Network history: Why it's important and who's responsible for it

12.09.2012

Under the hood, the network management and SIEM platforms that raise these alarms are large, highly sophisticated correlation engines, sifting through vast amounts of data in order to generate intelligence (alarms) that someone somewhere inside the NOC or SOC has to deal with.

The problem with any system based on statistical correlation is that it is inferential, not evidentiary: it reports that something probably happened, not that it did. As with any system that isn't fact-based, there's a risk that it generates false positives. Many alarms are black-and-white and the remediation process is straightforward, but there's also a lot of gray involved in the process, and where there's gray there's risk.

Engineers can't just ignore alarms; they are required to act, either to acknowledge and dismiss or to engage and react. In many instances the remediation is straightforward and affects no one (a simple firewall rule change, perhaps), but in others the action is significant and affects a lot of people.

If you're about to take the CEO's videoconference down because of a suspected , then you'll want to be certain you have your facts straight before you hit the button. But how do you get that assurance? Well, there's really only one option: Analyze the actual packets associated with the event before you act.

A comprehensive network recording strategy is the practical answer here, and large organizations are starting to deploy network recording infrastructure to complement their net management and SIEM investments. For the recording to be useful at decision time it has to capture full packets rather than flow summaries, keep them long enough to cover the SIEM's alerting delay, and timestamp them from the same clock the SIEM uses, so that an alarm can be tied to exactly the packets that caused it.
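The step the column argues for, going from an alarm to the packets behind it, looks like this in practice. The following is an added example and not code from the original article or from any product it refers to. It assumes the recording is a standard pcap file (Ethernet link type) and that the alarm is expressed as a source, destination, destination port, protocol and time window; the capture bytes, the host addresses and the "beacon" alarm are constructed here for illustration.

```python
"""Pull the packets behind a SIEM alarm out of a pcap recording (added example)."""
import socket
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_packet(ts, src, dst, proto, sport, dport, payload):
    """Build one pcap record (Ethernet/IPv4/TCP-or-UDP) for constructed test data.
    MACs are zero and checksums are left at zero; a real recorder fills them in."""
    l4_len = (20 if proto == PROTO_TCP else 8) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    if proto == PROTO_TCP:
        l4_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4_hdr = struct.pack("!HHHH", sport, dport, l4_len, 0)
    frame = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip_hdr + l4_hdr + payload
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_pcap(records):
    """Little-endian pcap global header (v2.4, snaplen 65535, link type 1 = Ethernet)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


def _decode_frame(frame):
    """Decode Ethernet/IPv4/(TCP|UDP); anything else is ignored for this example."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        hlen = (l4[12] >> 4) * 4
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        hlen = 8
    else:
        return None
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "payload": l4[hlen:]}


def parse_pcap(data):
    """Walk a pcap file and return decoded packets with float timestamps."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled in this example")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < incl:      # truncated final record: stop rather than misparse
            break
        pkt = _decode_frame(frame)
        if pkt:
            pkt["ts"] = sec + frac / (1e9 if nanos else 1e6)
            packets.append(pkt)
    return packets


def packets_for_alarm(pcap_bytes, alarm):
    """Packets of the alarm's flow (both directions) inside its window, in time order."""
    key = (alarm["src"], alarm["dst"], alarm["dport"])
    hits = []
    for p in parse_pcap(pcap_bytes):
        if p["proto"] != alarm["proto"] or not alarm["start"] <= p["ts"] <= alarm["end"]:
            continue
        forward = (p["src"], p["dst"], p["dport"]) == key
        reverse = (p["dst"], p["src"], p["sport"]) == key
        if forward or reverse:
            hits.append(p)
    return sorted(hits, key=lambda p: p["ts"])


def evidence_summary(hits):
    """What the analyst needs before pushing the button. No packets means the
    alarm cannot be validated from the recording, so it must not be acted on blindly."""
    return {"packets": len(hits),
            "bytes": sum(len(p["payload"]) for p in hits),
            "first_payload": hits[0]["payload"][:16] if hits else b"",
            "confirmable": bool(hits)}


# Constructed recording: a suspected beacon from 10.0.0.5, the CEO's video call from
# 10.0.0.9 (UDP, different flow), and a 10.0.0.5 packet that falls outside the window.
SAMPLE_PCAP = build_pcap([
    build_packet(1000.0, "10.0.0.5", "203.0.113.7", PROTO_TCP, 51000, 443, b"\x16\x03\x01\x00\x2c\x01"),
    build_packet(1000.2, "203.0.113.7", "10.0.0.5", PROTO_TCP, 443, 51000, b"\x16\x03\x03\x00\x31\x02"),
    build_packet(1001.0, "10.0.0.9", "198.51.100.4", PROTO_UDP, 40000, 3478, b"\x00\x01\x00\x00"),
    build_packet(1060.0, "10.0.0.5", "203.0.113.7", PROTO_TCP, 51002, 443, b"GET / HTTP/1.1\r\n"),
    build_packet(1200.0, "10.0.0.5", "203.0.113.7", PROTO_TCP, 51003, 443, b"late"),
])
# Hypothetical alarm as a SIEM might emit it: flow key plus the window it fired on.
BEACON_ALARM = {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443,
                "proto": PROTO_TCP, "start": 990.0, "end": 1100.0}

if __name__ == "__main__":
    print(evidence_summary(packets_for_alarm(SAMPLE_PCAP, BEACON_ALARM)))
```

The matching is deliberately narrow (same protocol, same flow key, same window) so that the video call on another host never shows up in the evidence for the beacon alarm; the `confirmable` flag is the practical guard the column calls for, since an alarm with no packets behind it in the recording is exactly the gray case you do not act on.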