The Value and Basics of Tuning – Part 2: Leveraging your Tools and Expectations


By Augusto Melo – Information Security Analyst – Intrinium

In this two-part blog series, we will explore how to properly leverage a Security Operations Center (SOC) and a SIEM (Security Information and Event Management) solution to monitor the network and assist in preventing incidents for your company.

In the second part of this series, we will continue to explore the SIEM and what to expect when leveraging both tools.

Every organization at some point will experience a cybersecurity breach. To help prevent such incidents, organizations are encouraged to invest in a SOC (Security Operations Center) operation and a SIEM (Security Information and Event Management) solution to monitor and investigate suspicious network events in real time. By investigating events that could indicate potential compromise, a 24/7/365 SOC operation can drastically reduce the risk of security incidents and associated damages.

Before being able to effectively monitor specific network events and respond to security incidents, a SOC operation needs a reasonable knowledge of the target environment. However, in the pursuit of maximum coverage, and without a proper understanding of the network, many SOCs will adjust their SIEMs to report anything remotely suspicious. Although there is nothing inherently wrong with ensuring you don’t miss suspicious events, this strategy all but guarantees that alerts will become too noisy and flood the SOC with false positives.

As a result, your SOC will begin to experience alert fatigue and gradually become desensitized to potential incidents. In this scenario, the risk of infections increases, and your organization may experience a breach that could have been avoided by simply reducing the volume of false positives.

Although the best event tuning strategies won’t completely eliminate false positives anytime soon, they are still valuable for reducing alert fatigue and the resulting security risks. In the following sections, we share some tips to help you improve your network monitoring while also reducing alert fatigue.

Know Your SIEM 

Once you understand the network, it’s time to understand your SIEM solution. More specifically, what it can and cannot do and how it detects potential incidents. Although modern SIEMs have gradually moved to auto-adaptable machine learning and AI-based detection, heuristics are still heavily used as a simple, cheap and yet effective way – if properly applied – to detect potential incidents. This means that in most SIEMs you can tweak detection rules by manually setting the proper chain of events and thresholds, so they reach optimum accuracy without losing too much visibility. For example, if users forget or mistype their passwords, you may receive excessive amounts of authentication failure alerts during business hours. In this scenario, you may want to increase the detection rule threshold to alert only after several failures by the same user within a short window. This won’t considerably increase the risk of missing an incident and will help reduce the number of false positives.
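To make the threshold example concrete, here is an added illustration (not code from the original post or from any particular SIEM product) of a failed-login rule evaluated over a sliding time window. The event records, user names, hostnames and timestamps are constructed sample data; running the same rule with a threshold of 1 versus 5 shows how a mistyped password stops generating alerts while a burst of failures still does.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# (ISO timestamp, user, source host, event type)
EVENTS = [
    ("2024-03-04T09:00:05", "alice", "WS-01", "auth_failure"),  # typo
    ("2024-03-04T09:00:40", "alice", "WS-01", "auth_failure"),  # typo again
    ("2024-03-04T09:02:10", "alice", "WS-01", "auth_success"),  # got it right
    ("2024-03-04T09:05:00", "bob", "WS-02", "auth_failure"),    # rapid burst
    ("2024-03-04T09:05:03", "bob", "WS-02", "auth_failure"),
    ("2024-03-04T09:05:06", "bob", "WS-02", "auth_failure"),
    ("2024-03-04T09:05:09", "bob", "WS-02", "auth_failure"),
    ("2024-03-04T09:05:12", "bob", "WS-02", "auth_failure"),
    ("2024-03-04T09:05:15", "bob", "WS-02", "auth_failure"),
]


def failed_login_alerts(events, threshold, window_seconds):
    """Raise one alert per user each time that user accumulates
    `threshold` auth failures inside a sliding window of `window_seconds`.
    Returns a list of (user, host, first_failure, last_failure) tuples."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> failure timestamps still in window
    alerts = []
    for ts, user, host, event in sorted(events):
        if event != "auth_failure":
            continue  # successes are not counted toward the rule
        now = datetime.fromisoformat(ts)
        failures = recent[user]
        failures.append(now)
        # Evict failures that have aged out of the window.
        while failures and now - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append((user, host, failures[0].isoformat(), now.isoformat()))
            failures.clear()  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    # Untuned rule: every single failure pages the SOC (8 alerts here).
    print("threshold=1:", len(failed_login_alerts(EVENTS, 1, 60)), "alerts")
    # Tuned rule: 5 failures within 60 seconds; only bob's burst fires.
    for alert in failed_login_alerts(EVENTS, 5, 60):
        print("threshold=5:", alert)
```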

Know What to Expect 

Although we expect SIEMs and the SOC to detect anomalies of all kinds in real time, it is important to know what you are looking for and what to expect. When deploying a SIEM, your SOC will be alerted to all kinds of events, but some events do not pose considerable risk when contextualized to your organization. For example, if you spot an exploitation attempt that only affects Linux hosts being made against a Windows server, your SOC will likely mark any further alerts as noisy false positives after the first investigation. Therefore, be prepared to tune out alerts that don’t apply to your network as soon as they start affecting your team’s performance, so the proper focus is given to higher-risk events. In other words, if an alert doesn’t apply to your network, don’t alert.

Following these tips will help you fight alert fatigue and ensure your team focuses on what matters most. But remember, completely eliminating the risk of infections is impossible as long as you’re connected to the internet. Moreover, even with the best tuning strategies, missing something important is still possible. This is not a deal breaker. After all, in information security, everything comes down to managing risk, and the risk posed by alert fatigue needs to be balanced against the visibility you give up by suppressing noise. If you would like to learn more about this topic or have any further questions, we invite you to contact us today.
