A Business-Driven Approach to Prioritizing Security Alerts

Prioritizing Security Alerts

Security analysts are faced with an overwhelming number of alerts to investigate across a widening array of endpoints, computing platforms and devices. To handle this mounting workload efficiently and effectively, they must prioritize. But how?

The answer lies in providing context. Analysts need to know when a security incident could have a material impact on their organization. At a minimum, they need to know what data and assets are most sensitive and most important to the business to protect; where these data and assets reside; who (internally and externally) has access to them; and the infrastructure those individuals use to access them.

Armed with this context, analysts can prioritize alerts according to the criticality of the people, infrastructure and/or data involved. For example, an analyst receives one alert regarding a potential issue with the CFO’s laptop and another pertaining to a kiosk featuring the lunch menu in the company cafeteria. Both alerts should be evaluated (especially if a cyber attack could spread from the kiosk to critical systems), but arguably, the CFO’s laptop should come first because it provides direct access to sensitive strategic and financial information.

Context not only helps to set investigation priorities; it also helps to drive specific triage activities and the overall nature of the response. For example, if analysts discover that a system administrator’s laptop may be infected with malware, they’ll need to identify the IT assets the administrator has access to, and remediation will take place with a distinct sense of urgency. In contrast, if a marketing intern’s laptop begins to demonstrate suspicious behavior, the investigation and remediation will look very different, assuming the intern had no access to sensitive data and systems.

These examples demonstrate the power of a business-driven approach to security, and more specifically, how such an approach can improve threat response. By putting security alerts in the context of what matters most to the business, analysts can respond to the right incidents, at the right time, in the right manner.
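The following is an added example, not code from the article or from RSA NetWitness, showing how the business context described above (asset criticality plus who can reach what) can be turned into an alert ranking. The asset inventory, access graph and alerts are constructed for illustration; a real deployment would pull them from a CMDB, directory and SIEM.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed asset inventory: name -> business criticality, 1 (low) to 5 (high).
CRITICALITY: Dict[str, int] = {
    "cfo-laptop": 5, "sysadmin-laptop": 3, "intern-laptop": 1, "cafeteria-kiosk": 1,
    "erp-finance": 5, "domain-controller": 5, "crm": 4, "lunch-menu-cms": 1,
}

# Constructed access graph: from an asset, which other assets can be reached using the
# credentials, admin rights or trust present on it (the owner's logins, a shared segment).
REACHES: Dict[str, List[str]] = {
    "cfo-laptop": ["erp-finance", "crm"],
    "sysadmin-laptop": ["domain-controller"],
    "domain-controller": ["erp-finance", "crm", "cfo-laptop", "sysadmin-laptop", "intern-laptop"],
    "intern-laptop": [],
    "cafeteria-kiosk": ["lunch-menu-cms"],
    "lunch-menu-cms": [],
}

# Constructed alerts as a detection tool might emit them: severity is the tool's own
# 1-3 rating, which knows nothing about the business value of the host.
SAMPLE_ALERTS: List[dict] = [
    {"id": "A1", "host": "cafeteria-kiosk", "severity": 3},
    {"id": "A2", "host": "cfo-laptop", "severity": 2},
    {"id": "A3", "host": "intern-laptop", "severity": 3},
    {"id": "A4", "host": "sysadmin-laptop", "severity": 1},
]


def blast_radius(host: str) -> List[str]:
    """Assets an intruder on `host` could reach, found by BFS over the access graph."""
    seen, queue = {host}, deque([host])
    while queue:
        for nxt in REACHES.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(host)
    return sorted(seen)


def priority(host: str) -> Tuple[int, int]:
    """(highest criticality reachable from host, number of reachable assets)."""
    reach = blast_radius(host)
    top = max([CRITICALITY.get(host, 1)] + [CRITICALITY.get(a, 1) for a in reach])
    return top, len(reach)


def rank_alerts(alerts: List[dict]) -> List[dict]:
    """Business context first, tool severity only as a tie-breaker."""
    return sorted(alerts, key=lambda a: priority(a["host"]) + (a["severity"],), reverse=True)
```

With this inventory the sysadmin's laptop outranks the CFO's because the domain controller it can reach puts every other asset in scope, and the kiosk's "high" tool severity does not lift it above either.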

Providing your analysts with the business context they need to rapidly identify and respond to the highest priority incidents is essential in today’s environment, where security resources are scarce and threats abound. Seek out security tools that link business context with security incidents, and that make it easy for analysts to immediately see which alerts are highest priority and affect the people, data and infrastructure that matter most. Prioritization may be one of our best defenses against ever-growing threats.

Michael Adler serves as the Vice President, Product, NetWitness, responsible for RSA’s NetWitness Suite product portfolio including Advanced Threat Protections for Logs, Packets and Endpoints. Michael has held previous positions at Constant Contact and Symantec. At Symantec Michael was part of the product teams that took Brightmail Email hygiene to a leadership position in the Gartner MQ, shipped Symantec Endpoint Protection to 100 million endpoints and founded the Enterprise Mobile Security product team.