Alert fatigue, uncertain prioritisation, weak investigative precision, poor solution remediation, recurring issues.
The significant increase in cyber activity, coupled with the ongoing adherence to a strict “detect->investigate->respond” workflow, has resulted in an unmanageable multitude of alerts. When faced with this daily avalanche, security teams get into gear and rush to some form of prioritisation before initiating further investigation. After some further effort, a course of action is identified and (hopefully) implemented.
Wash, rinse, repeat. Exhausting.
Instead of generating a slew of alerts and then attempting to prioritize them, why is it that so few prioritize their workflow before it hits the alert queue?
A SOC doesn’t start with detection.
It starts with the identification, classification and prioritisation of assets and data. It is a threat- and risk-based exercise, typically requiring input from several parts of the business and the overarching support of a Chief Information Security Officer (CISO). Only when this has been completed can you look to generate a prioritised, orderly queue of alerts, one that is designed for analysts to vet, qualify, and investigate the most important activity first, rather than last, or never.
Business risk is dynamic too.
In addition to ever changing cyber complexities, business priorities and threats also evolve.
Whilst the reporting of past alert activity is a pretty regular feature of any SOC review, how frequently are the existing business assets and threats reviewed, classified and prioritised? How diligently are threats re-assessed?
Alerts: Re-balance towards quality over quantity
Keeping a raw count of alerts is an entertaining …distraction.
Work with your provider to ensure that you are first alerted to the activities that are of the greatest concern, or that are likely to have the greatest impact. Naturally you don’t want to miss or ignore less critical activities, but prioritising the workflow before it hits the alert queue is far more efficient than trying to do so afterwards.
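One way to put the asset-first ordering above into practice, as an added illustration rather than anything from the original post: detections are scored against a constructed asset register (criticality and data classification) and the current threat assessment before they reach the analyst queue, and any host missing from the register is surfaced for classification review. The register, weights and alerts are all hypothetical sample values.

```python
from dataclasses import dataclass

# Constructed asset register: the output of the classify-and-prioritise
# exercise the post says must precede detection. Values are hypothetical.
ASSET_REGISTER = {
    "db-payroll-01":  {"criticality": 5, "data_class": "restricted"},
    "web-shop-03":    {"criticality": 4, "data_class": "confidential"},
    "kiosk-lobby-07": {"criticality": 1, "data_class": "public"},
}
DATA_CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
# Hosts absent from the register get a conservative default and are flagged.
UNKNOWN_ASSET = {"criticality": 2, "data_class": "internal"}


@dataclass
class Alert:
    id: str
    host: str
    detection_severity: int   # 1..5, as emitted by the detection rule
    threat_relevance: float   # 0..1, from the current threat assessment


def priority_score(alert: Alert, register=ASSET_REGISTER) -> float:
    """Business-context score: rule severity scaled by asset criticality,
    data sensitivity and how relevant the threat currently is."""
    asset = register.get(alert.host, UNKNOWN_ASSET)
    data_weight = DATA_CLASS_WEIGHT[asset["data_class"]]
    # threat_relevance of 0 still halves rather than zeroes the score,
    # so stale threat assessments cannot silently bury an alert.
    return round(alert.detection_severity * asset["criticality"]
                 * data_weight * (0.5 + alert.threat_relevance), 2)


def order_queue(alerts, register=ASSET_REGISTER):
    """The queue handed to analysts: most important activity first."""
    return sorted(alerts, key=lambda a: priority_score(a, register), reverse=True)


def unclassified_hosts(alerts, register=ASSET_REGISTER):
    """Hosts seen in alerts but never classified: feed these back into the
    asset review, since the register is only useful if it stays current."""
    return sorted({a.host for a in alerts if a.host not in register})


# Constructed alerts: a noisy high-severity hit on a public kiosk versus a
# medium-severity hit on the payroll database.
SAMPLE_ALERTS = [
    Alert("A1", "kiosk-lobby-07", detection_severity=5, threat_relevance=0.9),
    Alert("A2", "db-payroll-01",  detection_severity=3, threat_relevance=0.6),
    Alert("A3", "web-shop-03",    detection_severity=2, threat_relevance=0.2),
    Alert("A4", "laptop-unknown", detection_severity=4, threat_relevance=0.5),
]
```

Run against the sample data, the raw severity order (A1, A4, A2, A3) becomes A2, A3, A4, A1, and `laptop-unknown` is reported for classification.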
In cybersecurity, detection and alerts are not the end. They are not even the beginning of the end. But they are, perhaps, the end of the beginning…