Expected number of incidents/alerts from 20,000 EPS?
I have a question here:
Assume ArcSight has been deployed for a banking infrastructure and 20,000 EPS are generated. Out of those 20,000 EPS, how many alerts/incidents can be expected?
I know that there are dependencies, such as what we need to monitor, the number of devices (firewall, IDS/IPS, switch, router) and application, internal and database logs, the criticality of the network, and the rules in place: host-based rules and correlation-based rules.
But can we derive an approximate count of the number of alerts that could be triggered? Or do we have any sort of formula to get this information?
Please share your thoughts.
The answer is quite easy: it depends on your use cases (content) and the devices you have connected. That said, the answer isn't easy anymore.
If everything is clean you don't get any incidents out of your data feed; however, if you have strict use cases and requirements you may get a lot.
Ideally, as mentioned above, it really depends on what devices are integrated and what use cases are deployed.
Especially in a banking environment, policies and procedures are well defined and appropriate access controls and SoD are in place.
Generally, 10 to 20 alerts should be triggering, which will also not be real security incidents; they would be corporate IT policy violations, operations, data usage or other types of alerts, which are also mandated requirements for different compliance standards.
I hope this helps.
Well, there is some formula which vendors like HP and IBM claim, but that isn't reality.
In reality it depends on how you handle the system and how well the policies are defined and enforced.
Such a formula is complete BS. Disable all rules and you will get zero alerts. Create a rule with a "true" condition and you will get 20,000 alerts per second. Actually you will get just a few dozen alerts initially and the rule will be disabled automatically, but you get the idea.
Hi Kartheepan, I suggest you consider that at the beginning of the implementation you will have many, many alerts that you will have to tune until you have a low false-positive rate. Also consider whether the number of alerts can actually be handled in real time by the resources available in your SOC.
No two customers are the same. At some customers we have the same rules processing almost the same EPS from the same devices, but the number of incidents generated by the rules is completely different.
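To make the point of the replies above concrete (a rule with a "true" condition fires on every event, an untuned rule fires on every matching event, and a tuned aggregation rule fires once per real burst, so alert volume is a property of the content, not of the EPS), here is an added Python example. It is not part of the thread and not ArcSight code: a toy correlation engine run over a constructed event feed. The event fields, the rule names, the 5-failures-in-60-seconds threshold, the per-key suppression and the auto-disable-after-N safeguard (a stand-in for the "rule will be disabled automatically" behaviour mentioned above) are all assumptions for illustration.

```python
"""Toy correlation engine: alert volume is set by the rules, not by the EPS."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]
    # Aggregate matches per key (e.g. source IP) and fire once the count inside
    # the sliding window reaches the threshold. threshold=1 means "fire per match".
    key: Optional[str] = None
    threshold: int = 1
    window_s: int = 0
    # Hypothetical safeguard (assumption, not an ArcSight setting): a rule that has
    # fired this many times is switched off so it cannot flood the console.
    auto_disable_after: int = 1000
    fired: int = 0
    disabled: bool = False
    _buckets: Dict[object, deque] = field(default_factory=lambda: defaultdict(deque))
    _suppressed_until: Dict[object, float] = field(default_factory=dict)

    def feed(self, ev: Event) -> bool:
        """Return True if this event makes the rule fire."""
        if self.disabled or not self.condition(ev):
            return False
        if self.threshold <= 1:
            return self._fire()
        key = ev.get(self.key)
        ts = float(ev["ts"])
        # After firing for a key, ignore that key for one window (suppression):
        # one burst should produce one alert, not one alert per extra event.
        if ts < self._suppressed_until.get(key, -1.0):
            return False
        bucket = self._buckets[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > self.window_s:  # age out old matches
            bucket.popleft()
        if len(bucket) >= self.threshold:
            bucket.clear()
            self._suppressed_until[key] = ts + self.window_s
            return self._fire()
        return False

    def _fire(self) -> bool:
        self.fired += 1
        if self.fired >= self.auto_disable_after:
            self.disabled = True
        return True


def make_events() -> List[Event]:
    """Constructed sample feed (not real bank data): about one second of traffic."""
    events: List[Event] = []
    t = 0.0
    for i in range(150):  # background: accepted firewall connections, many hosts
        events.append({"ts": t, "type": "fw_accept", "src": f"10.0.{i % 7}.{i}", "user": None})
        t += 0.005
    for i in range(40):  # noise: one failed login each from 40 different hosts
        events.append({"ts": t, "type": "auth_fail", "src": f"192.168.1.{i}", "user": f"u{i}"})
        t += 0.005
    for _ in range(12):  # attack-like burst: one host, 12 failures within a second
        events.append({"ts": t, "type": "auth_fail", "src": "203.0.113.9", "user": "admin"})
        t += 0.01
    return events


def build_rules() -> List[Rule]:
    return [
        # The "true" rule from the thread: every event is an alert until the safeguard trips.
        Rule("match_everything", lambda e: True, auto_disable_after=50),
        # Untuned content: one alert per authentication failure.
        Rule("any_auth_failure", lambda e: e["type"] == "auth_fail"),
        # Tuned content: 5+ failures from the same source within 60 s, once per burst.
        Rule("brute_force", lambda e: e["type"] == "auth_fail", key="src", threshold=5, window_s=60),
    ]


def run(events: List[Event], rules: List[Rule]) -> Dict[str, int]:
    for ev in events:
        for rule in rules:
            rule.feed(ev)
    return {r.name: r.fired for r in rules}


def alert_summary() -> Dict[str, object]:
    """Same feed, three rules: the alert counts differ by orders of magnitude."""
    events, rules = make_events(), build_rules()
    counts = run(events, rules)
    return {"events": len(events), "alerts": counts,
            "disabled": sorted(r.name for r in rules if r.disabled)}


if __name__ == "__main__":
    s = alert_summary()
    print(f"{s['events']} events in the constructed feed")
    for name, n in s["alerts"].items():
        print(f"  {name:18s} -> {n} alerts")
    print("auto-disabled:", s["disabled"])
```

Running it, the same 202 events yield 50 alerts from the "true" rule (then it is disabled), 52 from the untuned failed-login rule, and a single alert from the tuned brute-force rule. Scaling the feed to 20,000 EPS would scale the first two counts with it and leave the third tied to the number of real bursts, which is the sense in which there is no formula from EPS to incidents.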