Summary

In the previous chapter, we focused on the need to centralize security data and to cross-reference information coming from multiple sources. We also demonstrated that this was a particularly difficult task! In this chapter, we have looked at some key indicators, particularly the use of DNS and HTTP data, which are less likely to change than file signatures.

We have also looked at the difference between deterministic analysis (100% assurance based on confirmed evidence) and probabilistic analysis (<100% assurance based on likely interpretations of available but incomplete evidence). When the reasons for certain activity are not immediately clear, or even definitive in retrospect, operators must consider the severity (best/worst case) along with the frequency (most/least likely) of those threats in combination to determine the risk.

The Firepower Management Center is equipped with a feature that allows organization-defined correlation rules to prioritize alerts based on multiple sources of data. Applying too many overly granular rules can affect the performance of the system as a whole, so correlation rules must be chosen carefully and reviewed periodically to ensure they work with the organization's business priorities.
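To make the chapter's ideas concrete, here is an added example (not code from the book or from Cisco's Firepower Management Center) that cross-references constructed DNS and HTTP events per host, tags each rule as deterministic (likelihood 1.0) or probabilistic (likelihood below 1.0), and ranks hosts by risk = severity x likelihood summed across sources. The event field names, the watchlist domain, and the suspicious-path heuristic are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample telemetry; field names are assumptions, not the FMC schema.
DNS_EVENTS = [
    {"host": "10.0.0.5", "qname": "known-bad.example", "ts": 100},
    {"host": "10.0.0.7", "qname": "cdn.example", "ts": 101},
]
HTTP_EVENTS = [
    {"host": "10.0.0.5", "uri": "/gate.php", "user_agent": "Mozilla/4.0", "ts": 105},
    {"host": "10.0.0.7", "uri": "/index.html", "user_agent": "Mozilla/5.0", "ts": 106},
    {"host": "10.0.0.9", "uri": "/gate.php", "user_agent": "Mozilla/4.0", "ts": 110},
]
# Confirmed-malicious domains (constructed): a hit here is deterministic evidence.
WATCHLIST = {"known-bad.example"}
# Beacon-like paths (constructed): a hit here is only probabilistic evidence.
SUSPICIOUS_PATHS = {"/gate.php"}


@dataclass
class Finding:
    host: str
    reason: str
    severity: int       # 1 (low) .. 5 (high): worst-case impact if the threat is real
    likelihood: float   # 1.0 = deterministic (confirmed), < 1.0 = probabilistic


def dns_rule(events):
    """Deterministic rule: a query for a watchlisted domain is confirmed evidence."""
    return [Finding(e["host"], f"dns:{e['qname']}", 5, 1.0)
            for e in events if e["qname"] in WATCHLIST]


def http_rule(events):
    """Probabilistic rule: beacon-like path plus an outdated User-Agent is suspicious,
    not proof, so its likelihood is discounted rather than treated as certain."""
    return [Finding(e["host"], f"http:{e['uri']}", 3, 0.4)
            for e in events
            if e["uri"] in SUSPICIOUS_PATHS and e["user_agent"].startswith("Mozilla/4.0")]


def correlate(dns_events, http_events):
    """Cross-reference findings per host and return {host: risk}, highest first.
    Risk = severity x likelihood, summed over independent sources, so a host that
    trips both the DNS and the HTTP rule outranks one that trips either alone."""
    by_host = {}
    for f in dns_rule(dns_events) + http_rule(http_events):
        by_host.setdefault(f.host, []).append(f)
    risk = {h: round(sum(f.severity * f.likelihood for f in fs), 2)
            for h, fs in by_host.items()}
    return dict(sorted(risk.items(), key=lambda kv: kv[1], reverse=True))
```

Running `correlate(DNS_EVENTS, HTTP_EVENTS)` ranks 10.0.0.5 (both sources) above 10.0.0.9 (HTTP only) and leaves 10.0.0.7 unlisted; counting how often each rule fires over a period is a simple way to spot rules that are too granular to keep.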
