“But I played it perfectly!” – The Importance of Tuning

By Ethan Butts – Information Security Analyst – Intrinium

Today in cybersecurity, a Security Information and Event Management (SIEM) platform is simply a necessity. It collects and sorts all your events and logs into an easily readable format and makes alerting a breeze. It allows you to combine threat feeds, rules, and correlation performed against multiple sources so that they come together to provide the most relevant information. However, this can give rise to new problems. Which of these alerts are really functional? Which ones bring my analysts actual data they can use? These are the new questions being brought before security teams today, and ones that are vital to preventing Alert Fatigue and Obscurity by Suppression.

Alert Fatigue occurs when the quality of alerts is low and the number of False Positives begins to desensitize the analyst. This can lead to an analyst closing legitimate alerts in a daze, having closed so many similar tickets with false positive findings that they don’t question the next one. Obscurity by Suppression occurs when the number of alerts, legitimate or otherwise, is too high, and resources are unable to adequately research findings. This can lead to incomplete research, ill-informed bans, and a plethora of other issues that proper tuning and remediation procedures can mitigate. Tuning leaves only the alerts that truly need review for the analysts, who then have enough time to perform actual in-depth analysis.

So how do you tune?  There are many ways to approach this, but here at Intrinium we have found the following questions to be a good guide to finding the balance between information and actionable data. While this is not an exhaustive list, these questions can provide a starting point to streamlining your workflow and avoiding burying yourself or your analysts in noise.

  1. “What is my analyst supposed to do with this alert?”
    • When this alert arrives, what actions can your analyst take?
    • There are several alerts that may not actually provide any insight to your analyst or may simply add information to another case.
    • These can be tuned out, or set to a schedule, which we will address next…
  2. “How often do I need to check this?”
    • Often, alerts can be set to a report version and sent on a schedule. Does every AD Change done by my Infrastructure team need to be an alert, or can I review them the next day at a meeting?
    • Data Loss Prevention (DLP) is a large part of organizational security. While some alerts may demand immediate attention, others may be fine to wait for a scheduled review at a predetermined time. This must be determined on a case-by-case basis.
  3. “Is this data really useful?”
    • SIEMs intake loads of logs and make them readable, and we aren’t going to say that you shouldn’t intake all the logs! However, some sources are trusted and some destinations may be business critical, and these may warrant less strict policies to minimize the noise they can cause.
  4. “How Critical is this alert?”
    • Prioritization is important, especially when Service Level Agreements (SLAs) enter the mix. Adjusting and setting a Priority to an alert gives you the confidence to know that it can be prioritized as needed, and receive the attention it deserves, while the noise can be left behind.
      • This is one of the benefits of outsourcing a SOC, as many MSSPs offer levels of service that provide contractual response times via SLAs.
      • In the case of an in-house SOC, there are no SLAs to enforce. For prioritization, it is critical to ensure that resources have clear expectations of response and resolution times and are aware of the assigned priorities.
    • Placing in levels of severity can help Analysts focus attention, as well as allow better reporting for clients as to what happened in their environment, and why the actions taken were performed.
    • NOTE: Priority doesn’t necessarily mean impact. Several SIEM solutions, including IBM’s QRadar and AlienVault’s USM, can compute priority from several features of the alert, such as:
      • Age of the Alert
      • Reliability of the Alerting Resource
      • Relevance of the Alert
      • Impact of the Alert should it remain unchecked
      • Other Vulnerabilities and Threats on the Host
  5. “Which resources/Toolkits are needed for this?”
    • Some tickets may require additional work and resources, as they may be cumbersome or widespread and require many moving pieces to be corrected. Ensure that your team is aware of these instances, and that they have the freedom and ability to request assistance and mobilize to correct these actions quickly, as every second counts!
  6. “Listen to the Boots on the Ground!”
    • Your analysts are dealing with these every day, reviewing security incidents, drafting rules, and in general mapping the threat landscape in several ways. Remember to use this information wisely! If a resource comes to you about an alert that needs to be removed, or one that needs to be created, listen to them! They are your eyes and ears in the field, and every suggestion is worth a review! The worst that happens is you have shown your employees that you value their opinions and take their thoughts to heart.
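The following is an added example, not code from the original post or from any SIEM product, that turns questions 2 through 4 above into a small triage model: alerts from a trusted source are tuned out, selected rule types are batched into a scheduled report instead of paging anyone, and everything else gets a priority score built from the factors the post lists (age, reliability, relevance, impact, host vulnerabilities). The sample alerts, the source and rule lists, the 0–10 scales and the weights are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    rule: str
    source_ip: str
    age_hours: float
    reliability: int   # 0-10: how trustworthy the alerting sensor is (assumed scale)
    relevance: int     # 0-10: does the rule apply to this host at all (assumed scale)
    impact: int        # 0-10: damage if left unchecked (assumed scale)
    host_vulns: int    # open vulnerabilities on the host (assumed count)

# Tuning decisions; these stand in for a real SIEM's rule configuration (assumed)
TRUSTED_SOURCES = {"10.0.0.5"}                    # e.g. the internal vulnerability scanner
SCHEDULED_RULES = {"AD Group Membership Change"}  # reviewed at the next day's meeting

def priority(a: Alert) -> int:
    """Weighted score 0-100. Age lowers the score; the other factors raise it."""
    freshness = max(0, 10 - int(a.age_hours))   # a stale alert loses urgency
    raw = (2 * a.reliability + 2 * a.relevance + 3 * a.impact
           + min(a.host_vulns, 10) + freshness)  # maximum possible raw value is 90
    return round(raw / 90 * 100)

def triage(alerts):
    """Route each alert: suppressed, scheduled report, or immediate (sorted by priority)."""
    routes = {"suppressed": [], "scheduled": [], "immediate": []}
    for a in alerts:
        if a.source_ip in TRUSTED_SOURCES:        # question 3: trusted source, tune out
            routes["suppressed"].append(a.rule)
        elif a.rule in SCHEDULED_RULES:           # question 2: report, not a page
            routes["scheduled"].append(a.rule)
        else:                                     # question 4: score and rank
            routes["immediate"].append((priority(a), a.rule))
    routes["immediate"].sort(reverse=True)
    return routes

# Constructed sample alerts
SAMPLE_ALERTS = [
    Alert("Port Scan Detected", "10.0.0.5", 0.5, 8, 3, 2, 0),
    Alert("AD Group Membership Change", "10.0.1.20", 2, 9, 5, 4, 1),
    Alert("Malware Beacon", "10.0.2.7", 1, 9, 9, 9, 4),
    Alert("Failed Logins", "10.0.2.9", 30, 6, 4, 3, 0),
]

if __name__ == "__main__":
    for route, items in triage(SAMPLE_ALERTS).items():
        print(f"{route}: {items}")
```

Running it shows the scanner's port-scan noise suppressed, the AD change deferred to the report, and the beacon (score 84) ranked ahead of the stale failed-login alert (score 32) in the immediate queue.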

This is meant to start the security conversation regarding tuning in your organization, which may have a different security posture than the case noted above. If you are having problems or get buried and don’t know where to turn, outsourcing a review or remediation may be a good step. Having knowledgeable people come in and institute best practices while instructing your users in using the device can be a great help, and is a way to improve security posture immediately while still pushing towards more educated and better designed resources and solutions.
