April 13, 2006

Filtering vs. Prioritization

Category: Security Information Management — Raffael Marty @ 1:09 pm

I was just emailing someone who suggested a thesis on the topic of filtering event streams to get rid of false positives. This is what I replied:

Filtering seems to be the obvious approach to take in order to get to the important events in an event stream. However, filtering is not really what you want to do. You can filter all day and you still end up with a lot of stuff that you have not filtered (e.g., new things will show up and you will have to filter again). Do the math: 1 million events a day. Assume you come up with a lot of filters that filter out 500K events. You still have 500K events left. What you need to do is prioritization. You need to have those things that are important trickle up! You can still apply filtering after that, but prioritize first!

Here is a very important concept in SIM: Don’t spend processing time on unimportant things!
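As an added illustration of the argument above (example code, not from the original post), the following contrasts filter-only handling of a constructed event stream with prioritize-then-filter. The asset criticality table, the known-noise list and the sample events are all assumptions made for the example; the scoring (severity weighted by asset criticality, with a default weight for hosts nobody has classified yet) is one simple way to make important things trickle up even for event types no filter has seen before, while still not spending scoring work on events already known to be unimportant.

```python
from dataclasses import dataclass

# Assumed per-host criticality weights (hypothetical hostnames).
ASSET_CRITICALITY = {"dc01": 5, "web01": 3, "lab-pc7": 1}
# Assumed list of event types already known to be unimportant noise.
KNOWN_UNIMPORTANT = {"heartbeat", "dns_lookup"}
# Weight used for hosts that are not in the criticality table yet.
DEFAULT_CRITICALITY = 2


@dataclass
class Event:
    name: str
    host: str
    severity: int  # 1 (informational) .. 5 (critical)


# Constructed sample stream: mostly noise, plus a handful of events that matter,
# including one event type ("new_worm_signature") that no filter knows about.
SAMPLE_EVENTS = (
    [Event("heartbeat", "web01", 1) for _ in range(100)]
    + [Event("dns_lookup", "lab-pc7", 1) for _ in range(50)]
    + [
        Event("failed_login", "lab-pc7", 2),
        Event("failed_login", "dc01", 2),
        Event("port_scan", "web01", 3),
        Event("config_change", "printer-9", 3),  # host not classified anywhere
        Event("new_worm_signature", "dc01", 5),  # the "new thing" filters miss
    ]
)


def filter_only(events, noise):
    """Filtering alone: drop known noise and hand back the rest, unranked."""
    return [e for e in events if e.name not in noise]


def priority(event, criticality):
    """Score = severity * criticality of the affected asset; unknown hosts get a
    default weight so brand-new event types and hosts still get ranked."""
    return event.severity * criticality.get(event.host, DEFAULT_CRITICALITY)


def prioritize(events, noise, criticality, top_n):
    """Cheap suppression of known-unimportant events first (no scoring work is
    spent on them), then rank what remains and return the top_n to look at."""
    remaining = (e for e in events if e.name not in noise)
    ranked = sorted(remaining, key=lambda e: priority(e, criticality), reverse=True)
    return ranked[:top_n]
```

With the sample stream, `filter_only` leaves five unranked events, while `prioritize(..., top_n=2)` puts the unseen `new_worm_signature` on the domain controller first, followed by the failed login on the same host.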

  1. “Don’t spend processing time on unimportant things!”

    If only somebody told you what things are “unimportant” 🙂

    Comment by Anton Chuvakin — April 14, 2006 @ 12:45 pm

  2. I was not too precise when I said “unimportant”. What I meant to say was that you should not spend processing time on things that you already know are unimportant.

    Comment by Raffy — April 14, 2006 @ 12:50 pm
