Making sense of an overwhelming amount of data is one of the biggest challenges of any Security Operations Center (SOC). It is complicated to digest millions of different appliance logs and events, to find the observables that matter, and thereby to detect real incidents. It is especially hard to align findings with the cyber security kill chain that adversaries follow while attacking organizational infrastructure. Cybersecurity professionals frequently refer to the process of connecting all of these dots as "finding the needle in the haystack."
False alerts generated in the SOC are an ongoing reality for SOC analysts, adding stress to what is an inherently challenging work environment. The question is how to reduce the number of false positives to improve the efficiency of the SOC.
At CyberProof, we find that the number of false alerts can be minimized by leveraging risk-based mapping of use cases, which can be used to improve an organization’s security posture and reduce mean time to response.
Implementing risk-based mapping starts with data collection. Every security or infrastructure appliance gives you different key-value pairs of information, and making sense of this data requires normalization using a common information model in your Security Information and Event Management (SIEM) system. For security events, this could be, for example:
Utilizing normalized data in risk-based mapping first requires implementing detection rules in your SIEM.
At CyberProof, for example, we use a Use Case Factory for this process. The Factory can be imagined as the brain of a very efficient "Use Case Machine", providing optimized and tuned rules that trigger an alert only when something significant happens.
The challenge is connecting different alerts to a single source of an incident. This is achieved through correlation and risk-based mapping:
Risk-based mapping is achieved as follows:
The efficiency of the SOC is improved when incidents and alerts are automatically enriched in a common orchestration platform. Additional information around observables from threat intelligence feeds, for example, can be orchestrated in a detailed playbook that provides SOC analysts with maximal possible insights for analyzing and responding to cyber threats.
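As an added example (not CyberProof's code or its Use Case Factory), the normalization and risk-based correlation steps described above in Python: constructed events from three hypothetical appliances are mapped onto a common model, each detection rule adds an assumed risk weight to the affected host, and only a host whose combined risk crosses a threshold becomes a single incident, which is what keeps a lone low-value alert from reaching an analyst.

```python
from collections import defaultdict

# Constructed sample events from three hypothetical appliances. The raw field
# names are assumptions for this example, not any vendor's real schema.
RAW_EVENTS = [
    {"src": "firewall", "srcip": "10.0.0.5", "dstip": "203.0.113.9", "action": "deny", "cnt": 40},
    {"src": "edr", "hostip": "10.0.0.5", "user": "alice", "event": "credential_dump"},
    {"src": "firewall", "srcip": "10.0.0.7", "dstip": "198.51.100.2", "action": "deny", "cnt": 1},
    {"src": "proxy", "client": "10.0.0.5", "url": "http://203.0.113.9/x", "category": "malware"},
    {"src": "proxy", "client": "10.0.0.5", "url": "http://203.0.113.9/y", "category": "malware"},
]

# Assumed risk weight per detection rule: no single signal reaches the
# incident threshold on its own, so one alert alone cannot page an analyst.
RULE_WEIGHTS = {"fw_deny_burst": 30, "edr_credential_dump": 60, "proxy_malware_url": 40}
INCIDENT_THRESHOLD = 70


def normalize(event):
    """Map one appliance's key/value pairs onto a common model: the entity
    (host IP) the event concerns and the detection rule, if any, it fires."""
    src = event["src"]
    if src == "firewall":
        rule = "fw_deny_burst" if event["action"] == "deny" and event["cnt"] >= 20 else None
        return {"entity": event["srcip"], "rule": rule}
    if src == "edr":
        rule = "edr_credential_dump" if event["event"] == "credential_dump" else None
        return {"entity": event["hostip"], "rule": rule}
    if src == "proxy":
        rule = "proxy_malware_url" if event["category"] == "malware" else None
        return {"entity": event["client"], "rule": rule}
    raise ValueError(f"unknown source {src!r}")


def score_entities(events):
    """Accumulate risk per entity. Each rule counts once per entity, so a flood
    of identical alerts (the two proxy hits above) does not inflate the score."""
    fired = defaultdict(set)
    for event in events:
        rec = normalize(event)
        if rec["rule"] is not None:
            fired[rec["entity"]].add(rec["rule"])
    return {entity: (sum(RULE_WEIGHTS[r] for r in rules), sorted(rules))
            for entity, rules in fired.items()}


def build_incidents(events, threshold=INCIDENT_THRESHOLD):
    """Promote an entity to one incident only when its combined risk crosses
    the threshold; the contributing rules are the evidence chain for the analyst."""
    return {entity: {"score": score, "rules": rules}
            for entity, (score, rules) in score_entities(events).items()
            if score >= threshold}
```

With the sample data, only 10.0.0.5 becomes an incident (score 130 from three distinct rules), while the single denied packet from 10.0.0.7 never fires a rule at all.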
These innovations ensure that SOC analysts are not overwhelmed with meaningless information, which takes time to investigate and to supplement with additional information from stakeholders. Automation and enrichment help to reduce alert fatigue and drastically improve the mean time to respond to cyber security threats.
Interested in learning more about how to improve the cybersecurity posture of your organization? Contact us!