Tuesday, February 4, 2020

Why should you use correlation rules on top of traditional signatures?

The AT&T Cybersecurity Alien Labs team is in charge of writing correlation rules and releasing threat intelligence updates on a day-to-day basis. When researchers in the team find new malware families or threats, we always try to find the best approach to keep our customers protected. In this blog, we will look into some of the differences between signatures and correlation rules.
Signatures are the values (sequence of bytes, string patterns, etc.) that security products use to detect known malicious behavior. For example: Snort/Suricata rules, antivirus signatures and YARA rules.
On the other hand, correlation is the processing of the event stream in order to identify important events or patterns of events within large volumes of data. The logic to identify these events is defined in a correlation rule.
Benefits of correlation rules:
Correlation rules are based on behavior rather than on specific indicators, which makes them…
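To make the signature/correlation distinction concrete, here is an added example (not code from the original post or from Alien Labs) that runs both kinds of detection over a handful of constructed authentication log lines. The key=value log format, the known-bad IP list, the five-failure threshold and the two-minute window are all assumptions chosen for the illustration. The signature fires only when an event carries an indicator that is already on the list; the correlation rule fires on the pattern "many failed logins followed by a success from the same source for the same user" with no indicator at all, and its sliding window keeps a slow, spread-out attempt from triggering it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not taken from the original post). 10.0.0.5
# brute-forces "admin" and then logs in; 10.0.0.8 does the same but slowly;
# 203.0.113.7 is a hypothetical IP on a known-bad list; the rest is benign noise.
SAMPLE_EVENTS = [
    "2020-02-04T09:00:01 host=web1 src=10.0.0.5 user=admin action=login result=failure",
    "2020-02-04T09:00:02 host=web1 src=10.0.0.5 user=admin action=login result=failure",
    "2020-02-04T09:00:03 host=web1 src=10.0.0.9 user=alice action=login result=failure",
    "2020-02-04T09:00:03 host=web1 src=10.0.0.5 user=admin action=login result=failure",
    "2020-02-04T09:00:04 host=web1 src=10.0.0.5 user=admin action=login result=failure",
    "2020-02-04T09:00:05 host=web1 src=10.0.0.5 user=admin action=login result=failure",
    "2020-02-04T09:00:10 host=web1 src=10.0.0.5 user=admin action=login result=success",
    "2020-02-04T09:00:20 host=web1 src=10.0.0.9 user=alice action=login result=success",
    "2020-02-04T09:01:00 host=web1 src=203.0.113.7 user=svc action=login result=success",
    "2020-02-04T09:05:00 host=web1 src=10.0.0.8 user=root action=login result=failure",
    "2020-02-04T09:08:00 host=web1 src=10.0.0.8 user=root action=login result=failure",
    "2020-02-04T09:11:00 host=web1 src=10.0.0.8 user=root action=login result=failure",
    "2020-02-04T09:14:00 host=web1 src=10.0.0.8 user=root action=login result=failure",
    "2020-02-04T09:17:00 host=web1 src=10.0.0.8 user=root action=login result=failure",
    "2020-02-04T09:20:00 host=web1 src=10.0.0.8 user=root action=login result=success",
]

# Assumed log layout: ISO timestamp followed by fixed key=value fields.
EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Parse one key=value log line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


# --- Signature: one event checked against one known indicator ---------------
KNOWN_BAD_SRC = {"203.0.113.7"}  # hypothetical indicator list


def signature_match(ev):
    """Fires only if the event carries an indicator already on the list."""
    return ev["src"] in KNOWN_BAD_SRC


# --- Correlation rule: a pattern across several events -----------------------
def correlate_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when >= threshold failed logins for (src, user) inside `window`
    are followed by a successful login for the same (src, user).
    No indicator is needed: the behaviour itself is the detection."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in events:
        if ev["action"] != "login":
            continue
        key = (ev["src"], ev["user"])
        recent = failures[key]
        # Slide the window: drop failures older than `window` relative to this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "failure":
            recent.append(ev["ts"])
        elif ev["result"] == "success":
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures_in_window": len(recent),
                    "ts": ev["ts"].isoformat(),
                })
            recent.clear()  # a success resets the state for this key
    return alerts


def run_detections(lines):
    """Run both detections over raw log lines and return their findings."""
    events = [ev for ev in map(parse_event, lines) if ev]
    return {
        "signature_hits": [ev["src"] for ev in events if signature_match(ev)],
        "correlation_alerts": correlate_bruteforce_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the sample data the signature reports only 203.0.113.7, and nothing about 10.0.0.5, because that address is on no list; the correlation rule reports 10.0.0.5 (five failures, then a success, all inside the window) and stays quiet on 10.0.0.8, whose attempts are three minutes apart and never accumulate inside the two-minute window. Tuning that window and threshold against your own baseline is where most of the false-positive work for a rule like this goes.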

Posted by: Javier Ruiz

The post Why should you use correlation rules on top of traditional signatures? appeared first on Cybersecurity Insiders.

