Automating false positives in your SOC

Alerts are undoubtedly critical to the delivery of an effective cybersecurity operation, but the sheer volume of alerts, including false positives, can be crippling to a SOC. In this blog we’ll talk about the steps you can take to reduce false positive alerts, freeing up your analysts to provide more proactive defence and less ‘alert bashing’. We talk openly about the challenges we’ve faced in this area and how we’ve seen drastic improvement through a process designed to save analyst time without increasing security risk.

The challenge of false positives

When we talk to customers, one of the most common challenges is analyst retention and recruitment.

One of the biggest reasons analysts leave organisations is the nature of the work. They often want to engage in interesting investigations but end up simply responding to alerts, with a staggering percentage being false positives that still require reviewing and closing.

We firmly believe that analysts should be elevated above simple ‘alert bashing’. Whilst this will still be an element of the job, it should be a minor one, with more time given to tasks of greater value to the defence of a network, such as vulnerability analysis, playbook crafting, proactive threat hunting, incident response planning, customer engagement and more.

How we automated 80% of alerts

As a business that focuses on delivering a SOC-as-a-Service, we face the same problems that many non-security specialist organisations face. In March 2020, we created a plan to significantly reduce human-processed alerts. By August 2020, we had halved this number while onboarding new customers. Since then, for some customers, we have automated as many as 80% of alerts.

We knew that automating alerts could be risky: a genuine threat that closely resembles the pattern an automation rule closes could be missed. That is why we didn’t set out to fix anything overnight.

Continuous improvement

We started with a new swarm team assessing the noisiest alerts, reviewing them daily, weekly and monthly to understand what could be automated and triple-checking in each instance to be sure we weren’t missing a potential threat. In fact, at the start of this process, it took us longer to automate and then review the alerts we had than if an analyst had just looked at them, but we knew the end goal would be critical to our service improvements.

We thoroughly evaluated each type of alert, worked through the playbook steps an analyst would take, and pinpointed the specific step or piece of information needed to safely close that alert.
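As an added illustration (not e2e-assure’s own tooling), here is how the ‘specific piece of information needed to safely close’ an alert can be encoded as one explicit predicate per alert type, with anything that lacks that evidence left for an analyst and a slice of the auto-closed alerts handed back for periodic review. The alert types, enrichment fields, approved-hash list and sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Alert:
    alert_id: str
    rule: str     # detection rule that fired
    fields: dict  # enrichment the playbook step relies on

# Constructed allow-list standing in for an approved-software inventory.
APPROVED_TASK_HASHES = {"sha256:CONSTRUCTED-APPROVED-1", "sha256:CONSTRUCTED-APPROVED-2"}

# One predicate per alert type: the single playbook step that lets an analyst
# close the alert safely. Missing or inconclusive evidence must yield False.
AUTO_CLOSE_RULES: Dict[str, Callable[[dict], bool]] = {
    # Playbook step: "Is the created task in the approved software inventory?"
    "scheduled_task_created": lambda f: f.get("task_hash") in APPROVED_TASK_HASHES,
    # Playbook step: "Did the same user then succeed from the same source, and
    # was the burst small enough to look like a typo rather than a spray?"
    "failed_logon_burst": lambda f: f.get("followed_by_success_same_src") is True
                                    and f.get("failure_count", 0) < 20,
}

def triage(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into auto-closed and analyst-bound; default is the analyst."""
    auto_closed, for_analyst = [], []
    for a in alerts:
        pred = AUTO_CLOSE_RULES.get(a.rule)
        try:
            safe = pred is not None and bool(pred(a.fields))
        except Exception:  # malformed enrichment is never grounds to close
            safe = False
        (auto_closed if safe else for_analyst).append(a)
    return auto_closed, for_analyst

def review_sample(auto_closed: List[Alert], every_nth: int = 3) -> List[Alert]:
    """Periodic check: hand every n-th auto-closed alert back to the review team."""
    return auto_closed[::every_nth]

def automation_rate(auto_closed: List[Alert], for_analyst: List[Alert]) -> float:
    total = len(auto_closed) + len(for_analyst)
    return round(100 * len(auto_closed) / total, 1) if total else 0.0

# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A1", "scheduled_task_created", {"task_hash": "sha256:CONSTRUCTED-APPROVED-1"}),
    Alert("A2", "scheduled_task_created", {"task_hash": "sha256:CONSTRUCTED-UNKNOWN"}),
    Alert("A3", "failed_logon_burst", {"followed_by_success_same_src": True, "failure_count": 4}),
    Alert("A4", "failed_logon_burst", {"followed_by_success_same_src": True, "failure_count": 250}),
    Alert("A5", "failed_logon_burst", {"failure_count": 3}),  # enrichment missing
    Alert("A6", "new_admin_account", {}),                     # no rule: always an analyst
]
```

Running `triage(SAMPLE_ALERTS)` auto-closes only A1 and A3; the unknown hash, the oversized burst, the missing enrichment and the unhandled alert type all stay with an analyst.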

We’re not going to sit here and pretend we’ve got it absolutely perfect, but each day, week and month we improve both our service and our automation capability.

Fix it yourself or pass the challenge on to another company?

Depending on your setup and capability, it may be better to engage a trusted partner to take the alerts from your team, automating and manually analysing them (using co-authored playbooks suited to your organisation and risk appetite) and then passing over real tickets and incidents for your security team to look at. This will not only reduce the time your teams spend on mundane tasks but also significantly enrich their jobs. It gives them time for professional development and allows them to focus on more interesting investigations.

Email us at info@e2e-assure.com, or visit www.e2e-assure.com/contact, if you want to learn more about how we improve our automation capabilities and reduce false positives, or how we work with organisations across all sectors to minimise mundane tasks and enhance their security.
