You’ve started monitoring your tools only to find thousands of alerts. Don’t give up! Keep reading, there’s an easy solution. One of the most common struggles for blue teams and security professionals is dealing with alerts, especially if you are new to the field of cybersecurity monitoring.

Firewalls, SIEM, Web Application Firewalls (WAF), and many other tools will generate a plethora of security alerts.

→ What about those 1000 non-blocked or detected threats in your firewall?
→ And those 30000 Windows alerts?

Best practices require you to perform risk analysis, prioritize assets and identify use cases. While valid, these won’t yield immediate benefits and require research.

The result? 

You get stuck, friction with stakeholders increases, and then the company drops its blue team efforts altogether.


The key to overcoming this challenge is knowing where to focus and your immediate next steps.

The Pareto principle, also known as the 80/20 rule, is how you solve this: 80% of outcomes result from 20% of all causes for any given event.

This principle is easy to apply to any case and iterate.

Here’s a quick example: 

80% of 30000 non-blocked alerts in the firewall may be caused by a small number of hosts in your network or by a few IDS signatures.

Once you recognize these, focus on identifying the root cause and that’s it: you have significantly decreased the number of alerts. Now focus on the next 80%.

Need assistance?