We're about to throw some numbers at you, but bear with us: We think you'll find this fascinating. 

There are 86,400 seconds in a day. Compare that to the average daily noise created by security information and event management (SIEM) solutions – anywhere between 10,000 and 150,000 alerts – and what are you left with? 

Well, let's say you have 24/7 analyst-supported monitoring. At the low end, 10,000 alerts a day gives a single analyst about 8.6 seconds per alert; with two security analysts staffed, about 17 seconds, which is still only a fraction of a minute. At the high end, 150,000 alerts a day leaves roughly 0.6 seconds to investigate each alert. Even with five security analysts staffed 24/7/365, that's under three seconds per alert for forensics. Most people can't even tie their shoes that quickly. 

This is to say, there literally aren't enough hours in a day to handle security alerts. 

A tightrope of terror

It's fair to say that many organizations are walking a very fine line when it comes to security analysis. To reduce the number of false positives, analysts tune detection rules and configurations to scale back the noise. Of course, this is a tough balancing act: suppress too aggressively and you risk false negatives, i.e., threats that would have been detected under stricter configurations.

Conversely, tuning rules too sensitively produces an unfavorable quantity of false positives. This risks spreading your security analysts' attention too thin as they triage innocuous alerts, which is problematic for several key reasons:

  1. Analyzing large amounts of false positives is not the best use of your resources, and there is in fact such a thing as security ROI.
  2. Haste makes waste, as they say; a rushed security analyst is a less effective security analyst.
  3. Alert fatigue creates an overly stressful work environment for analysts, and that expertise is difficult to replace should it jump ship to a business that supplies better threat detection and response resources.

In other words, there's much more at stake than just your overall security posture. There's the risk of money wasted chasing dead-end alerts, and there's the ever-present concern that you'll lose your analysts, who are easily your security operations center's most valuable resource. 

One strategic misstep, and it's a long way down. 

The automation X-factor: Context

Intelligent security automation can contextualize security alerts more deeply than a standard SIEM. Just because a certain network event deviates from a configured baseline doesn't mean it's a true indicator of compromise (IOC). A security automation platform can determine this for itself because advanced correlation and machine learning allow it to develop a thorough understanding of historically threatening and non-threatening behaviors.

As a result, that platform can automatically classify certain alerts as being the lowest priority. This facilitates the creation of a tiered ranking system by which analysts can determine how to most effectively utilize their time. Only the top-ranking alerts will be investigated in depth. The outcomes of those investigations are subsequently looped back into the security automation platform for future context. In this way, the platform quite literally learns. 
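To make the tiered ranking and feedback loop concrete, here is an added Python example. It is not LogicHub's code and does not describe any particular product's internals; it assumes a deliberately simple model in which each alert carries a base severity from its rule (1 to 5), the platform tracks how often alerts from the same (rule, host) context were confirmed malicious, and priority is severity weighted by a Laplace-smoothed true-positive rate. The tier thresholds, the prior, and the sample alerts and analyst verdicts are all constructed for illustration.

```python
"""Added example (not LogicHub's code): rank SIEM alerts into tiers using
historical analyst verdicts for the same (rule, host) context, and feed each
new verdict back so the ranking adapts. All data here is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    id: str
    rule: str        # name of the detection rule that fired
    host: str        # asset the rule fired on
    severity: int    # base severity assigned by the rule, 1 (low) .. 5 (high)


@dataclass
class Ranker:
    # Per (rule, host) context: how many alerts analysts closed, and how many
    # of those were confirmed true positives. Both are assumed to start empty.
    seen: dict = field(default_factory=lambda: defaultdict(int))
    true_pos: dict = field(default_factory=lambda: defaultdict(int))
    # Assumed prior true-positive rate for a context with no history. Keeping
    # it at 0.5 means a never-seen context lands in the middle rather than
    # being suppressed before anyone has looked at it.
    prior_rate: float = 0.5

    def tp_rate(self, rule: str, host: str) -> float:
        # Laplace-smoothed estimate: (k + 2*prior) / (n + 2). With n == 0 this
        # is exactly the prior; with many verdicts it converges on the
        # observed rate for that context.
        n = self.seen[(rule, host)]
        k = self.true_pos[(rule, host)]
        return (k + 2 * self.prior_rate) / (n + 2)

    def score(self, alert: Alert) -> float:
        # Priority = base severity weighted by how often this context has
        # actually turned out to be malicious.
        return alert.severity * self.tp_rate(alert.rule, alert.host)

    def tier(self, alert: Alert) -> str:
        # Assumed thresholds: P1 investigated in depth, P2 queued, P3 sampled.
        s = self.score(alert)
        if s >= 2.0:
            return "P1"
        if s >= 1.0:
            return "P2"
        return "P3"

    def rank(self, alerts: list) -> list:
        # Highest-priority alerts first; this is the analyst's work queue.
        return sorted(alerts, key=self.score, reverse=True)

    def feedback(self, alert: Alert, is_true_positive: bool) -> None:
        # Analyst disposition closes the loop: the verdict changes how future
        # alerts from the same (rule, host) context are ranked.
        self.seen[(alert.rule, alert.host)] += 1
        if is_true_positive:
            self.true_pos[(alert.rule, alert.host)] += 1


def demo():
    """Constructed scenario: the same rule firing on a noisy admin jump host
    and on an HR laptop, before and after analysts close the jump-host alerts
    as benign. Returns (tiers before, tiers after, queue order after)."""
    r = Ranker()
    noisy = Alert("a1", "psexec-lateral", "jump01", severity=4)
    rare = Alert("a2", "psexec-lateral", "hr-laptop07", severity=4)
    before = (r.tier(noisy), r.tier(rare))
    # Analysts investigate 18 jump-host alerts and close every one as benign
    # administrative activity (constructed verdicts).
    for _ in range(18):
        r.feedback(noisy, is_true_positive=False)
    after = (r.tier(noisy), r.tier(rare))
    order = [a.id for a in r.rank([noisy, rare])]
    return before, after, order


if __name__ == "__main__":
    print(demo())  # the jump-host alert sinks to P3; the laptop alert stays P1
```

The point of the smoothing prior is that a context the platform has never seen is not automatically trusted or distrusted; only accumulated analyst verdicts move it. The practitioner's caveat is the flip side: an attacker who can operate inside a context analysts have repeatedly closed as benign (the jump host above) inherits that suppression, so the lowest tier should still be sampled and periodically audited rather than silently dropped.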

So while the days certainly aren't getting any longer and cybercrime isn't getting any less prolific, we still have an edge over the black hats. 

Let's use it. 

