Detection capabilities

The current threat landscape demands a new approach to detection. Relying on the traditional, laborious fine-tuning of initial rules, thresholds and baselines, and still dealing with a high volume of false positives, is becoming unacceptable for many organizations. When preparing to defend against attackers, the Blue Team must leverage a series of techniques that include:

  • Data correlation from multiple data sources
  • Profiling
  • Behavior analytics
  • Anomaly detection
  • Activity evaluation
  • Machine learning

It is important to emphasize that some of the traditional security controls, such as protocol analysis and signature-based antimalware, still have their place in the line of defense, mainly to combat known and legacy threats. You shouldn't uninstall your antimalware software just because it lacks machine learning capability; it is still one layer of protection for your host. Remember the defense in depth approach that we discussed in the last chapter? Think of this protection as one layer of defense; now you need to add the other layers to enhance your security posture.

On the other hand, the traditional defender mindset of monitoring only high-profile users is over; you can't take this approach anymore. Current threat detection must look across all user accounts, profile them, and understand their normal behavior. Current threat actors will look to compromise a regular user, stay dormant in the network, continue the invasion by moving laterally, and escalate privileges. For this reason, the Blue Team must have detection mechanisms in place that can identify these behaviors across all devices and locations, and raise alerts based on data correlation, as shown in the following diagram:

When you contextualize the data, you naturally reduce the number of false positives and give a more meaningful result to the investigator.
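To make the data correlation idea concrete, the following is an added example (it is not code from the book): it builds a per-user profile of hosts and VPN source countries from a baseline period, then correlates several weak signals from two sources (VPN and Windows logon records) into a single alert. The events, source labels, field names and thresholds are all constructed assumptions for the illustration. A single new-host logon is not enough to alert; only when independent signals coincide (a VPN connection from a never-seen country followed by logons to several new hosts in a short window) does the correlation produce the contextualized result described above.

```python
"""Correlate logon events from several sources into one contextualized alert.

Added illustration, not from the book. All events below are constructed, and
the schema, source names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized to one schema so records from
# different sources can be joined on the user field.
EVENTS = [
    # Baseline period: users log on to their usual hosts from the office;
    # alice also uses the VPN from her home country.
    {"ts": "2023-03-01T08:02:00", "src": "windows_security", "user": "alice", "host": "WS-ALICE",  "geo": "US"},
    {"ts": "2023-03-01T08:10:00", "src": "windows_security", "user": "bob",   "host": "WS-BOB",    "geo": "US"},
    {"ts": "2023-03-02T07:58:00", "src": "windows_security", "user": "alice", "host": "WS-ALICE",  "geo": "US"},
    {"ts": "2023-03-02T19:30:00", "src": "vpn",              "user": "alice", "host": "VPN-GW",    "geo": "US"},
    {"ts": "2023-03-03T08:05:00", "src": "windows_security", "user": "bob",   "host": "WS-BOB",    "geo": "US"},
    {"ts": "2023-03-03T09:00:00", "src": "windows_security", "user": "bob",   "host": "FILESRV01", "geo": "US"},
    # Detection window: alice's account connects over VPN from a country never
    # seen before, then logs on to three servers in six minutes (the lateral
    # movement pattern described in the text).
    {"ts": "2023-03-08T02:10:00", "src": "vpn",              "user": "alice", "host": "VPN-GW",    "geo": "RO"},
    {"ts": "2023-03-08T02:12:00", "src": "windows_security", "user": "alice", "host": "FILESRV01", "geo": "RO"},
    {"ts": "2023-03-08T02:15:00", "src": "windows_security", "user": "alice", "host": "SQL01",     "geo": "RO"},
    {"ts": "2023-03-08T02:18:00", "src": "windows_security", "user": "alice", "host": "DC01",      "geo": "RO"},
    # bob logs on to one unfamiliar host during office hours: a single weak
    # signal that, alerted on alone, would be a false positive.
    {"ts": "2023-03-08T10:00:00", "src": "windows_security", "user": "bob",   "host": "PRINTSRV",  "geo": "US"},
]

BASELINE_END = datetime(2023, 3, 7)  # events before this build the profiles


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_profiles(events, baseline_end):
    """Per-user profile of hosts and countries observed during the baseline."""
    profiles = defaultdict(lambda: {"hosts": set(), "geos": set()})
    for e in events:
        if parse_ts(e["ts"]) < baseline_end:
            profiles[e["user"]]["hosts"].add(e["host"])
            profiles[e["user"]]["geos"].add(e["geo"])
    return profiles


def detect(events, profiles, baseline_end, window=timedelta(minutes=15), burst=3):
    """Correlate weak per-user signals; alert only when at least two coincide."""
    recent = defaultdict(list)
    for e in events:
        if parse_ts(e["ts"]) >= baseline_end:
            recent[e["user"]].append(e)

    alerts = []
    for user, evs in recent.items():
        prof = profiles.get(user, {"hosts": set(), "geos": set()})
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        signals = {}

        # Signal 1: logons to hosts this user has never touched before.
        new_hosts = sorted({e["host"] for e in evs} - prof["hosts"])
        if new_hosts:
            signals["new_hosts"] = new_hosts

        # Signal 2: VPN connection from a country not in the user's profile.
        new_geos = sorted({e["geo"] for e in evs if e["src"] == "vpn"} - prof["geos"])
        if new_geos:
            signals["vpn_new_geo"] = new_geos

        # Signal 3: logons to `burst` or more distinct hosts inside `window`.
        logons = [e for e in evs if e["src"] == "windows_security"]
        for i in range(len(logons)):
            start = parse_ts(logons[i]["ts"])
            hosts = {e["host"] for e in logons[i:] if parse_ts(e["ts"]) - start <= window}
            if len(hosts) >= burst:
                signals["host_burst"] = sorted(hosts)
                break

        # Correlation step: one signal is context, two or more is an alert.
        if len(signals) >= 2:
            alerts.append({"user": user, "first_seen": evs[0]["ts"], "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, build_profiles(EVENTS, BASELINE_END), BASELINE_END):
        print(alert)
```

Run as written, the example raises one alert for alice carrying all three signals and their supporting hosts and country, and none for bob, whose lone new-host logon is recorded in his profile rather than surfaced to an analyst.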
