Versions Compared

Old Version 7

changes.mady.by.user George Vetticaden

Saved on

compared with

New Version 8

changes.mady.by.user George Vetticaden

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

IdentifierQuestion
Q1What are key challenges and limitations of the current SIEM and security analytics tools that you use today?
Q2

How would you prioritize the challenges today with the existing security tooling you use:

  • To many alerts. There are no prioritization of alerts or the prioritization's/risk based alerts that are in use are not accurate or helpful to help me identify on what to focus on.
  • There are too many tools that I need to learn
  • I don't have a centralized view of my data
  • Most of my alerts are false positive
  • Managing static rules are too cumbersome. 
  • I have too many manual tasks. 
  • I cannot ingest and store all security/telemetry data based on cost. 
  • I need to discover bad stuff quicker
  • Other
Q3In your day to day activities, what types of data sources(logs, pcap, ldap user info, netflow, bro etc..) do you work with the most?
Q4Are there data sources that your current tools don't support that if did have access to it, it would allow you to do your job more effectively?
Q5What types of automated and real-time enrichment would you like to see on the raw data that would allow you to do your job more effectively?
Q6

What third party intel feeds do you find most valuable that lead to credible threats?

Q7What third party intel feeds are you not using that you would like the platform to provide?
Q8

What elements of your data are you not getting the adequate threat intel feeds for?

Q9

Please provide a redacted dump of common correlation rules that you use the most? (e.g: if you see ip from geo-region A with domain that was registered in the last 3 days, then alert), 30 failed logged attempts in the last 30 minutes..).

Q10

What are other actions you would like to perform on the data in real-time (outside of enrichment, cross reference of intel feeds)?

Q11If the analytics tool only provided a single panel, what will be critical things you want to see?
Q12What are 3 of the most important KPIs (metrics, Key Performance Indicators) that you would like see on that single panel?
Q13

What deails would you expect an alert to contain?

Q14

Which way of filtering/search for events would be your preferred one?

  • I want to write a query to find what I'm looking for
  • I prefer clicking with my mouse to select/deselect types of data I want to find
  • A and B
  • Other

 

Running List of Questions for the Survey/Questionnaire for

...

CISO Audience

IdentifierQuestion
Q1

What specific use cases and cyber security domain problems are you trying to solve with Metron?

Q2

How would you prioritize, in terms of importance, the use cases and challenges below that the SOC is tasked to solve:

  • Malware Detection & Lateral Movement
  • Suspicious Behavior: User, Device, & Application
  • Fraud Detection
  • Account Hijacking & Privileged Account Abuse
  • IP Theft & Data Exfiltration
  • Virtual Container & Cloud Asset Compromise

 

Action Items: Group use cases by industry...

Q3What are key challenges and limitations of the current SIEM and security analytics tools that you use today?
Q4

How would you prioritize the challenges today with the existing security tooling you use:

  • To many alerts. There are no prioritization of alerts or the prioritization's/risk based alerts that are in use are not accurate or helpful to help me identify on what to focus on.
  • There are too many tools that I need to learn
  • I don't have a centralized view of my data
  • Most of my alerts are false positive
  • Managing static rules are too cumbersome. 
  • I have too many manual tasks. 
  • I cannot ingest and store all security/telemetry data based on cost. 
  • I need to discover bad stuff quicker
  • Other

 

Q5

How would you rate your SOC’s data science and analytical capabilities today?

Q6

Does your SOC have any plans to enhance its data science and analytical capabilities now or in the future?

Q7

What data retention capabilities do you require Metron to support?

Q8

What compliance regimes, if any, does your SOC tools and capabilities need to comply with to support the needs of your business?

Q9

What type of enrichment would you like to do to the security telemetry data? (e.g: Geo, Whois)

Q10What type of enrichment capabilities does your current security tooling NOT provide? Is enrichment of the data in real-time a critical requirement? Is storing the enriched and raw data a critical requirement?
Q11

What are the different threat intel feeds you subscribe to (public, private, tec..)? Which vendor do you get the feed from and what is the format. Supporting an out of the box threat intel feed means the following supporting parsers for the intel feed to persist the feed store in normalized form.

Q12What are critical requirements for threat intel feed integration with Metron? For example, is cross referencing your threat intel feeds against the original and enriched telemetry data a critical requirement?
Q13What are the critical functions you would like to perform on the streaming security telemetry data as its coming in real-time in as opposed to after it lands?
Q14Do you envision Metron replacing your SIEM solution or complimenting it?

...