A Business-Driven Approach to Prioritizing Security Alerts

Security analysts are faced with an overwhelming number of alerts to investigate across a widening array of endpoints, computing platforms and devices. To handle this mounting workload efficiently and effectively, they must prioritize. But how?

The answer lies in providing context. Analysts need to know when a security incident could have a material impact on their organization. At a minimum, they need to know what data and assets are most sensitive and most important to the business to protect; where these data and assets reside; who (internally and externally) has access to them; and the infrastructure those individuals use to access them.

Armed with this context, analysts can prioritize alerts according to the criticality of the people, infrastructure and/or data involved. For example, an analyst receives one alert regarding a potential issue with the CFO’s laptop and another pertaining to a kiosk featuring the lunch menu in the company cafeteria. Both alerts should be evaluated (especially if a cyber attack could spread from the kiosk to critical systems), but arguably, the CFO’s laptop should come first because it provides direct access to sensitive strategic and financial information.

Context not only helps to set investigation priorities; it also helps to drive specific triage activities and the overall nature of the response. For example, if analysts discover that a system administrator’s laptop may be infected with malware, they’ll need to identify the IT assets the administrator has access to, and remediation will take place with a distinct sense of urgency. In contrast, if a marketing intern’s laptop begins to demonstrate suspicious behavior, the investigation and remediation will look very different, assuming the intern had no access to sensitive data and systems.
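The ranking and triage logic the two examples above describe (CFO laptop versus cafeteria kiosk, system administrator versus marketing intern) can be made concrete as a small scoring routine that joins each alert to an asset inventory carrying the business context the article lists: data sensitivity, owner role, what the owner can reach, and where the asset sits. The Python below is an added illustration, not code from the article or from any product; the inventory, the role and zone weights, and the sample alerts are all constructed placeholder values.

```python
from dataclasses import dataclass

# --- constructed sample inventory: placeholder assets, not real systems ---


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner_role: str          # who uses the asset
    data_sensitivity: int    # 0 = public ... 3 = restricted (financials, credentials)
    reachable_critical: int  # number of critical systems the owner can reach from it
    zone: str                # network segment the asset lives in


@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset_id: str
    tool_severity: int       # 1 (low) .. 4 (critical), as reported by the detection tool
    signal: str


# Weights are assumptions for this example; an organisation would tune them.
ROLE_WEIGHT = {"cfo": 3.0, "sysadmin": 3.0, "intern": 1.0, "unattended": 0.5}
ZONE_WEIGHT = {"exec": 1.5, "it-admin": 1.5, "corp": 1.0, "guest": 0.5}

INVENTORY = {
    "lap-cfo-01": Asset("lap-cfo-01", "cfo", 3, 4, "exec"),
    "kiosk-cafe-01": Asset("kiosk-cafe-01", "unattended", 0, 0, "guest"),
    "lap-sysadmin-07": Asset("lap-sysadmin-07", "sysadmin", 2, 40, "it-admin"),
    "lap-intern-22": Asset("lap-intern-22", "intern", 0, 0, "corp"),
}


def business_context_score(asset: Asset) -> float:
    """Sensitivity and reach dominate; role and zone scale the result."""
    # Cap reach so one highly connected admin host does not swamp every other factor.
    reach = min(asset.reachable_critical, 10) / 10.0
    base = 1.0 + asset.data_sensitivity + 3.0 * reach
    return base * ROLE_WEIGHT.get(asset.owner_role, 1.0) * ZONE_WEIGHT.get(asset.zone, 1.0)


def priority(alert: Alert, inventory: dict = INVENTORY) -> float:
    """Tool severity multiplied by business context; unknown assets get a middling context."""
    asset = inventory.get(alert.asset_id)
    context = 2.0 if asset is None else business_context_score(asset)
    return alert.tool_severity * context


def response_profile(alert: Alert, inventory: dict = INVENTORY) -> str:
    """Context also shapes the response, not just the order of investigation."""
    asset = inventory.get(alert.asset_id)
    if asset is None:
        return "identify-asset-first"
    if asset.reachable_critical > 0 or asset.data_sensitivity >= 2:
        return "urgent-containment"   # admin reach or sensitive data: contain, then enumerate access
    return "standard-triage"


def prioritize(alerts: list, inventory: dict = INVENTORY) -> list:
    """Return (alert_id, priority, response profile) tuples, highest priority first."""
    ranked = sorted(alerts, key=lambda a: priority(a, inventory), reverse=True)
    return [(a.alert_id, round(priority(a, inventory), 1), response_profile(a, inventory))
            for a in ranked]


# Constructed alerts: note the kiosk and intern alerts carry a HIGHER tool severity
# than the CFO and sysadmin alerts, yet rank lower once context is applied.
SAMPLE_ALERTS = [
    Alert("A-1", "kiosk-cafe-01", 3, "unexpected outbound connection"),
    Alert("A-2", "lap-cfo-01", 2, "suspicious macro execution"),
    Alert("A-3", "lap-intern-22", 3, "unusual process tree"),
    Alert("A-4", "lap-sysadmin-07", 2, "credential-dumping tool signature"),
    Alert("A-5", "unknown-host", 2, "beaconing pattern"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS):
        print(row)
```

With the sample data the system administrator's laptop ranks first and the CFO's laptop second, both flagged for urgent containment, while the kiosk drops to the bottom despite its higher tool severity. The alert on an asset missing from the inventory is deliberately not pushed to the bottom: an asset nobody has classified cannot safely be deprioritised, so the response profile sends the analyst to identify it first.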

These examples demonstrate the power of a business-driven approach to security, and more specifically, how such an approach can improve threat response. By putting security alerts in the context of what matters most to the business, analysts can respond to the right incidents, at the right time, in the right manner.

Providing your analysts with the business context they need to rapidly identify and respond to the highest priority incidents is essential in today’s environment, where security resources are scarce and threats abound. Seek out security tools that link business context with security incidents, and that make it easy for analysts to immediately see which alerts are highest priority and affect the people, data and infrastructure that matter most. Prioritization may be one of our best defenses against ever-growing threats.
