Vignesh Kannan, Sr. Solution Architect at Paladion, discusses how best to handle alert triaging and analysis in cybersecurity when resources are scarce.
Out on the virtual battlefield of cyberattackers and cybersecurity teams, security alerts can be numerous. Some of them may be without real consequence, but others could be fatal if left unattended. They all need to be assessed, to understand if they should be addressed as a priority, put in a queue for handling later, or simply left as they are. Then the right actions of remediation and elimination must be taken in each case.
How do you sort today’s high volumes of alerts?
The sorting process is known as triaging. Originally, this term came from the real battlefields of the First World War. Casualties were evaluated fast (a matter of life or death for some!) and placed into categories for emergency treatment or transport. The sorting was imperative, as there were not enough resources to treat all casualties immediately.
The same kind of sorting is needed for cybersecurity alerts. However, manual resources for triaging are typically even more limited compared to the vast amounts of alerts that the network and systems of an enterprise can generate. Each security solution such as an intrusion prevention/detection system (IPS/IDS), web application firewall (WAF) or security incident and event management (SIEM) system generates its own alerts. To make things even more difficult, alerts that may seem insignificant on their own may take on much more importance when grouped together, for example, indicating the path of an attack in progress.
Key information you should know for each priority alert
To understand what it means for the cybersecurity of your enterprise, you should have the following information about each alert:
- Is it (part of) an attack?
- Has the attack been successful?
- What is the source IP score?
- What is the destination IP score?
- What is the threat feed score?
- What is the vulnerability score?
- Has the user account involved been compromised?
- What other assets were compromised?
- What are the associated vulnerabilities?
- What is the attack density?
- Was this event associated with any other event or an artefact?
- What activities did the attacker carry out?
- How should the organisation respond to this attack?
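The questions above reduce to a scoring and correlation problem: each alert carries a handful of per-alert scores (source IP, destination IP, threat feed, vulnerability), and some answers (attack density, other compromised assets, association with other events) only emerge once alerts are grouped. The following Python is an added illustration of that approach and is not Paladion's code or scoring method; the 0-to-1 score scales, the weights, the ten-minute density window, the bucket thresholds and the sample alerts are all assumptions constructed for the example.

```python
"""Composite alert triage: combine per-alert scores, then add what correlation reveals.

Added example, not Paladion's code. Scales, weights, thresholds and alerts are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    alert_id: str
    sensor: str               # which control raised it: IDS, WAF, SIEM ...
    ts: int                   # epoch seconds (constructed values below)
    src_ip: str
    dst_ip: str
    user: str
    successful: bool          # did the sensor report the action as succeeding?
    src_ip_score: float       # source reputation, 0 (clean) .. 1 (known bad); assumed scale
    dst_ip_score: float       # destination asset criticality, 0 .. 1; assumed scale
    threat_feed_score: float  # overlap with threat-feed indicators, 0 .. 1; assumed scale
    vuln_score: float         # exploitability of the target, e.g. CVSS / 10


# Relative weights are an assumption for illustration; tune them to your estate.
WEIGHTS = {"src_ip_score": 0.20, "dst_ip_score": 0.25, "threat_feed_score": 0.20, "vuln_score": 0.35}
DENSITY_WINDOW = 600   # seconds: alerts from one source inside this window form one burst
DENSITY_CAP = 5        # a burst of this size or larger earns the full density bonus


def base_score(a: Alert) -> float:
    """Weighted sum of the per-alert scores; a confirmed success multiplies the result."""
    s = sum(WEIGHTS[k] * getattr(a, k) for k in WEIGHTS)
    return min(1.0, s * (1.5 if a.successful else 1.0))


def attack_density(alerts: List[Alert]) -> Dict[str, int]:
    """Largest number of alerts from the same source IP inside any DENSITY_WINDOW."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src_ip].append(a.ts)
    density = {}
    for src, times in by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > DENSITY_WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        density[src] = best
    return density


def pivots(alerts: List[Alert]) -> Dict[str, str]:
    """Hosts hit by a successful alert that later act as the source of another alert.

    Returns {pivoting_host_ip: alert_id of the successful alert that first hit it}.
    This is the 'what other assets were compromised' answer derived from grouping.
    """
    first_hit: Dict[str, Alert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.successful and a.dst_ip not in first_hit:
            first_hit[a.dst_ip] = a
    result = {}
    for a in alerts:
        hit = first_hit.get(a.src_ip)
        if hit is not None and a.ts > hit.ts:
            result[a.src_ip] = hit.alert_id
    return result


def triage(alerts: List[Alert]) -> List[dict]:
    """Score every alert, fold in density and chaining, and sort into three buckets."""
    density = attack_density(alerts)
    chain = pivots(alerts)
    rows = []
    for a in alerts:
        score = base_score(a)
        dens = density[a.src_ip]
        score = min(1.0, score + 0.2 * min(dens, DENSITY_CAP) / DENSITY_CAP)
        linked = chain.get(a.src_ip)        # alert that compromised this alert's source
        if linked is not None:
            score = min(1.0, score + 0.25)  # part of an attack path: raise it
        bucket = "immediate" if score >= 0.7 else "queue" if score >= 0.4 else "leave"
        rows.append({"alert_id": a.alert_id, "sensor": a.sensor, "priority": round(score, 3),
                     "bucket": bucket, "density": dens, "chained_to": linked})
    rows.sort(key=lambda r: -r["priority"])
    return rows


# Constructed sample: an external host exploits a web server, which then reaches the database.
SAMPLE_ALERTS = [
    Alert("A1", "IDS", 1000, "198.51.100.7", "10.0.0.5", "-", True, 0.9, 0.6, 0.8, 0.7),
    Alert("A2", "WAF", 1100, "198.51.100.7", "10.0.0.5", "-", False, 0.9, 0.6, 0.8, 0.3),
    Alert("A3", "SIEM", 1500, "10.0.0.5", "10.0.0.20", "svc_web", True, 0.0, 0.9, 0.0, 0.5),
    Alert("A4", "IDS", 5000, "203.0.113.9", "10.0.0.30", "-", False, 0.1, 0.2, 0.0, 0.2),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

The point the sample makes is the one in the text: A3 on its own is a modest internal alert (base score 0.6), but because its source was the destination of the earlier successful A1, it is chained and moves into the immediate bucket, while the unrelated low-scoring A4 is left alone.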
Combining artificial, human and threat intelligence
To answer the questions above, human judgement and experience, while still crucial, cannot cope with the volume and speed at which today’s alerts arrive. On the other hand, the right technology allows all alerts to be analysed and correlated in one place, without missing any of them. It gives near-real-time results with detailed alert information and scoring. The use of Artificial Intelligence (AI) within the technology allows insights and recommendations to be made about what the real threats are and how to treat them. The full attack story can be made available even before it starts to attain dangerous proportions.
This combination of artificial and human intelligence also allows the critical problem of alert fatigue to be avoided. This problem occurs when human security analysts must examine high volumes of frequent alerts. Familiarity can then breed contempt, with alerts increasingly dismissed as being of no importance.
Fortunately, technology, ever vigilant, can spot the alert that corresponds to an attack and that might otherwise have gone unheeded. Threat intelligence then helps put alerts into context, comparing them with overall threat activity. Instead of obliging analysts to compile their own databases of information, well packaged threat intelligence can raise cybersecurity productivity by an order of magnitude.
Putting together a complete, cost-effective solution
The final call about what to do will still be down to human security analysts. Artificial Intelligence can handle a large amount of the workload, but it cannot do everything. If an enterprise’s own resources are stretched, a third-party incident analysis service coupled with smart alert triaging can maintain the security posture that the enterprise needs.
In Paladion’s incident analysis service, analysts also produce a highly specific incident analysis report. The report describes the attack and contains detailed mitigation steps for the IT and cybersecurity teams of the enterprise to follow. Status and progression of attack analysis can be seen at any time by the customer using the online reporting tools and analytics made available.
Depth of analysis and insight from the Paladion service into alerts and incidents goes significantly beyond basic indicators of compromise (IOCs). Case management is done systematically to trace alerts from validation to investigation. Attack statistics are compiled to show which attacks happen the most frequently and against which targets. Overall, by executing smart alert triaging and analysis, including recommendations for action, the service relieves customers of much of the alert triaging and analysis workload and brings their cybersecurity back down to manageable proportions.