Recent high-profile incidents have reminded me of this position paper I wrote back in 2001:
During a recent DARPA teleconference, many of the problems PACOM intrusion detection analysts face were described. Two related and critical problems are operator overload and the large number of false alarms that their sensors generate. I have heard of similar problems with analysts working with ASIM deployments, and these problems are cited by many DARPA program managers to motivate the development of new technologies. However, I believe a significant portion of the problem can be addressed with little or no new technology. This paper makes several recommendations that should be considered, and I hope it serves as the beginning of a dialogue on these issues.
For example, vulnerability scanners using various techniques have been around for two decades (anyone remember Dan Farmer and Wietse Venema's SATAN?). You should be using one. And (1) if you have a known vulnerability (especially in an Internet-facing system), (2) there is a known exploit against it, and (3) there are reports of the exploit in the wild, patching that system should be a priority. None of this is rocket science. There are lists and feeds for these things.
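The three conditions above can be turned directly into a patch-triage rule that runs over scanner output. This is an added example, not code from the original post: the findings and the two feeds (known exploits, in-the-wild reports) are constructed inline with placeholder vulnerability identifiers, and the weighting of the three conditions is an assumption, chosen so that an in-the-wild report outranks an exploit, which outranks mere exposure.

```python
"""Patch-priority triage following the three conditions in the post.

Added example, not the author's code. Scanner findings and the two
feeds are constructed inline; a real deployment would load them from
a scanner export and a known-exploited-vulnerability feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str           # constructed placeholder ids, not real CVEs
    internet_facing: bool


# Constructed sample data: scanner output plus two feeds.
FINDINGS = [
    Finding("web-01", "VULN-A", internet_facing=True),
    Finding("web-02", "VULN-B", internet_facing=True),
    Finding("db-01", "VULN-A", internet_facing=False),
    Finding("fs-01", "VULN-C", internet_facing=False),
]
KNOWN_EXPLOITS = {"VULN-A", "VULN-B"}   # (2) a known exploit exists
IN_THE_WILD = {"VULN-A"}                # (3) exploit reported in the wild


def priority(f, known_exploits, in_the_wild):
    """Score one finding; higher means patch sooner.

    Weights are an assumption: (1) Internet-facing = 1,
    (2) known exploit = 2, (3) seen in the wild = 4, so a finding
    meeting all three scores 7 and always sorts to the top.
    """
    score = 0
    if f.internet_facing:
        score += 1
    if f.vuln_id in known_exploits:
        score += 2
    if f.vuln_id in in_the_wild:
        score += 4
    return score


def triage(findings, known_exploits, in_the_wild):
    """Return (score, finding) pairs, highest priority first, host as tiebreak."""
    scored = [(priority(f, known_exploits, in_the_wild), f) for f in findings]
    return sorted(scored, key=lambda s: (-s[0], s[1].host))


if __name__ == "__main__":
    for score, f in triage(FINDINGS, KNOWN_EXPLOITS, IN_THE_WILD):
        print(f"{score} {f.host:7} {f.vuln_id}")
```

Note that the same vulnerability on the internal host db-01 still ranks above the Internet-facing web-02, because an in-the-wild report on an exploitable flaw carries more weight than exposure alone.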
My entire career has been based on developing new cyber security technologies and products, and I would love to sell everyone the latest & greatest tech. But first, any potential user or customer should take care of many of the basic (and often cheap or free) things. As I wrote in that 2001 paper:
Second, as creators of new technologies, we would like to see our technology deployed in an environment that shows it in the best possible light. Deploying our technology in an unprepared environment may exacerbate existing problems (e.g., contributing to information overload) and can be very embarrassing. Thus, in our own self-interest (or perhaps just to protect our professional pride), we should at least examine the overall environment and how best to prepare it before introducing DARPA-funded technology.
(And today I learned Neil Gaiman drew the artwork for the SATAN documentation. How cool is that?!)