Rapid Security Alert Triage

Are you, like most organizations, processing only a small fraction of your current security alerts? Do you need more security alerts, or do you need to analyze the alerts you already have more effectively?

The current volume of security alerts far exceeds security teams’ capacity to assess whether each one represents an actual security incident or a false positive. With a shortage of skilled security staff, increasing infrastructure complexity, an avalanche of security data, and a more sophisticated and determined adversary, there is no relief on the horizon. Security alert and event analysis is too time-consuming with current tools. See Security Analytics Brings Data Driven Security into the 21st Century.

  • 76% of IT security teams are constantly searching for security tools that make staff more efficient.
  • 74% of security professionals cite challenges with increasing infrastructure complexity and 68% say day-to-day security activities take too much time.

Implications of the Problem

The increasing volume of security alerts can overwhelm already overburdened teams, which now must triage alerts far more rapidly than anyone anticipated. Tool and skillset limitations slow analysis and lead to inaccurate assessment of an alert’s impact and scope. Responding too slowly, or failing to accurately assess an indicator of threat or breach, increases the risk of breach and data loss.

Solution – Immediate Insight

Until now, scaling the alert triage process has required either additional staff or accepting more risk by excluding a portion of alerts from triage altogether. Immediate Insight changes that, enabling existing security teams to triage more alerts and accelerate incident response. Immediate Insight lets analysts triage security alerts and get answers to their queries within seconds, not minutes or hours.

Search and analytics-enabled discovery and analysis let users click through any part of an alert to explore associations, anomalous activity, and changes in behavior, all without learning a query language or regular expressions (regex).

With fast and easy alert and data discovery, Immediate Insight enables users to quickly analyze security alerts, reducing risk for the organization.

Key Features

  • Search responds in seconds, so the cost of a query is negligible, reducing the reluctance to “click through”. (By “click through” we mean investigating the root cause of a specific event. Experience has shown that the investigation process can be long and most often leads to nothing, that is, a false positive.)
  • Correlates infrastructure changes reported by Security Manager with event and infrastructure data. Was an event associated with a change made to the security infrastructure, or with some other external event or threat?
  • Compares events or groups of events across arbitrary time periods: “how does the current activity compare to the previous period, the same time yesterday, or the same time last week?”
  • Teach the system the risk profile of internal assets. Risk profile metadata is automatically added to events and alerts, enabling operators and analysts to focus on the highest-risk incidents and threats.
  • Add personal commentary and context directly to the data. One-click analytics (microscope, metadata, fewer like this, find similar, add note, or alert) give quick access from an event to more detailed information, refined search results, added context, or automatic actions.
  • Implicitly correlates common entities and similar events to show what is associated with the event being analyzed.
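The three analytic ideas in the list above (asset risk metadata attached to alerts, comparison of the current period against the same window in an earlier period, and implicit correlation of alerts that share an entity) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Immediate Insight code and does not reflect how the product scores anything. The alerts, the asset risk table, and the scoring weights are all constructed for the example, and the hostnames and IP addresses are fictitious.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed asset risk profile: the operator "teaches" the system which
# internal hosts matter most. Unknown hosts fall back to "medium".
ASSET_RISK = {"db-prod-01": "critical", "web-01": "high", "dev-box-07": "low"}
RISK_WEIGHT = {"critical": 5, "high": 3, "medium": 2, "low": 1}


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample alerts: two days of activity so that "same time
# yesterday" has a baseline to compare against.
SAMPLE_ALERTS = [
    {"time": ts("2024-05-01T09:05:00"), "src": "10.0.0.5", "dst": "web-01", "rule": "port-scan"},
    {"time": ts("2024-05-01T09:20:00"), "src": "10.0.0.9", "dst": "dev-box-07", "rule": "ssh-brute-force"},
    {"time": ts("2024-05-02T09:02:00"), "src": "10.0.0.5", "dst": "web-01", "rule": "port-scan"},
    {"time": ts("2024-05-02T09:10:00"), "src": "10.0.0.5", "dst": "db-prod-01", "rule": "sql-probe"},
    {"time": ts("2024-05-02T09:30:00"), "src": "10.0.0.5", "dst": "db-prod-01", "rule": "sql-probe"},
    {"time": ts("2024-05-02T09:45:00"), "src": "10.0.0.9", "dst": "dev-box-07", "rule": "ssh-brute-force"},
]
NOW = ts("2024-05-02T10:00:00")
WINDOW = timedelta(hours=1)
ONE_DAY = timedelta(days=1)


def enrich(alert):
    """Attach the asset risk profile to the alert as metadata."""
    out = dict(alert)
    out["asset_risk"] = ASSET_RISK.get(alert["dst"], "medium")
    return out


def in_window(alerts, end, window):
    """Alerts whose time satisfies end - window <= time < end."""
    start = end - window
    return [a for a in alerts if start <= a["time"] < end]


def period_comparison(alerts, key, end, window, offset):
    """Per-entity counts in the current window versus the same window `offset` earlier.

    Returns {entity: (current_count, previous_count)}.
    """
    current = Counter(a[key] for a in in_window(alerts, end, window))
    previous = Counter(a[key] for a in in_window(alerts, end - offset, window))
    return {k: (current.get(k, 0), previous.get(k, 0)) for k in set(current) | set(previous)}


def correlated(alerts, alert):
    """Implicit correlation: other alerts that share the source or destination entity."""
    return [a for a in alerts
            if a is not alert and (a["src"] == alert["src"] or a["dst"] == alert["dst"])]


def find_similar(alerts, alert):
    """The 'find similar' click: other alerts with the same rule and destination."""
    return [a for a in alerts
            if a is not alert and a["rule"] == alert["rule"] and a["dst"] == alert["dst"]]


def triage_score(alert, alerts, end=NOW, window=WINDOW, offset=ONE_DAY):
    """Combine asset risk, growth over the previous period, and entity correlation.

    The weights are arbitrary choices made for this illustration.
    """
    risk = RISK_WEIGHT[enrich(alert)["asset_risk"]]
    cur, prev = period_comparison(alerts, "src", end, window, offset).get(alert["src"], (0, 0))
    growth = max(cur - prev, 0)  # only an increase over the baseline adds weight
    return risk * (1 + growth) + len(correlated(alerts, alert))


def rank_alerts(alerts, end=NOW, window=WINDOW, offset=ONE_DAY):
    """Enriched alerts from the current window, highest triage score first."""
    ranked = []
    for a in in_window(alerts, end, window):
        e = enrich(a)
        e["score"] = triage_score(a, alerts, end, window, offset)
        ranked.append(e)
    return sorted(ranked, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in rank_alerts(SAMPLE_ALERTS):
        print(e["score"], e["asset_risk"], e["dst"], e["rule"], e["src"])
```

On the constructed data the two probes against the critical database host, coming from a source whose activity has tripled since the same hour yesterday, rank first; the brute-force attempt against the low-risk development box, which looks exactly like yesterday's, ranks last. That is the ordering an analyst wants before deciding what to click through.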

Positive Outcome

Disposition incidents and threats as false positives or legitimate more quickly.

Accelerate alert triage and reduce costly escalations and the standing up of incident response teams.

Increase the efficiency and effectiveness of the IT organization in reducing risk and exposure to security threats and breaches.