Most of the day-to-day grind of security analysts comes down to investigating alerts, and altogether too many of them, on most days. Nevertheless, alerts exist for a reason and are the way analysts know something’s gone wrong and could get worse.
One way to make alert investigation not only more reasonable but more successful is to have the right tools and technologies on hand. Just like landscaping is easier with excavators than with picks and shovels, so the right high-powered solutions can take the same messy job and make it that much better.
Here are some places in which the right alert investigation technologies can make a world of difference to your SOCs. While not exhaustive, they cover a broad range and constitute a good start.
We’re (Still) Drowning in Alerts
Increased cyber threats mean increased cybersecurity solutions. Sometimes, too many of them, and not the right ones. Or rather, ones that don’t play well with others. The key to efficient and effective alert investigations is to find the tools that will bring disparate data streams together, so you have the most relevant alert information all in one place.
When you have too many solutions, they end up underutilized, unused (“shelfware”), or just contributing to alert fatigue and an environment too complex to handle. Consequently, many blind spots pop up because analysts don’t have time to address so many alerts coming from so many different sources. An IDC study reports that between 23% and 30% of alerts get ignored in companies with 500 to 5,000 employees. With the right tools, that doesn’t need to happen.
Want Network Context? SIEM logs.
One of the prime benefits of a Security Information and Event Management (SIEM) solution is that it collects logs – lots and lots of logs – from across different network solutions so you can go back and reference them for current investigations.
Sometimes, you’ve seen the same exploit before. By alerting on suspicious network activities such as the presence of malware, port scanning, or unauthorized access attempts, SIEMs aggregate important and corroborative evidence for future attacks. For example, if an IP address breached your network, you could look through your aggregated SIEM logs (from your firewall, IDS, IPS, and web server) and find out where else that IP address might have impacted your network, giving you your next clue.
While SIEM logs are great for bringing together network data, they are outclassed in scope by another great investigative tool; XDR.
Still Not Enough Visibility? Try XDR.
Extended Detection and Response (XDR) differs from a SIEM solution in that it covers not only what a SIEM does but also:
- Endpoint data
- Cloud environments
- Network traffic
It provides advanced analytics and AI-based detection capabilities to detect hard-to-catch anomalies across your network environment. Integrating even more tools and telemetries is what allows XDR to make such a big investigative difference.
As Marc Solomon, Chief Marketing Officer of ThreatQuotient, puts it, “In addition to enabling data flow and enrichment with context, integration also breaks down the silos teams operate within so they can see the big picture of what is truly happening across the environment and investigate further.” The more visibility you have into your environment, the more you can see the full story behind alerts.
Need More Hands-On-Deck? How About MDR?
Another savvy solution for alert investigation is a simple one: more tools, and more talent. Managed Detection and Response (MDR) providers offer outsourced SOCs to help with advanced threat detection, investigation, and response. They can provide 24/7 coverage of your endpoints, cloud environment, and on-premises resources, from taking in alerts to shutting down threats.
When it comes to investigations, MDR providers can automate the investigation process by collecting data (logs, telemetry, etc.) from your environment and analyzing it using threat intelligence, analytics, and human expertise. Their access to experienced cybersecurity professionals and vast amounts of threat data let them put you ahead of the game when it comes to beating the latest threats – even if you don’t have the internal resources to do so.
Need More Critical Thinking? There’s AI!
While tools are wonderful, they are only as useful as the person using them. After all is said and done, so much of alert investigation is guided by the analysts themselves. And so much of that success depends on knowing how to get to relevant information when the tools and technologies aren’t up to par. What do you do then?
Grant Oviatt, Head of SecOps at Prophet Security, notes, “If you’re lacking a threat intelligence team or your security products don’t explain their alerts adequately, there’s a wealth of open-source intelligence available. Often, a simple Google search, a check on VirusTotal, or a query to ChatGPT about the relevant details or alert content can yield deeper insights to steer the investigation forward.”
The ability to find information in cybersecurity is just as valuable, if not more, than the ability to memorize it. AI has made it very easy to retrieve and correlate information and apply human-level reasoning to it. As threat actors are always changing their tactics, the ability to think critically and problem-solve is one of the best alert investigation tools an analyst can have.
Conclusion
Alert investigation is one of those areas of cybersecurity that will always be improved upon, as it is the gateway to so many incidents that occur in plain sight. Bespoke tools and technologies are the alarm systems that are our first indication that something went wrong, and they need to be in place; the more comprehensive, readable, and manageable, the better.
But lastly, without the ability to think and find information on your own, you will always be bound to the inevitable limitations of even the best solutions. Learn to think critically. Learn the places where additional threat intelligence can be found. And make yourself into one of the most invaluable alert investigation tools in your organization.
About the author
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
