YoVDO

Reducing Inactionable Alerts via Policy Layer

Offered By: BSidesLV via YouTube

Tags

Security BSides Courses, Cybersecurity Courses

Course Description

Overview

Explore strategies for minimizing false positives and inactionable alerts in security systems through a conference talk from BSidesLV 2019. Delve into key concepts including whitelists, policy layers, and generalized ability as presented by John Seymour. Learn how to implement a separate policy layer to enhance alert management and improve overall security effectiveness. Examine the trade-offs of this approach and discuss potential improvements. Gain insights into integrating these techniques into existing security infrastructures and understand their impact on alert reduction. Conclude with a Q&A session that addresses specific implementation concerns and further clarifies the presented concepts.

Syllabus

Introduction
Definitions
Examples
Whitelists
Separate Policy Layer
Generalized Ability
Integration
What we lose
Improvements
Questions


Taught by

BSidesLV
