
A Business-Driven Approach to Prioritizing Security Alerts


Security analysts are faced with an overwhelming number of alerts to investigate across a widening array of endpoints, computing platforms and devices. To handle this mounting workload efficiently and effectively, they must prioritize. But how? 

The answer lies in providing context. Analysts need to know when a security incident could have a material impact on their organization. At a minimum, they need to know what data and assets are most sensitive and most important to the business to protect; where these data and assets reside; who (internally and externally) has access to them; and the infrastructure those individuals use to access them.

Armed with this context, analysts can prioritize alerts according to the criticality of the people, infrastructure and/or data involved. For example, an analyst receives one alert regarding a potential issue with the CFO’s laptop and another pertaining to a kiosk featuring the lunch menu in the company cafeteria. Both alerts should be evaluated (especially if a cyber attack could spread from the kiosk to critical systems), but arguably, the CFO’s laptop should come first because it provides direct access to sensitive strategic and financial information.  

Context not only helps to set investigation priorities; it also helps to drive specific triage activities and the overall nature of the response. For example, if analysts discover that a system administrator’s laptop may be infected with malware, they’ll need to identify the IT assets the administrator has access to, and remediation will take place with a distinct sense of urgency. In contrast, if a marketing intern’s laptop begins to demonstrate suspicious behavior, the investigation and remediation will look very different, assuming the intern had no access to sensitive data and systems.
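The sketch below is an added example, not code from the article or from any product. It shows how the CFO laptop, kiosk, administrator and intern cases above could be ranked once alerts are joined with a business-context inventory. The host names, the 0-3 scales and the weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetContext:
    owner_role: str          # who uses the asset
    data_sensitivity: int    # 0 (public) .. 3 (strategic or financial data)
    access_level: int        # 0 (none) .. 3 (administrative access to IT assets)
    reaches_critical: bool   # can the asset reach critical systems on the network?

# Constructed inventory: every host name and rating here is an assumption.
INVENTORY = {
    "cfo-laptop": AssetContext("CFO", 3, 2, True),
    "sysadmin-laptop": AssetContext("system administrator", 2, 3, True),
    "intern-laptop": AssetContext("marketing intern", 0, 0, False),
    "cafeteria-kiosk": AssetContext("lunch menu kiosk", 0, 0, True),
}

# Hosts missing from the inventory are rated mid-range rather than zero, so a
# gap in context cannot silently push an alert to the bottom of the queue.
UNKNOWN_BUSINESS = 2

def score(alert, inventory=INVENTORY):
    """Return (priority, reasons) for an alert dict with 'host' and 'severity' (1-5)."""
    ctx = inventory.get(alert["host"])
    if ctx is None:
        return alert["severity"] * (1 + UNKNOWN_BUSINESS), ["no business context on record"]
    business = max(ctx.data_sensitivity, ctx.access_level)
    priority = alert["severity"] * (1 + business)
    reasons = []
    if business >= 2:
        reasons.append(f"{ctx.owner_role}: sensitive data or privileged access")
    elif ctx.reaches_critical:
        priority += 2  # the kiosk case: low value itself, but a possible stepping stone
        reasons.append("low-value asset, but can reach critical systems")
    return priority, reasons

def prioritize(alerts, inventory=INVENTORY):
    """Order alerts so the highest business impact is investigated first."""
    scored = [(*score(a, inventory), a) for a in alerts]
    scored.sort(key=lambda s: s[0], reverse=True)  # stable: ties keep arrival order
    return [(a["host"], priority, reasons) for priority, reasons, a in scored]

# Constructed sample alerts, all with the same detector severity.
ALERTS = [{"host": h, "severity": 3} for h in
          ("cafeteria-kiosk", "intern-laptop", "cfo-laptop", "sysadmin-laptop", "lab-pc-17")]

if __name__ == "__main__":
    for host, priority, reasons in prioritize(ALERTS):
        print(f"{priority:>3}  {host:<16} {'; '.join(reasons)}")
```

With identical detector severity, the business context alone decides the order, and the kiosk still ranks above the intern's laptop because of its network reach.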

These examples demonstrate the power of a business-driven approach to security, and more specifically, how such an approach can improve threat response. By putting security alerts in the context of what matters most to the business, analysts can respond to the right incidents, at the right time, in the right manner.

Providing your analysts with the business context they need to rapidly identify and respond to the highest priority incidents is essential in today’s environment, where security resources are scarce and threats abound. Seek out security tools that link business context with security incidents, and that make it easy for analysts to immediately see which alerts are highest priority and affect the people, data and infrastructure that matter most. Prioritization may be one of our best defenses against ever-growing threats.
