What are the most effective strategies for detecting advanced persistent threats (APTs) in a large, decentralized network, and how do you balance false positives and false negatives in your detection algorithms?

Threat intelligence helps inform APTs relevant to your region, sector and organisation enabling you to understand relevant TPPs and priorities for detection, threat hunting and preventative controls. 

To minimise false positives focus on critical assets and understand normal behaviour. AI/ML enable anomaly detection at scale. 

Threat hunting is an active information security process and strategy used by security analysts. It consists of searching iteratively through network, cloud, and endpoint system logs to detect indicators of compromise (IoCs); threat actor tactics, techniques, and procedures (TTPs); and threats such as advanced persistent threats (APTs) that are evading your existing security system. 

Tools include:
-End Detection and Response (EDR): Is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.

-Network-based Intrusion Detection System (NIDS): Helps monitor cloud, on-premise and hybrid environments for suspicious events leading to a compromise.

-Host-based Intrusion Detection System (HIDS): Is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates.

I recommend using advanced technologies such as behavior-based analysis, monitoring (SIEM, EDR, Network Traffic Analysis) and utilizing threat intelligence to stay updated with the latest security news.

Additionally, it's important to have well-defined policies and procedures in place. This includes determining approved software and hardware and establishing standard procedures. Doing so will help reduce the number of false positives. A change management policy will help identify changes in the environment and differences in abnormal change.