Presented at BSidesSF 2017, Feb. 12, 2017, 1:30 p.m. (30 minutes).
Why can't this be easier? Writing good alerts and keeping them actionable is hard. Ask anyone on any security team, ever. Alerts are notoriously either too noisy or lacking in coverage, and finding the sweet spot is nearly impossible. Additionally, some alerts sit idle while functionally incorrect and don't actually work as expected (when was the last time you tested some of yours?). To make matters worse, there is a general lack of industry standards for alert definitions, priorities, and incident response steps.
At Yelp, we have created tools and processes that enable the security team to keep a handle on our alerts, thus making the alerts actionable and maintainable. We do this by making sure we know which alerts are firing at what frequencies, having a run-book for writing new alerts, and utilizing self-service alerts whenever possible.
Certainly no alerting solution is perfect. However, by implementing some of these tools, we've effectively improved the signal-to-noise ratio for most of our important alerts. This in turn relieves the security team of tedious tasks and enables us to work on more important (and interesting!) things.
Presenters:
- Daniel Popescu - Security Engineer - Yelp
Daniel Popescu works at Yelp where he is responsible for security infrastructure and operations. Previously he worked at Microsoft on non-security products, but has maintained a passion for security since his undergrad years at the University of California, Santa Barbara. Professionally, his interests include automating manual tasks, building scalable distributed systems, and breaking things. In his spare time he enjoys surfing (in the ocean, not on the web ;-)).