Over the past year or so, I’ve made the mistake of subscribing to too many email updates (newsletters, announcements, etc.).
The result? I get too many things in my inbox, and have trouble focusing on the messages that contain value or require action. In essence, I am obscuring the important things by overwhelming them with the mundane.
The same problem happens in security – we add more and more products to our world, spewing ever more events, alerts, and other kinds of data at us. The same results happen – we obscure the important things by overwhelming them with the mundane.
I believe one of the problems is that we focus too much on the “in our face” security events in front of us, without paying enough attention to the results of those activities. That’s why I am a big believer in evaluating events together with state changes in the infrastructure, as a powerful way to filter the list down to what’s most important. By doing this, you can narrow your focus to concentrate first on the suspicious events that lead to suspicious results.
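As an added illustration (not code from the original post), here is one way that filter can be expressed in Python: an alert is kept only if an infrastructure state change follows it on the same host within a short window, and the surviving alerts carry the changes they led to. All alert and state-change records below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, as a SIEM might emit them (not real data).
ALERTS = [
    {"ts": "2024-03-01T10:00:00", "host": "web01", "rule": "suspicious_powershell"},
    {"ts": "2024-03-01T10:05:00", "host": "db01",  "rule": "failed_logins_burst"},
    {"ts": "2024-03-01T11:00:00", "host": "web02", "rule": "suspicious_powershell"},
]

# Constructed infrastructure state changes, as config/inventory monitoring
# might report them: what actually changed on a host.
STATE_CHANGES = [
    {"ts": "2024-03-01T10:03:00", "host": "web01", "change": "new_listening_port:4444"},
    {"ts": "2024-03-01T10:04:00", "host": "web03", "change": "new_local_admin:svc_tmp"},
    {"ts": "2024-03-01T13:00:00", "host": "web02", "change": "scheduled_task_added"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def alerts_with_consequences(alerts, changes, window_minutes: int = 15):
    """Return only the alerts that were followed, on the same host and within
    window_minutes, by a state change. Each hit carries the matching changes
    so the analyst sees the event together with its result."""
    window = timedelta(minutes=window_minutes)
    # Index state changes per host so each alert scans only its own host.
    by_host = {}
    for c in changes:
        by_host.setdefault(c["host"], []).append(c)

    hits = []
    for a in alerts:
        t0 = _parse(a["ts"])
        followed_by = [
            c for c in by_host.get(a["host"], [])
            if t0 <= _parse(c["ts"]) <= t0 + window
        ]
        if followed_by:
            hits.append({**a, "changes": [c["change"] for c in followed_by]})
    # Most consequential first: alerts that produced more changes rise to the top.
    hits.sort(key=lambda h: len(h["changes"]), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in alerts_with_consequences(ALERTS, STATE_CHANGES):
        print(hit["host"], hit["rule"], "->", ", ".join(hit["changes"]))
```

With the sample data only the web01 alert survives: db01 never changed state, web03 changed but had no alert, and web02's change came too long after its alert.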