Over the past twelve months, enterprises have continued to face an onslaught of security data from disparate systems, platforms and applications describing the state of the network, potential threats and suspicious behaviour. This continues to challenge every Security Operations Centre (SOC) and Incident Response (IR) team as they try to improve security operations, vulnerability management and incident response through better and faster decision making.
To do this, many organizations are bringing in more data feeds (both threat and vulnerability) and investing in behavioural analytics and detection tools. Unfortunately, this is not driving improved decision making. Instead, it is burying staff under data, and the result is a decline in decision-making capability caused by alert fatigue.
To combat this, organizations should follow five simple steps to enable better and faster decision making.
Step One: Make Prioritization the First Priority
Separating the probable from the possible with context enables analysts to distinguish one high priority alert from another, and so to prioritize. Prioritization is critical; to underscore the point, the National Institute of Standards and Technology (NIST) states in its Computer Security Incident Handling Guide (SP 800-61), “prioritizing the handling of the incident is perhaps the most critical decision point in the incident handling process.” Prioritization applies not just to incident response, but to all critical alerts. The ability to prioritize gives analysts the breathing room they need to focus on what matters, addressing the highest priority alerts first.
Step Two: Gain Context
Alert triage reduces alert fatigue by letting analysts quickly differentiate one high priority alert from another. The best way to achieve this differentiation is to incorporate contextual information. The right context lets analysts separate alerts carrying immediate risk from those that carry high but not immediate risk and can be addressed later.
One of the best ways to gain context is to aggregate internal security indicators (indicators of compromise and event data) and validate and correlate them against external threat intelligence. Unfortunately, most organizations bring in threat intelligence only after they have already classified an event as suspicious. We see this as a missed opportunity, because threat intelligence provides valuable context long before an event is considered suspicious.
The right context helps the SOC and IR teams separate the possible from the probable. Without it, everything is possible, and all high priority alerts look equal. For example, an alert for anomalous outbound activity from a bank’s development server is possibly malicious: it requires further investigation whether the underlying event turns out to be malicious or benign. In contrast, if threat intelligence shows that the destination IP addresses are command and control (C&C) sites explicitly targeting financial services organizations, the alert is probably a beacon and requires immediate blocking and incident response.
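The bank example above can be made mechanical. The following is an added example, not ThreatQuotient code, of enriching anomalous-outbound alerts with an indicator feed and sorting them into "probable" (block and respond) versus "possible" (investigate). The feed, the alerts, the hostnames, the `MAX_INDICATOR_AGE` and `MIN_CONFIDENCE` thresholds and the internal address ranges are all constructed for the example; the IP addresses come from the RFC 5737 documentation ranges and are not real indicators. It also shows the caveat a practitioner would want: a match alone is not enough, since a stale or low-confidence C2 indicator is surfaced as context but does not by itself justify blocking.

```python
"""Alert triage with threat-intelligence context (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed clock so results are reproducible
MAX_INDICATOR_AGE = timedelta(days=90)             # assumed policy: older sightings are stale
MIN_CONFIDENCE = 70                                 # assumed policy: feed confidence needed to act
# Assumed internal ranges (RFC 1918); a real deployment would use its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Indicator:
    value: str            # IP address as a string
    kind: str             # "c2", "scanner", ...
    sectors: frozenset    # sectors the actor is known to target; empty = unknown
    confidence: int       # 0-100, as assigned by the feed
    last_seen: datetime   # last time the feed observed the indicator in use


@dataclass(frozen=True)
class Alert:
    alert_id: str
    src_host: str
    dst_ip: str
    summary: str


@dataclass(frozen=True)
class Triage:
    alert_id: str
    level: str      # "probable" or "possible"
    action: str     # "block_and_respond" or "investigate"
    reasons: tuple  # human-readable justification, most important last


# Constructed intel feed: fresh C2 targeting finance, stale C2, and a low-confidence scanner.
INTEL = {
    "203.0.113.7": Indicator("203.0.113.7", "c2", frozenset({"financial"}), 92, NOW - timedelta(days=2)),
    "198.51.100.23": Indicator("198.51.100.23", "c2", frozenset({"healthcare"}), 88, NOW - timedelta(days=400)),
    "192.0.2.44": Indicator("192.0.2.44", "scanner", frozenset(), 35, NOW - timedelta(days=1)),
}

# Constructed alerts from a behavioural detection tool: all look identical without context.
ALERTS = [
    Alert("A-1", "bank-dev-01", "203.0.113.7", "anomalous outbound connection"),
    Alert("A-2", "bank-dev-01", "198.51.100.23", "anomalous outbound connection"),
    Alert("A-3", "bank-dev-02", "192.0.2.44", "anomalous outbound connection"),
    Alert("A-4", "bank-dev-02", "10.20.30.40", "anomalous outbound connection"),
    Alert("A-5", "bank-dev-03", "203.0.113.99", "anomalous outbound connection"),
]


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def triage(alert: Alert, intel: dict, our_sector: str, now: datetime = NOW) -> Triage:
    """Decide whether an alert is merely possible or probably malicious.

    Every anomalous outbound alert starts as 'possible' and must be investigated.
    Only a fresh, high-confidence C2 indicator upgrades it to 'probable'.
    """
    reasons = [f"{alert.summary} from {alert.src_host}"]
    ip = ipaddress.ip_address(alert.dst_ip)
    if is_internal(ip):
        reasons.append("destination is an internal address; intel lookup skipped")
        return Triage(alert.alert_id, "possible", "investigate", tuple(reasons))

    ind = intel.get(alert.dst_ip)
    if ind is None:
        reasons.append("no indicator match")
        return Triage(alert.alert_id, "possible", "investigate", tuple(reasons))

    age = now - ind.last_seen
    if ind.kind != "c2":
        reasons.append(f"indicator kind '{ind.kind}' is not C2")
    elif age > MAX_INDICATOR_AGE:
        reasons.append(f"C2 indicator is stale ({age.days} days since last seen); re-verify before blocking")
    elif ind.confidence < MIN_CONFIDENCE:
        reasons.append(f"C2 indicator confidence {ind.confidence} is below threshold {MIN_CONFIDENCE}")
    else:
        reasons.append(f"fresh C2 indicator (confidence {ind.confidence}, seen {age.days} days ago)")
        if our_sector in ind.sectors:
            reasons.append(f"actor known to target the {our_sector} sector")
        return Triage(alert.alert_id, "probable", "block_and_respond", tuple(reasons))
    return Triage(alert.alert_id, "possible", "investigate", tuple(reasons))


def prioritize(alerts, intel: dict, our_sector: str) -> list:
    """Triage every alert and put the 'probable' ones first (stable sort keeps feed order otherwise)."""
    results = [triage(a, intel, our_sector) for a in alerts]
    return sorted(results, key=lambda t: t.level != "probable")


if __name__ == "__main__":
    for t in prioritize(ALERTS, INTEL, "financial"):
        print(t.alert_id, t.level.upper(), t.action, "|", "; ".join(t.reasons))
```

Only A-1 comes out as probable; A-2 matches a C2 indicator too, but the match is over a year old and the example reports it as context to re-verify rather than as grounds to block. That is the practical difference between "the IP is on a list" and "the IP is a C&C site actively targeting our sector".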
Step Three: Focus on Making Better Decisions
By reducing noise and providing a means to differentiate one high priority event from another, security analysts can focus without incurring alert fatigue, and when analysts focus, they make better decisions. This is where team orchestration comes in: every member of the team must have the same understanding of the situation, the risks, the impacts and the next steps.
Team coordination is a top challenge for security and risk managers. To address it, some organizations are introducing playbooks into their SOC and IR activities. Playbooks map out the critical steps for moving from detection of a suspicious event to classification, analysis and response; they are also a flow model for executing repeatable steps along the incident response path. These models are extremely helpful for mapping, and in some cases automating, stages of the process. However, playbooks are static and limited in their ability to affect team decision making, because they lack a crucial ingredient: real-time, situational intelligence.
Step Four: Increase Effectiveness through Situational Intelligence
There is a difference between getting everyone on the same page and making sure everyone has the information they need to do their job. For example, a threat analyst looks for information about active threats in the wild, known threats to the organization and the unique indicators of the potential threat actor, with an emphasis on the reconnaissance, weaponization, delivery and exploitation steps of the Cyber Kill Chain (CKC). Contrast this with an IR analyst, who focuses on indicators of compromise (IoCs) related to the exploitation, installation, C&C and actions on objectives steps of the CKC. Both team members are working on the same problem, but their intelligence needs are different, yet related.
We call this different-yet-related intelligence situational intelligence: presenting the right information to the right person at the right time. Situational intelligence derives from bringing together the machine data generated by all the security devices (e.g., SIEM, IDS/IPS, endpoint, HIDS and firewall) and integrating it with threat intelligence. The goal is to provide situationally relevant insights to the team member analyzing the data. Situational intelligence gives each team member the actionable information they need to work more efficiently and effectively as part of a team effort. When all team members have the right information at the right time and the team is operating on the same page, we call this universal understanding. Universal understanding is the tipping point in team dynamics at which the team operates at full effectiveness.
Step Five: Collaborate to Make Better Security Decisions, Faster
So far, I have outlined the mechanics of making better decisions. How do organizations make better decisions faster?
This is where a collaborative investigation workspace comes in: it takes the playbook concept, makes it dynamic to reflect real-time team decision making, and puts it into action through automation. The underlying framework and flow are laid out, and the actions and interactions of the team are tracked in real time. A seamless collaboration workspace enables team members to make better decisions, faster, by providing:
- A global view: A universal perspective showing all teams and team members involved in the investigation and their activities, across the entire organization, divided by region or speciality focus.
- Focused knowledge: Keeping the big picture in mind with consistent, shared global knowledge, while still supporting localized concentration.
- Test, then talk capability: Team members can work through their hypotheses in parallel, test their theories, and then report to the broader team.
Security teams continue to face significant alert fatigue from a continual barrage of high priority alerts. The expanding threat landscape and the increasingly dynamic nature of IT operations are the primary contributors to this escalation.
The only way SOC and IR teams can overcome alert fatigue is to introduce threat intelligence to add context, which in turn enables prioritization and triage. Doing this helps the team make better decisions, but the team also needs to be aligned and synchronized.
This is challenging for many teams because they are dispersed and specialized. They need a consistent way to operate, so that everyone is on the same page while still focusing on their own role in the decision-making process. Achieving this requires situational intelligence and a seamless collaborative environment. Ultimately, doing all of the above positions teams for universal understanding, which is the basis for making better decisions, faster.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.