Ep04 - Security Blueline (Q&A) with “Dr Stu”

Welcome to the Outpost RBA Podcast: Securing the Frontiers of Enterprise. Will and Stuart host their first call-in-style show to answer listener questions.

Prioritizing in Philly asks, “Does anyone have any tips for prioritization of content…?”

  • Start with where you are and what you have currently

  • Use data to drive the first rounds of detections, then shift to adsim/red team/external threat writeups to find potential blind spots

  • Get the data in, determine whether it can live in a data model (DM) or must be queried directly, then find detections for that type of data source

  • research.splunk.com is a web view of the detections in SSE/ESCU, and you can search it by data model

Migration in Memphis asks, “We have 100+ traditional detections and would like to migrate them to RBA. How should we attack this…?”

  • Differences in the results from an RBA detection vs. a traditional detection

  • Throttling and search window differences 

  • Know when a 1-to-1 alert serves you better than an RBA detection

  • Migration planning: can detections be combined and made more dynamic, is each one still needed, and does it still work?

MITRE in Minneapolis asks, “Where should we look for sources of detections tagged to MITRE techniques in order to get 100% coverage?”

  • The role of MITRE ATT&CK with detections 

  • What does “covered” mean, and the role of variants

Send in your question, or an audio recording of your question, to the show to be answered on a future episode.
