With Context to Understand and Prioritize Security Data and Alerts You Can Stay Focused on What Matters Most
As a security professional, wouldn’t it be great to be able to focus on one thing at a time and know you’re focused on the right things to protect the organization? Often, the day begins with a set of system notifications pointing us in the direction of alerts to triage or incidents to resolve. Unfortunately, these “priority” notifications are usually determined by global risk scores, not scores specific to your organization. Global scores cannot instill the level of confidence you need to make sure you’re focusing your resources on the right tasks.
Security professionals have one job: to protect the organization. However, we operate in a world with an overabundance of data and things to do. Events, alerts and incidents are coming at a fast and furious pace. Not to mention calls from executives who just heard the news about the latest cyber threat and need to know if the company is safe. How do you know where to start? Do you take that notification at face value, or pursue the execs’ hot button of the day, and hope whatever you select presents the highest risk?
The time has come to break from this routine and do things differently. You need the ability to sift through massive volumes of data and apply context to understand and prioritize so you can focus on the right things – quickly.
With a central repository you can aggregate internal threat and event data and augment it with external threat feeds. By correlating events and associated indicators from inside the environment (for example, from the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.
Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be relevant to another, which is why you need the ability to customize risk scores based on your own set of scoring parameters. By automatically prioritizing and reprioritizing as new data, context and learnings become available, you gain the intelligence you need to break out of the rut of your daily routine and focus resources on the greatest risks.
Prioritization is applicable to any use case within a Security Operations Center. Here’s just a quick look at three.
1. Vulnerability management. Prioritization can help you determine which vulnerabilities you need to address and in what order. For example, as you investigate a vulnerability related to a specific adversary campaign and indicators of compromise (IOCs), you check internal data and events. If some of those IOCs have been seen in your organization’s SIEM or ticketing system, the vulnerability is a high priority. A vulnerability that has related threats and IOCs, but whose threats have not been known to target your organization’s specific industry, should be watched but is a lower priority. A vulnerability with no known adversaries using it and no associated IOCs may indicate it is not being exploited in the real world yet and can be deprioritized for now.
2. Threat hunting. With the ability to automatically prioritize threat intelligence, you can determine what to hunt for within the environment. You can start an investigation by importing the highest-risk IOCs associated with an adversary or high-profile intrusion and then run selected operations to pull in supplemental data points. You can also compare indicators across the infrastructure with internal log data to find additional connections. As new data and learnings are added to the central repository, intelligence is continuously reprioritized to support ongoing threat hunting.
3. Spear phishing. Prioritization can help you quickly make sense of suspicious emails. Comparing indicators from emails that have been forwarded to the security team for analysis against data in the repository reveals high-risk emails, which should be prioritized for further investigation, and low-risk emails, which can be categorized as noise. You can query to identify all the spear phish recipients and then overlap those findings with vulnerability scan results to determine the scope and help accelerate response and containment.
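The organization-specific scoring described above (customizable scoring parameters, and the three vulnerability cases in use case 1: IOCs already seen internally, related threats that do not target your industry, and no known adversaries or IOCs) can be expressed as a small rule-based scorer. The following is an added example, not code from the original post or from any vendor product; the weights, thresholds, adversary names, indicators, vulnerability ids and SIEM events are constructed placeholders. It also shows the reprioritization step: the same vulnerabilities are rescored after a new internal sighting arrives, and one of them moves from "watch" to "high".

```python
"""Organization-specific vulnerability prioritization (added example, not from the post).

Scores each vulnerability from internal sightings of its IOCs and from whether
its linked adversaries are known to target our industry, using weights we set
ourselves rather than a global risk score. All sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ScoringParams:
    """Our own scoring parameters; tune these instead of trusting a global score."""
    ioc_seen_internally: int = 60         # at least one linked IOC appeared in SIEM/ticketing data
    per_extra_sighting: int = 5           # each additional distinct linked IOC seen internally
    adversary_targets_industry: int = 25  # a linked adversary is known to target our sector
    adversary_known: int = 20             # linked adversary activity exists, but not aimed at our sector
    high_threshold: int = 60              # score at or above this: address now
    watch_threshold: int = 20             # score at or above this (but below high): keep watching


@dataclass
class Vulnerability:
    vuln_id: str                          # placeholder id, not a real CVE number
    iocs: set[str] = field(default_factory=set)
    adversaries: set[str] = field(default_factory=set)


def internal_sightings(vuln: Vulnerability, internal_events: list[dict]) -> set[str]:
    """IOCs linked to the vulnerability that also appear in internal event data."""
    return {event["indicator"] for event in internal_events} & vuln.iocs


def score_vulnerability(vuln, adversary_industries, internal_events, our_industry, params) -> int:
    score = 0
    seen = internal_sightings(vuln, internal_events)
    if seen:
        score += params.ioc_seen_internally + params.per_extra_sighting * (len(seen) - 1)
    if vuln.adversaries:
        targets_us = any(our_industry in adversary_industries.get(a, set()) for a in vuln.adversaries)
        score += params.adversary_targets_industry if targets_us else params.adversary_known
    return score


def priority_label(score: int, params: ScoringParams) -> str:
    if score >= params.high_threshold:
        return "high"
    if score >= params.watch_threshold:
        return "watch"
    return "deprioritize"


def prioritize(vulns, adversary_industries, internal_events, our_industry, params=None):
    """Rank vulnerabilities by organization-specific score, highest first."""
    params = params or ScoringParams()
    rows = []
    for v in vulns:
        s = score_vulnerability(v, adversary_industries, internal_events, our_industry, params)
        rows.append({"id": v.vuln_id, "score": s, "priority": priority_label(s, params)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# --- constructed sample data (assumptions, not real threat intelligence) ----
OUR_INDUSTRY = "finance"
ADVERSARY_INDUSTRIES = {                 # external context: which groups target which sectors
    "GROUP-X": {"finance", "insurance"},
    "GROUP-Y": {"healthcare"},
}
SAMPLE_VULNS = [
    Vulnerability("VULN-A", iocs={"203.0.113.10", "update.evil.example"}, adversaries={"GROUP-X"}),
    Vulnerability("VULN-B", iocs={"198.51.100.7"}, adversaries={"GROUP-Y"}),
    Vulnerability("VULN-C"),             # no linked adversaries or IOCs
]
SIEM_EVENTS = [                          # constructed SIEM hits, keyed by the indicator they matched
    {"source": "siem", "indicator": "203.0.113.10", "host": "ws-0142"},
]


def demo_reprioritization():
    """Score once, then again after a new SIEM hit arrives for VULN-B's indicator."""
    before = prioritize(SAMPLE_VULNS, ADVERSARY_INDUSTRIES, SIEM_EVENTS, OUR_INDUSTRY)
    new_events = SIEM_EVENTS + [{"source": "siem", "indicator": "198.51.100.7", "host": "ws-0077"}]
    after = prioritize(SAMPLE_VULNS, ADVERSARY_INDUSTRIES, new_events, OUR_INDUSTRY)
    return before, after


if __name__ == "__main__":
    before, after = demo_reprioritization()
    for label, rows in (("initial", before), ("after new SIEM hit", after)):
        print(label)
        for r in rows:
            print(f"  {r['id']}: score={r['score']:3d} priority={r['priority']}")
```

In the initial pass VULN-A (an IOC seen on an internal host, adversary targets our sector) scores high, VULN-B (adversary activity exists but aimed at another sector) lands in the watch band, and VULN-C (no adversaries, no IOCs) is deprioritized. Once the SIEM reports VULN-B's indicator, rescoring promotes it to high without anyone re-reading the original notification; changing the fields of `ScoringParams` is how a different organization would encode its own view of relevance.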
Life as a security professional has never been more challenging. However, with the context to understand and prioritize data and alerts you can stay focused on what really matters to your organization. You can make better decisions around several use cases, including vulnerability management, threat hunting, spear phishing and more. And when that next news story triggers another round of calls and emails from management, you can respond to questions quickly with detail, clarity and confidence.