Rules Versus Models in Your SIEM - Exabeam

Security information and event management (SIEM) technologies have been used for years to detect threats and to address compliance requirements for organizations. Many traditional SIEM tools’ detection methodologies are primarily based on correlation rules that look for known attacks at the points of entry. Such rules become increasingly ineffective as attacks become more complex, longer lasting, or more distributed. Newer SIEM tools are behavior and context aware, and models are used to track user behaviors, enabling the effective detection of unknown threats and complex attack chains.

Download this paper to learn about:

  • The distinction between rules and models
  • Use cases for correlation rules and models
  • Pros and cons of using correlation rules and models, and how to choose between the two methods
  • Design considerations for correlation rules and models
