The conversation about the ways to make threat detection more effective the daily bread of Security Operations Centers (SOCs)—goes back to the dawn of the internet. Is it better to identify badness by signatures or through profiling? Automation is the most common way to scale, but is it as effective at finding malicious acts as a manual investigation by specialists?
There are too many tools and, over the years, numerous attempts to consolidate visibility into a “single pane of glass” have failed. The late 1980s witnessed the first prototypes of anomaly-based intrusion detection; the 1990s—the first automation of response. Then the first SIEM (Security Information and Event Management) products born in the late 90s loudly promised to solve Intrusion Detection System (IDS) alert overload and the dreaded “false positives.”