The Matrix
The scoring piece of FIDO is where customization can be done to fit each company's needs. Scoring is broken down into the following silos:
- Threat Feeds
- Other Detectors
- Historical Information
- User/Machine Previous Alerted
- Machine Posture
- User Posture
- Asset Value
The customizations done in the scoring engine depend entirely on the environment and the resources available where FIDO runs. Each of the categories above should be treated as a silo that is scored separately and then aggregated into the machine, user, threat and total scores. Viewed top-down, each silo is assigned a weight that determines what percentage of the machine, user, threat and total scores it makes up. Then, inside each silo, the individual returns are scored and can be weighted again. Please use the following image as an example of this.
Therefore, if you're a PCI-affected company, you might weight asset value so that it contributes more to the score for systems that trigger alerts in a PCI-affected zone. Likewise, if you have multiple threat feeds available to you, you might weight the data they provide higher.
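The two-level weighting described above (silo weights into each aggregate score, plus weights on the returns inside a silo), as an added example that is not FIDO's own code or its shipped configuration. The silo names are the seven from this page; the weight matrix, the per-return scores and the source names such as `feed_a` and `cmdb_zone` are constructed assumptions for illustration, and the PCI case is shown by giving the asset value silo a high score for a host in a PCI zone:

```python
from typing import Dict, List, Tuple

# The seven scoring silos named on this wiki page.
SILOS = (
    "threat_feeds", "other_detectors", "historical", "previously_alerted",
    "machine_posture", "user_posture", "asset_value",
)

# Hypothetical weight matrix (an assumption, not FIDO's defaults): for each
# aggregate score, the fraction of that score each silo contributes.
# Every row must sum to 1.0; validate_matrix() enforces that.
WEIGHT_MATRIX: Dict[str, Dict[str, float]] = {
    "machine": {"machine_posture": 0.5, "previously_alerted": 0.2, "asset_value": 0.3},
    "user":    {"user_posture": 0.6, "previously_alerted": 0.4},
    "threat":  {"threat_feeds": 0.6, "other_detectors": 0.3, "historical": 0.1},
    "total":   {"threat_feeds": 0.25, "other_detectors": 0.15, "historical": 0.10,
                "previously_alerted": 0.10, "machine_posture": 0.15,
                "user_posture": 0.10, "asset_value": 0.15},
}


def validate_matrix(matrix: Dict[str, Dict[str, float]]) -> None:
    """Reject unknown silos and rows whose weights do not sum to 100%."""
    for score_name, row in matrix.items():
        unknown = set(row) - set(SILOS)
        if unknown:
            raise ValueError(f"{score_name}: unknown silo(s) {sorted(unknown)}")
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"{score_name}: weights sum to {sum(row.values())}, not 1.0")


def score_silo(returns: List[Tuple[str, float, float]]) -> float:
    """Score one silo from its returns: (source, score 0..100, intra-silo weight).

    The intra-silo weights are normalised, so they need not sum to 1.0.
    A silo with no returns scores 0 (nothing was found, so nothing is added).
    """
    if not returns:
        return 0.0
    total_weight = sum(w for _, _, w in returns)
    if total_weight <= 0:
        raise ValueError("intra-silo weights must be positive")
    return sum(score * w for _, score, w in returns) / total_weight


def aggregate(silo_scores: Dict[str, float],
              matrix: Dict[str, Dict[str, float]] = WEIGHT_MATRIX) -> Dict[str, float]:
    """Roll the silo scores up into machine, user, threat and total scores."""
    validate_matrix(matrix)
    return {
        name: round(sum(silo_scores.get(silo, 0.0) * w for silo, w in row.items()), 2)
        for name, row in matrix.items()
    }


def score_alert(pci_zone: bool) -> Dict[str, float]:
    """Score one constructed alert; only the asset value silo depends on the zone."""
    silo_scores = {
        # two threat feeds, the first trusted more than the second
        "threat_feeds": score_silo([("feed_a", 90, 0.7), ("feed_b", 50, 0.3)]),
        "other_detectors": score_silo([("av_console", 60, 1.0)]),
        "historical": score_silo([("past_tickets", 40, 1.0)]),
        "previously_alerted": score_silo([("prior_alerts", 20, 1.0)]),
        "machine_posture": score_silo([("patch_level", 70, 1.0)]),
        "user_posture": score_silo([("privilege", 30, 1.0)]),
        # asset value from a (constructed) CMDB lookup: PCI zone scores high
        "asset_value": score_silo([("cmdb_zone", 100 if pci_zone else 20, 1.0)]),
    }
    return aggregate(silo_scores)


if __name__ == "__main__":
    for zone in (True, False):
        print("PCI zone" if zone else "non-PCI zone", score_alert(zone))
```

With these weights the same detector returns give a total of 63.0 for the PCI host and 51.0 for the non-PCI host; raising the asset value weight in the `total` and `machine` rows (and lowering others to keep the row at 1.0) widens that gap, which is the knob the text describes. Because `validate_matrix` runs on every aggregation, a row that no longer sums to 100% fails loudly instead of silently inflating or deflating scores.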
On to the next step... Enforcement.