We're about to throw some numbers at you, but bear with us: We think you'll find this fascinating. 

There are 86,400 seconds in a day. Compare that to the average daily noise created by security information and event management (SIEM) solutions, anywhere between 10,000 and 150,000 alerts, and what are you left with? 

Well, let's say you have 24/7 analyst-supported monitoring. In that case, the low end, 10,000 alerts, gives a single analyst about 8.6 seconds per alert, or roughly 17 seconds with two analysts staffed, which is still only a fraction of a minute. The high end, 150,000 alerts, leaves under 0.6 seconds per alert. Assuming you have five security analysts staffed 24/7/365, that's still only about 2.9 seconds per alert for forensics. Most people can't even tie their shoes that quickly. 

This is to say, there literally aren't enough hours in a day to investigate every security alert by hand. 

A tightrope of terror

It's fair to say that many organizations are walking a very fine line when it comes to security analysis. To cut down on false positives, analysts tune detection rules and thresholds to suppress noise. Of course, this is a tough balancing act: tune too loosely and you risk false negatives, i.e., threats that a stricter configuration would have caught.

Conversely, make the rules too sensitive and you end up with an unmanageable volume of false positives. That spreads your security analysts' attention too thin as they triage innocuous alerts, which is problematic for several key reasons:

  1. Analyzing large amounts of false positives is not the best use of your resources, and there is in fact such a thing as security ROI.
  2. Haste makes waste, as they say; a rushed security analyst is a less effective security analyst.
  3. Alert fatigue makes for an overly stressful work environment, and that expertise is difficult to replace should it jump ship for a business that supplies better threat detection and response resources.

In other words, there's much more at stake than just your overall security posture. There's the money wasted chasing dead-end alerts, and there's the ever-present risk that you'll lose your analysts, who are easily your security operations center's most valuable resource. 

One strategic misstep, and it's a long way down. 

The automation X-factor: Context

Intelligent security automation can contextualize security alerts more deeply than a standard SIEM. Just because a network event deviates from a baseline or trips a rule doesn't mean it's a true indicator of compromise (IOC). A security automation platform can weigh that for itself, because correlation across data sources and machine learning let it build a thorough picture of which behaviors have historically been threatening and which have not.

As a result, the platform can automatically classify certain alerts as lowest priority. That supports a tiered ranking by which analysts decide where their limited time goes: only the top-ranking alerts get an in-depth investigation. The verdicts from those investigations are then fed back into the platform as context for the next round of scoring. In this way, the platform quite literally learns. 
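The tiered ranking and feedback loop described above, as an added worked example in Python. This is illustrative code written for this page, not LogicHub's code or any product's scoring logic. Everything in it is an assumption: an alert is a dict with a rule name, a host and a 1-10 severity; history is keyed on the (rule, host) signature; the Laplace prior of one true and one false positive and the P1/P2/P3 thresholds are arbitrary choices. The prior is the caveat a practitioner would want: a signature the platform has never seen scores at a neutral 0.5 rather than being suppressed as noise, so novelty is never silently ignored. The daily_capacity helper ties the ranking back to the seconds-per-alert arithmetic at the top of the post. The sample alerts and the verdict history are constructed.

```python
"""Feedback-driven alert triage (added illustration; not LogicHub's code).

Assumptions, none taken from the post: an alert is a dict with 'id', 'rule',
'host' and a 1-10 'severity'; history is keyed on (rule, host); the prior
and the tier thresholds are illustrative choices.
"""
from collections import defaultdict

SECONDS_PER_DAY = 86_400

# Constructed sample alerts for one day's queue (not real telemetry)
SAMPLE_ALERTS = [
    {"id": 1, "rule": "brute_force_login", "host": "vpn-gw-01", "severity": 8},
    {"id": 2, "rule": "new_admin_account", "host": "dc-01", "severity": 10},
    {"id": 3, "rule": "port_scan", "host": "scanner-01", "severity": 4},
    {"id": 4, "rule": "outbound_dns_spike", "host": "ws-0217", "severity": 7},
]


class TriageModel:
    """Scores alerts by rule severity discounted by how often the same
    signature turned out to be noise, then buckets them into tiers."""

    def __init__(self, prior_tp=1, prior_fp=1):
        # Laplace prior: a never-seen signature gets a neutral 0.5, so novel
        # alerts are neither trusted blindly nor suppressed as noise.
        self.prior_tp = prior_tp
        self.prior_fp = prior_fp
        # {signature: [true_positive_count, false_positive_count]}
        self.history = defaultdict(lambda: [0, 0])

    @staticmethod
    def signature(alert):
        return (alert["rule"], alert["host"])

    def tp_rate(self, alert):
        """Smoothed fraction of past verdicts on this signature that were real."""
        tp, fp = self.history[self.signature(alert)]
        return (tp + self.prior_tp) / (tp + fp + self.prior_tp + self.prior_fp)

    def score(self, alert):
        return alert["severity"] * self.tp_rate(alert)

    def tier(self, alert):
        s = self.score(alert)
        if s >= 5.0:
            return "P1"   # investigate in depth
        if s >= 2.5:
            return "P2"   # investigate if capacity allows
        return "P3"       # bulk review / auto-close with sampling

    def record_verdict(self, alert, verdict):
        """Analyst outcome fed back as context for future scoring."""
        counts = self.history[self.signature(alert)]
        if verdict == "true_positive":
            counts[0] += 1
        elif verdict == "false_positive":
            counts[1] += 1
        else:
            raise ValueError(f"unknown verdict: {verdict!r}")

    def rank(self, alerts):
        return sorted(alerts, key=self.score, reverse=True)


def daily_capacity(analysts, seconds_per_case):
    """How many alerts can get a genuine investigation in one 24h day."""
    return analysts * SECONDS_PER_DAY // seconds_per_case


def plan_day(model, alerts, analysts, seconds_per_case):
    """Split the ranked queue into what gets investigated in depth today
    and what is deferred to bulk review."""
    ranked = model.rank(alerts)
    n = daily_capacity(analysts, seconds_per_case)
    return ranked[:n], ranked[n:]


def demo():
    """Seed constructed verdict history and return the trained model."""
    model = TriageModel()
    # The authorized vulnerability scanner trips port_scan daily; analysts
    # have closed it as benign nine times.
    for _ in range(9):
        model.record_verdict(SAMPLE_ALERTS[2], "false_positive")
    # DNS spikes from ws-0217 were confirmed malicious three times before.
    for _ in range(3):
        model.record_verdict(SAMPLE_ALERTS[3], "true_positive")
    return model


if __name__ == "__main__":
    m = demo()
    todo, deferred = plan_day(m, SAMPLE_ALERTS, analysts=1, seconds_per_case=43_200)
    for a in m.rank(SAMPLE_ALERTS):
        print(a["id"], a["rule"], a["host"], m.tier(a), round(m.score(a), 2))
    print("investigate:", [a["id"] for a in todo], "defer:", [a["id"] for a in deferred])
```

Keying history on (rule, host) rather than on the rule alone is deliberate: nine benign verdicts on the authorized scanner drop that one signature to P3, but a port_scan from any other host still scores at the neutral prior. Note also that a single confirmed true positive on a signature with a long benign history does not flip it back to P1; if that is the wrong behavior for a given rule, the fix is a smaller history window or a rule-specific prior, not a larger severity.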

So while the days certainly aren't getting any longer and cybercrime isn't getting any less prolific, we still have an edge over the black hats. 

Let's use it. 

