Defense-in-depth is a strategy we’re all familiar with – layering defenses so that if one fails, another layer is there to stop the attack. However, one of the challenges with this approach is that each layer in the security architecture creates its own logs and events leading to a phenomenon called “alert fatigue.”
Analysts are so overwhelmed by the volume of security alerts that 42 percent say their organization ignores a significant number and more than 30 percent say they ignore more than half, according to research by ESG. To try to reduce the noise, analysts undertake the onerous task of manually correlating external threat data and intelligence feeds with logs and events from internal sources including their security information and event management (SIEM) system, log management repository, ticketing and case management systems, for investigations and other activities. But this manual approach to alert triage requires significant work on the part of the analysts and can create more noise in the form of false positives.
To overcome the alert triage challenge, analysts need a way to efficiently and accurately go through alerts to determine which ones matter most and require human attention and eliminate the ones that do not. The process requires three things:
- Prioritization. Lots of threat intelligence providers publish “global” risk scores based on their own research, visibility and proprietary methods. But what is relevant to one company may not be relevant to another. To improve alert triage, you need to be able to prioritize based on relevance to your environment. With ThreatQ’s custom risk scoring you can prioritize alerts based on your own set of scoring parameters.
- Collaboration. When dealing with alerts in the gray zone of importance and those that are high-priority, you need access to additional tools and security staff so you can take the right action faster. ThreatQ Investigations enables visualization and collaboration so you can simplify alert triage, perform deeper analysis and engage with other teams as needed to accelerate investigations.
- Learning. If a false positive does slip through, you need a continuous feedback loop so you can learn and improve the quality of alerts over time. As new data comes in and learnings are shared, the ThreatQ self-tuning Threat Library automatically reprioritizes to reduce false positives in the future and hone the alert triage process.