How Seemingly Insignificant Data Points Add Precision to Open XDR

essidsolutions

With the sheer number of alerts bombarding security teams, even complete triage is not always possible. Expert security analysts scan the alerts and determine the most significant ones. While their judgment or instinct is generally correct in highlighting alerts that likely indicate significant security events or incidents, smaller, seemingly insignificant findings are often ignored. Sometimes these are meant to be reviewed later, but that rarely happens if new alerts keep pouring in.

The Process of Prioritizing Alerts

Teams determine top priority alerts based on several factors:

  1. The tool that generated the alert has already placed it in its highest-severity category. Harried analysts look to these first when performing triage.
  2. Security teams prioritize alerts about more important infrastructure or attack surface parts. For instance, an alert that indicates an event inside a data center carries more weight than a general network alert or something happening on an endpoint.
  3. Similarly, certain tools take priority over others, particularly because of what they monitor and how they operate. Indications of lateral movement rank above general intrusion detection alerts, and tools that use behavioral analytics usually command more attention than those that don’t because they help catch unknown attacks.
  4. Analysts want to avoid false positives and will rule out anything that smacks of being erroneous or insignificant.

Even after all these assessments, there are still a considerable number of alerts in a “hard to tell” or “it’s probably nothing” category. In an ideal world, these would all be investigated in due time. Unfortunately, with the unrelenting number of new alerts and other demands pressing upon teams, an analyst rarely has the luxury of investigating these, even later. They are quickly forgotten…

Determining the Role of Minor Alerts

There is nothing wrong with how security teams triage, nor with minor alerts being assigned lower priority. But should these minor alerts be ignored altogether? The reality is that when push comes to shove and teams are understaffed and overworked, minor alerts remain ignored. Is there value in these alerts? Many are likely of no consequence. Some, however, might make all the difference between finding an attack early and not finding it until after the damage is already done.

These lesser alerts may be important in two ways. First, it may be that individually, the alerts cannot convey anything that seems significant. When considered together, however, they may point to attack activity that might otherwise be missed. In this case, the whole picture is far more valuable than the individual alerts or data points.

Every Data Point Matters

Putting these data points together may not be intuitive when they are spread across a large team or buried among the many findings a single analyst has to scan or review. One premise of Open XDR is that every data point matters, and “the more, the merrier” when it comes to feeding input into the system. Some of these data points may turn out not to matter, but including them helps ensure that no potentially important clue is missed; others may provide essential context or corroboration of attack activity.

Think of it this way. In a large retail store, a person walking in with a hat, dark sunglasses, or a hoodie may not raise any concerns, but if, within two minutes, ten similarly outfitted individuals walk in, that might warrant attention. Or, if a person with a hoodie walks in, and then several small disturbances occur (a person falling, something getting knocked over or spilling, etc.) and one of the security cameras mysteriously goes out, that might be a solid clue that something strange and potentially damaging is going on.


Automating Comprehensive Data Review with Open XDR

The key to an Open XDR system is using advanced machine learning to automatically correlate these findings and see the forest for the trees in a way individuals or teams may not. Such systems welcome data from all sources, a volume that even well-staffed teams with reasonable workloads could not handle. Reviewed manually, each data point may be considered minor or insignificant because it is only slightly anomalous and nowhere near any threshold for being malicious; properly correlated and analyzed, the same points provide a more precise picture of attack activity. For instance, some alerts may signal a substantial change indicative of something malicious, such as an email click-through to a suspicious website or an unknown PowerShell script executing with high privilege on an endpoint. Other alerts may look like day-to-day business activity, such as a large volume of data transfer between internal assets or a SaaS app (like Office 365) sharing policy change.

A second way that lesser alerts might be vitally important is as corroborating data or evidence for higher-priority alerts that get some review or assessment but would ultimately have been dismissed. Security analysts are somewhat more likely to connect the minor and major findings, but the tendency is still to miss the connection simply because of the volume of alerts, the amount of work, and the lack of resources. Again, a good Open XDR system should be able to correlate the minor data points with the major ones to increase the precision and speed of finding an active attack. Whether serving as an individual data point that establishes the big picture or as corroboration, “minor” data points are important for the speed and fidelity of uncovering potential attack activity.
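As an added illustration (not code from the article or from any Open XDR product), the minimal Python correlator below shows both cases described above: alerts about one user that are individually below the escalation threshold but cross it together when they arrive from several tools within a short window, and a near-threshold alert that a single minor corroborating signal pushes over the line. The alert names, scores, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:
    ts: datetime   # when the tool raised the alert
    entity: str    # the user or host the alert concerns
    source: str    # the tool that produced it
    name: str
    score: int     # the tool's own severity, 1 (noise) .. 10 (critical)

# Constructed sample alerts (not from the article or any product); scores are
# assumptions. No single alert reaches the escalation threshold of 8.
ALERTS = [
    Alert(datetime(2024, 1, 9, 9, 2), "alice", "email-gw", "click-through to suspicious website", 3),
    Alert(datetime(2024, 1, 9, 9, 10), "alice", "edr", "unknown PowerShell script run with high privilege", 4),
    Alert(datetime(2024, 1, 9, 9, 25), "alice", "netflow", "large data transfer between internal assets", 2),
    Alert(datetime(2024, 1, 9, 9, 31), "alice", "saas", "Office 365 sharing policy changed", 2),
    # carol: a near-threshold EDR alert that would be dismissed on its own,
    # plus a minor SaaS change twenty minutes later that corroborates it
    Alert(datetime(2024, 1, 9, 11, 0), "carol", "edr", "suspicious credential access tool", 7),
    Alert(datetime(2024, 1, 9, 11, 20), "carol", "saas", "Office 365 sharing policy changed", 2),
    # bob: the same minor alerts as alice, but hours apart, so no incident
    Alert(datetime(2024, 1, 9, 14, 0), "bob", "netflow", "large data transfer between internal assets", 2),
    Alert(datetime(2024, 1, 9, 17, 0), "bob", "edr", "unknown PowerShell script run with high privilege", 4),
]

def correlate(alerts, window=timedelta(minutes=60), threshold=8, min_sources=2):
    """Group alerts per entity and report an incident for the first window in
    which the summed score reaches `threshold` and the alerts come from at
    least `min_sources` different tools, so single-tool noise stays noise.
    Returns (entity, total_score, sorted source names) tuples."""
    by_entity = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_entity[a.entity].append(a)
    incidents = []
    for entity, evs in by_entity.items():
        for i, first in enumerate(evs):
            group = [a for a in evs[i:] if a.ts - first.ts <= window]
            total = sum(a.score for a in group)
            sources = {a.source for a in group}
            if total >= threshold and len(sources) >= min_sources:
                incidents.append((entity, total, sorted(sources)))
                break  # one incident per entity is enough to trigger triage
    return incidents
```

Running `correlate(ALERTS)` escalates alice (four minor alerts, combined score 11) and carol (7 + 2 = 9), while bob's two alerts, separated by three hours, stay unescalated.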

The task of finding an active attack quickly and with a high degree of accuracy is difficult. The odds are overwhelmingly in favor of an attacker not being detected. To vastly change the odds, an entirely new approach to security is needed, one where every data point is important and counts towards finding what might otherwise be hidden. By moving from complete dependence on individual security tools to centralizing all data and alerts—including the large and the small—such as with Open XDR, organizations can gain new advantages over attackers and no longer be relegated to the losing end. Ideally, data should not be ignored but rather considered in total to give organizations an edge in preventing or mitigating attacks.
