fewer false positives over time and helps your analysts catch more dangerous incidents. When setting your baseline, consider:
- What are the standard types and volumes of traffic in your environment?
- What is getting blocked by your firewall, and what is getting through?
- What are the standard IP locations for traffic leaving your network? Is it normal for traffic to go to China, or to the Middle East?
- Who is connecting to your system, and what are their normal patterns for activity? If someone from the accounting department logs in at 2:00 in the morning, is that a regular occurrence or is it cause for alarm?
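As an added illustration (not code from the article or from D3), the following script builds a per-department baseline of usual login hours and outbound destination countries from a constructed sample of "normal" events, then scores new events against it, so the 2:00 AM accounting login and the unexpected destination country from the list above come out as flagged deviations while an engineer's late-night login does not. The data, department names and thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article): a window of "normal" logins,
# recorded as (department, hour_of_day, destination_country).
BASELINE_EVENTS = [
    ("accounting", 9, "US"), ("accounting", 10, "US"), ("accounting", 14, "US"),
    ("accounting", 17, "CA"), ("accounting", 8, "US"), ("accounting", 16, "US"),
    ("engineering", 22, "US"), ("engineering", 23, "DE"), ("engineering", 2, "US"),
    ("engineering", 11, "US"), ("engineering", 3, "DE"), ("engineering", 13, "US"),
]

def build_baseline(events, min_count=1):
    """Summarise 'normal' per department: which hours and destination
    countries were seen at least min_count times in the baseline window."""
    hours = defaultdict(Counter)
    countries = defaultdict(Counter)
    for dept, hour, country in events:
        hours[dept][hour] += 1
        countries[dept][country] += 1
    return {
        dept: {
            "hours": {h for h, n in hours[dept].items() if n >= min_count},
            "countries": {c for c, n in countries[dept].items() if n >= min_count},
        }
        for dept in hours
    }

def score_event(baseline, dept, hour, country, hour_slack=1):
    """Return the reasons an event deviates from its department's baseline;
    an empty list means the event looks normal."""
    reasons = []
    profile = baseline.get(dept)
    if profile is None:
        return ["unknown department"]
    # Hours within +/- hour_slack of a seen hour count as normal (wraps midnight).
    near = {(h + d) % 24 for h in profile["hours"] for d in range(-hour_slack, hour_slack + 1)}
    if hour not in near:
        reasons.append(f"login at {hour:02d}:00 outside usual hours")
    if country not in profile["countries"]:
        reasons.append(f"traffic to {country} not seen in baseline")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    # An accounting login at 02:00 reaching a new country: worth an analyst's attention.
    print(score_event(baseline, "accounting", 2, "CN"))
    # The same hour from engineering, who routinely work late, is unremarkable.
    print(score_event(baseline, "engineering", 2, "US"))
```

In practice the baseline would be rebuilt from weeks of SIEM data with a higher `min_count`, and the reasons list would feed an alert's context rather than stdout.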
This article originally appeared on SecurityWeek, where the full text is available.