
SecurityWeek


A Business-Driven Approach to Prioritizing Security Alerts


Security analysts are faced with an overwhelming number of alerts to investigate across a widening array of endpoints, computing platforms and devices. To handle this mounting workload efficiently and effectively, they must prioritize. But how? 

The answer lies in providing context. Analysts need to know when a security incident could have a material impact on their organization. At a minimum, they need to know what data and assets are most sensitive and most important to the business to protect; where these data and assets reside; who (internally and externally) has access to them; and the infrastructure those individuals use to access them.

Armed with this context, analysts can prioritize alerts according to the criticality of the people, infrastructure and/or data involved. For example, an analyst receives one alert regarding a potential issue with the CFO’s laptop and another pertaining to a kiosk featuring the lunch menu in the company cafeteria. Both alerts should be evaluated (especially if a cyber attack could spread from the kiosk to critical systems), but arguably, the CFO’s laptop should come first because it provides direct access to sensitive strategic and financial information.  

Context not only helps to set investigation priorities; it also helps to drive specific triage activities and the overall nature of the response. For example, if analysts discover that a system administrator’s laptop may be infected with malware, they’ll need to identify the IT assets the administrator has access to, and remediation will take place with a distinct sense of urgency. In contrast, if a marketing intern’s laptop begins to demonstrate suspicious behavior, the investigation and remediation will look very different, assuming the intern had no access to sensitive data and systems.
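The two scenarios above (CFO laptop versus cafeteria kiosk, sysadmin laptop versus intern laptop) can be turned into a small enrichment-and-ranking step in a triage pipeline. The code below is an added example, not code from the article or from any product it refers to; the asset inventory, identity access lists, sensitivity ratings and alert records are all constructed for the example, and in a real SOC that context would come from the CMDB, the identity directory and data-classification records rather than being hard-coded.

```python
from dataclasses import dataclass

# Constructed sample inventory (assumption for this example: real deployments pull
# this context from the CMDB, the identity directory and data-classification
# records instead of hard-coding it).
ASSETS = {
    "lt-cfo-01":      {"owner": "cfo",      "data": {"financials", "board-strategy"}},
    "kiosk-cafe-01":  {"owner": None,       "data": {"lunch-menu"}},
    "lt-sysadmin-02": {"owner": "sysadmin", "data": set()},
    "lt-intern-07":   {"owner": "intern",   "data": set()},
}
IDENTITIES = {
    "cfo":      {"can_access": {"erp-finance", "board-share"}},
    "sysadmin": {"can_access": {"domain-controller", "erp-finance", "hr-db", "backup-server"}},
    "intern":   {"can_access": {"marketing-wiki"}},
}
DATA_SENSITIVITY = {"financials": 5, "board-strategy": 5, "lunch-menu": 0}
SYSTEM_CRITICALITY = {"domain-controller": 5, "erp-finance": 5, "hr-db": 4,
                      "backup-server": 4, "board-share": 4, "marketing-wiki": 1}
URGENT_THRESHOLD = 5  # data or reachable-system rating at which the response escalates


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    detection: str
    severity: int  # the detector's own 1-5 rating, before any business context


def blast_radius(host):
    """Systems reachable from this host through its owner's access rights."""
    owner = ASSETS.get(host, {}).get("owner")
    if owner is None:
        return set()
    return set(IDENTITIES.get(owner, {}).get("can_access", ()))


def enrich(alert):
    """Attach business context: data on the host, systems it can reach, a score."""
    asset = ASSETS.get(alert.host)
    data_rating = max((DATA_SENSITIVITY.get(d, 0) for d in asset["data"]), default=0) if asset else 0
    reach = blast_radius(alert.host)
    reach_rating = max((SYSTEM_CRITICALITY.get(s, 0) for s in reach), default=0)
    urgent = data_rating >= URGENT_THRESHOLD or reach_rating >= URGENT_THRESHOLD
    return {
        "alert_id": alert.alert_id,
        "host": alert.host,
        "in_inventory": asset is not None,  # a missing inventory record is itself a finding
        "score": alert.severity + data_rating + reach_rating,
        "blast_radius": sorted(reach),
        "response": "contain-and-review-access" if urgent else "standard-investigation",
    }


def rank_alerts(alerts):
    """Highest business-impact alerts first; detector severity breaks ties."""
    enriched = [enrich(a) for a in alerts]
    severity = {a.alert_id: a.severity for a in alerts}
    return sorted(enriched, key=lambda e: (e["score"], severity[e["alert_id"]]), reverse=True)


if __name__ == "__main__":
    # Constructed alert queue: the kiosk alert has the higher detector severity,
    # but business context puts the CFO and sysadmin laptops ahead of it.
    queue = [
        Alert("A-1", "kiosk-cafe-01", "outbound beacon", 4),
        Alert("A-2", "lt-cfo-01", "suspicious process", 3),
        Alert("A-3", "lt-intern-07", "suspicious process", 4),
        Alert("A-4", "lt-sysadmin-02", "suspicious process", 4),
    ]
    for e in rank_alerts(queue):
        print(e["alert_id"], e["host"], e["score"], e["response"], e["blast_radius"])
```

Nothing is dropped from the queue: the kiosk alert is still there to be evaluated, it simply lands at the bottom. The `blast_radius` list for the sysadmin laptop is what drives the different triage path, since it names the systems whose access must be reviewed during containment, while the intern's laptop with no sensitive reach stays on the standard path.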

These examples demonstrate the power of a business-driven approach to security, and more specifically, how such an approach can improve threat response. By putting security alerts in the context of what matters most to the business, analysts can respond to the right incidents, at the right time, in the right manner.

Providing your analysts with the business context they need to rapidly identify and respond to the highest priority incidents is essential in today’s environment, where security resources are scarce and threats abound. Seek out security tools that link business context with security incidents, and that make it easy for analysts to immediately see which alerts are highest priority and affect the people, data and infrastructure that matter most. Prioritization may be one of our best defenses against ever-growing threats.
