Struggling to Make Better Security Decisions? These Tips Can HelpPOSTED BY LIZ BUSH
Unintended consequences – the unforeseen outcomes of actions we take – are all around us. It may be an unforeseen benefit, but, more frequently, it’s an unexpected drawback that can create a new problem or make a situation worse.
In the security industry, Security Operations Center (SOC) and Incident Response (IR) teams often face unintended consequences when they try to make better decisions faster by bringing in more data feeds and investing in more analytic behavioral detection tools. Despite their good intentions, these actions do not drive improve decision making. Instead they often make the problem worse – burying staff under data and adversely impacting decision making due to alert fatigue.
Through our work, both previously as practitioners and now with clients, we’ve seen the challenges in making better security decisions and have developed best practices to overcome the pitfalls of alert fatigue and introduce situational understanding to make decisions faster.
The first step is to gain context which comes from aggregating and authenticating internal security indicators (indicators of compromise and event data) with external threat intelligence. Examples of threat-based contextual intelligence include the origin of the data, the distribution method, the actors, the target victims, attack vectors, target data, etc. Having the right context empowers analysts to perform alert triage, separating alerts carrying immediate risk from those that carry high risk, but that can be addressed later. Alert triage reduces alert fatigue by facilitating differentiation of one high priority alert from another and focus time and attention for maximum impact. But it must be done quickly and continuously, using automation, to keep up with the flood of critical alerts analysts face every day.
In our new report, 5 Steps to Making Better Security Decisions, we discuss how to gain context, why it is important to incorporate it earlier in the analysis process, and how context facilitates the next two steps in making decisions – prioritization and focus. We then explore how security teams and technologies can operate more efficiently and effectively to enable the final two steps for better decision making.
Ultimately, SOC and IR teams must avoid the unintended consequences of more data feeds and analytic behavioral detection tools by ensuring these investments are being fully utilized for situational understanding and better decision making. These five time-tested steps can help.