There is a famous Brazilian allegory/legend attributed to one of the best soccer players this world has ever seen, Mané Garrincha.
It is said that during a training session right before a match against the USSR for the 1958 World Cup, Mané had been instructed to "move past one defender, wait for the central defender to come to cover him, and then cross the ball to Vavá [another Brazilian striker]". The legend says Garrincha replied, "OK, but does anyone know if the Russians agreed on all that?"
I believe many SOCs have been working like that, as they tune and trim down their detections to keep false positives and the number of alerts to be investigated at a manageable level. All the tuning and noise cancellation would be amazing, if only they could also ensure the threat actors would behave as expected :-)
[BTW, there is a huge irony here in the fact that we've been dealing with many Russian-origin threat actors these days]
We cannot negotiate with threat actors over what we detect and alert on. If we overdo tuning out noise, they will adapt their ways to make their activity look like the "noise" we chose to ignore.
Tuning out excessive noise is fine, but many organizations tune out too much, leaving real threat activity undetected, simply because they cannot handle all the alerts that good detection content generates.
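The difference between healthy tuning and over-tuning is easy to see on a small set of events. The following is an added illustration, not code from the original post or from any product it mentions. It uses constructed process-creation telemetry, a deliberately noisy rule (any PowerShell execution), and two candidate exclusions for the same source of noise: a broad one that silences the whole host, and a narrow one that silences only the specific benign behaviour that was actually investigated. The `suppressed()` helper is the check a practitioner wants before shipping a tuning: what would this exclusion have hidden? All hostnames, account names and paths are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Event:
    """One process-creation record (fields chosen for the example)."""
    host: str
    user: str
    image: str
    cmdline: str


# Constructed sample telemetry; none of this is real data.
EVENTS = [
    Event("srv-01", "svc_patch", "powershell.exe", r"powershell.exe -File C:\ops\patch.ps1"),
    Event("srv-01", "svc_patch", "powershell.exe", r"powershell.exe -File C:\ops\patch.ps1"),
    Event("srv-01", "svc_patch", "powershell.exe", r"powershell.exe -File C:\ops\patch.ps1"),
    # An unexpected account running an unexpected script on the "noisy" host.
    Event("srv-01", "jdoe", "powershell.exe", r"powershell.exe -File C:\Users\Public\tmp.ps1"),
    # The known script, but on a host and account it was never investigated for.
    Event("ws-07", "asmith", "powershell.exe", r"powershell.exe -File C:\ops\patch.ps1"),
    Event("ws-07", "asmith", "notepad.exe", "notepad.exe readme.txt"),
]

Predicate = Callable[[Event], bool]


def base_rule(e: Event) -> bool:
    """Deliberately noisy detection: every PowerShell process creation."""
    return e.image.lower() == "powershell.exe"


def broad_exclusion(e: Event) -> bool:
    """Over-tuning: drop everything from the host that generates the most alerts."""
    return e.host == "srv-01"


def narrow_exclusion(e: Event) -> bool:
    """Targeted tuning: drop only the investigated account running the investigated script."""
    return e.user == "svc_patch" and e.cmdline.lower().endswith(r"c:\ops\patch.ps1")


def alerts(events: Iterable[Event], exclusion: Predicate) -> List[Event]:
    """Events that match the rule and survive the exclusion, i.e. what the SOC sees."""
    return [e for e in events if base_rule(e) and not exclusion(e)]


def suppressed(events: Iterable[Event], exclusion: Predicate) -> List[Event]:
    """Audit view: rule matches the exclusion hides. Review this before deploying a tuning."""
    return [e for e in events if base_rule(e) and exclusion(e)]


def tuning_report(events: Iterable[Event], exclusion: Predicate, label: str) -> str:
    """Human-readable summary of what a candidate exclusion keeps and what it hides."""
    events = list(events)
    kept = alerts(events, exclusion)
    hidden = suppressed(events, exclusion)
    lines = [f"[{label}] alerts={len(kept)} suppressed={len(hidden)}"]
    lines += [f"  ALERT    {e.host:6} {e.user:10} {e.cmdline}" for e in kept]
    lines += [f"  HIDDEN   {e.host:6} {e.user:10} {e.cmdline}" for e in hidden]
    return "\n".join(lines)


if __name__ == "__main__":
    print(tuning_report(EVENTS, broad_exclusion, "broad: exclude host srv-01"))
    print(tuning_report(EVENTS, narrow_exclusion, "narrow: exclude svc_patch + patch.ps1"))
```

With the broad exclusion, the unexpected `jdoe` execution on `srv-01` is silently dropped along with the three benign patch runs; the SOC sees one alert and believes the host is quiet. With the narrow exclusion, the same three benign runs disappear but the `jdoe` event and the off-host use of the patch script still surface. The alert count is only slightly higher, and the suppressed list contains exactly the behaviour that was investigated and nothing else, which is the property worth checking every time a tuning is proposed.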
They need more alert investigation capacity. That's one of the reasons why I joined Prophet Security. We are now able to produce systems smart enough to do most of this investigation work for us. The new SOC is not your grandma's SOC. It's not even your SOC from a couple of years ago.
This is a transformative moment for the SOC, and I'm very excited to be part of it. We don't need to align with the Russians :-)