Organizations that have acquired technology to deal with threats have found themselves dealing with too many alerts, a growing number of tools contributing to the chaos, and a shortage of qualified talent to get the job done. There are two key ways to obtain alerts that matter. One can create alerts that matter, or use existing alerts and determine how to make the alert matter through enrichment.
Three Objectives / Takeaways
1. Provide insight into treating the symptoms of alert fatigue
2. Provide attendees the information needed to apply this in their own organization
3. Distribute knowledge from experience building and growing a SOC
Session Details
“Alerts that matter” are alerts from which enough information can be derived to determine what actions should be taken or what workflow should be initiated to work the alert through to resolution.
Organizations that have acquired technology to deal with unknown threats have found themselves dealing with too many alerts, a growing number of tools contributing to the chaos, and a shortage of qualified talent to get the job done. The result is security teams that are overworked, understaffed, and lacking the meaningful context needed to separate important alerts from the noise.
There are two key ways to obtain alerts that matter. One can create alerts that matter or use existing alerts and determine how to make the alert matter through enrichment. In this presentation, we will explore both methods as each has its merits.
Creating Alerts That Matter
Architecture
Taking in consideration your architecture, ongoing deployments, and configurations is the first step in creating alerts that matter.
Tuning Strategy
The industry is constantly complaining about “alert fatigue”. Although this is a real problem, tuning the tools that throw those alerts is often overlooked.
Making Alerts Matter
Consolidation
Too often we find ourselves having to jump from machine to machine, tool to tool, to just gather enough information on whether or not an alert is a true positive.
Escalation Policies
It’s 2am and we have an incident: should I wake up the CISO? What information does each department need to take appropriate action on an active incident? Your team should be able to quickly find the answers to these questions through threat classification and standardized notifications.
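The enrichment, consolidation and escalation ideas above (attaching context to an existing alert so a responder does not have to jump between tools, classifying the threat, and emitting a standardized notification that answers the 2am question) can be shown in a single small pipeline. The following Python is an added example written for this page, not code from the session or its presenter; the asset inventory, escalation policy, severity bump rule and the raw alerts are all constructed, hypothetical data.

```python
"""Added example: enrich raw alerts with asset context and route them
through a standardized escalation policy. All data below is constructed."""

# Constructed asset inventory: source IP -> context a responder would
# otherwise have to look up by hand in another tool.
ASSETS = {
    "10.0.1.15": {"hostname": "db-prod-01", "tier": "critical", "owner": "dba-team"},
    "10.0.5.42": {"hostname": "wks-eng-117", "tier": "standard", "owner": "it-helpdesk"},
}

# Constructed escalation policy: classification -> who is notified and
# whether anyone is paged out of hours (the "wake up the CISO?" decision).
ESCALATION = {
    "critical": {"notify": ["soc-oncall", "ciso"], "page": True},
    "high":     {"notify": ["soc-oncall"], "page": True},
    "medium":   {"notify": ["soc-queue"], "page": False},
    "low":      {"notify": [], "page": False},
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed raw alerts, shaped like what a detection tool might emit.
RAW_ALERTS = [
    {"id": "a1", "src_ip": "10.0.1.15", "signature": "Possible credential dumping", "base_severity": "high"},
    {"id": "a2", "src_ip": "10.0.5.42", "signature": "Port scan detected", "base_severity": "low"},
    {"id": "a3", "src_ip": "192.0.2.99", "signature": "Possible credential dumping", "base_severity": "high"},
]


def enrich(alert):
    """Attach asset context to a raw alert (None when the host is unknown)."""
    enriched = dict(alert)
    enriched["asset"] = ASSETS.get(alert["src_ip"])
    return enriched


def classify(enriched):
    """Derive the final severity from the tool's own severity plus asset context.

    Hypothetical rule: an alert on a critical-tier asset is bumped one level.
    """
    idx = SEVERITY_ORDER.index(enriched["base_severity"])
    asset = enriched["asset"]
    if asset is not None and asset["tier"] == "critical":
        idx = min(idx + 1, len(SEVERITY_ORDER) - 1)
    return SEVERITY_ORDER[idx]


def route(enriched):
    """Produce a standardized notification from the escalation policy."""
    severity = classify(enriched)
    policy = ESCALATION[severity]
    asset = enriched["asset"]
    hostname = asset["hostname"] if asset else "UNKNOWN-HOST"
    owner = asset["owner"] if asset else "unassigned"
    # An unknown asset is itself actionable: the first workflow step is
    # identifying it, not chasing the signature.
    next_step = "identify asset" if asset is None else "triage on " + hostname
    return {
        "id": enriched["id"],
        "severity": severity,
        "notify": policy["notify"],
        "page": policy["page"],
        "unknown_asset": asset is None,
        "message": f"[{severity.upper()}] {enriched['signature']} on {hostname} "
                   f"(owner: {owner}); next: {next_step}",
    }


def process(alerts):
    """Enrich, classify and route every alert; returns notifications keyed by id."""
    return {a["id"]: route(enrich(a)) for a in alerts}


if __name__ == "__main__":
    for note in process(RAW_ALERTS).values():
        print(note["message"], "->", note["notify"] or "no notification")
```

With the constructed data, the credential-dumping alert on the critical database host is bumped to critical and pages both the on-call analyst and the CISO, the port scan from a standard workstation stays low and generates no notification, and the alert from an unknown address keeps its tool severity but is flagged so the workflow starts with asset identification.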
Analytics
In addition to pulling data from a myriad of internal sources, incident responders also need to understand the external factors that play into the incident at hand.
Actions
What you perform actions on, and how, is important. Ensuring issues do not repeat, and understanding why when they do, is critical. Tracking these outcomes and ensuring repeatability will make the difference between a good SOC and a great SOC.