2022-01-20T05:53:00Z

How do you decide about the alert severity in your Security Operations Center (SOC)?

Hi SOC analysts and other infosec professionals,

Which standard/custom method do you use to decide about the alert severity in your SOC? 

Is it possible to avoid being too subjective? How do you fight the "alert fatigue"?

EB
Director of Community at PeerSpot (formerly IT Central Station)
7 Answers
Luis Apodaca - PeerSpot reviewer
IT Support and Network Admin at Escuela Carlos Pereyra
User
Top 5
2022-01-25T14:18:21Z
Jan 25, 2022

I think first of all you need to establish what resources you want to handle in your operation and then how important each one is. Once you have that, try a "Venn diagram" or an "Eisenhower chart" to apply the resolution tools; fatigue comes from not knowing what tool should be used, or whether the resource with an incident is in danger or not.

Only then can you configure some rules; the information coming from there is going to give the necessary details for making more decisions.

Maybe I'm very subjective, but there is a very large group of solutions and strategies. It's not always going to be the same scenario.

So what you need is a criterion, professional skills, and then... being patient and embracing yourself.


Good luck!

Robert Cheruiyot - PeerSpot reviewer
IT Security Consultant at Microlan Kenya Limited
Real User
Top 5 Leaderboard
2022-01-20T08:49:45Z
Jan 20, 2022

Hi @Evgeny Belenky,


I think as long as you do this manually, you will always have to be subjective. One will always say alerts from critical assets come first, setting them with a higher priority.

But the concept of threat intelligence will help. Threat intelligence feeds will help in improving the information about the threats you are handling. Without this, your assets and the rules you set will always say "hey, this is a serious malicious activity" with only brief information, unlike when you get feeds from various sources of threat intelligence.

Fighting alert fatigue - it's good to have playbooks do some repetitive work. If an alert is generated, instead of jumping into all of them as an analyst, a playbook will help you automate some activities like checking file hashes in VirusTotal. At least in the end one will be getting the alerts that matter most, with sufficient information added by the playbooks.

EB
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
Jan 20, 2022

@Robert Cheruiyot thank you for such an in-detail answer!

reviewer1331706 - PeerSpot reviewer
I&T Design & Execution Reliability Engineering Leader at a financial services firm with 10,001+ employees
Real User
Top 5 Leaderboard
2022-01-26T13:13:01Z
Jan 26, 2022

It depends on the information in your current alerts. E.g., if the alert has a priority or severity field, it will be normal to use this field.

I will assume that in your current alert system you do not have a severity or priority field.

The next option would be to look at the alert code. Most alarms have a number or a code indicating the alarm, and it is the reference to documentation: what this alarm means and how to resolve it.

I would then recommend using this code. Get a list of alarm codes, discuss and determine the severity for each code. Once you have this, you should be able to use this list to match alarms and set the automatic severity, timelines, etc.

Jairo Willian Pereira - PeerSpot reviewer
Information Security Manager at a retailer with 10,001+ employees
Real User
Top 5 Leaderboard
2022-02-01T21:45:11Z
Feb 1, 2022

1. Original thresholds from your tool.

2. #1 plus an internal business sense for each asset (other tools, CMDB attributes, SID - Security ID, and/or classification tags: baseline, stringent, internet-facing, workstation...).

3. A combination of both, for example, plus an extra risk-machine indicator, vulnerability exposure, or correlation together with other critical processes.

4. Using a reference framework (NIST) or a mandate from regulators (SEC, ENISA, PCI, HIPAA, ...).

For alert fatigue, you'll need to optimize controls step by step (manually or using automatic/AI features), tuning false positives and filtering inconsistencies based on PDCA/baby-steps/Continuous Improvement models.

BH
IT Security Coordinator at a healthcare company with 10,001+ employees
Real User
Top 5
2022-01-24T14:08:16Z
Jan 24, 2022

I think the first step is configuration.

When teams are first deploying a new tool, working closely with the vendor to set up the best configuration possible, tuning down the alerting for the fewest false positives, is critical to the success of your SOC.

Even paying extra for a 3rd-party tool configuration assessment can be the difference of millions of alerts compared with vendor-recommended alerting.

Then there is a phase of "tuning" where you are in monitor mode to see what the worst and best alerting is, and you go from 80% to 90% false positives. That last 10% is the hardest with each tool and causes the most work and the most pain, but if successful you have less critical alerting firing off each device.

Feeding this to the SIEM is where you get the biggest bang for your buck when doing correlation of events; setting proper alerting triggers even for critical alerts can help you prioritize even those.

If you are looking for 10 alerts in the SIEM out of 6 million, you have to prioritize what sets those 10 above the rest so they stick out the most: critical assets, hashtags, threat feeds, UEBA, etc. All of the things mentioned above are critical to that endeavor.

Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at a tech services company with 201-500 employees
Real User
Expert Moderator
2022-01-20T09:39:00Z
Jan 20, 2022

Hi @Evgeny Belenky,

Below are a few strategies which, if taken into account, can reduce cybersecurity alert fatigue in a SOC.

1. Threat intelligence
2. Native integration
3. Machine learning
4. Watchlists
5. UEBA (User and Entity Behavior Analytics)
6. Automation

Real User
Top 5
2022-12-21T04:17:03Z
Dec 21, 2022

There are various approaches that organizations can take to help ensure that alert severity is properly assessed and to mitigate the impact of alert fatigue.

  • One approach is to use a standardized system for evaluating and assigning severity levels to alerts. For example, organizations may use a scale such as the one defined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which assigns severity levels based on the potential impact and likelihood of an incident.

  • Another approach is to use automated tools or algorithms to help determine the severity of alerts. These tools can analyze the data and context associated with an alert and associated with threat intelligence to help determine its likelihood and impact, which can help reduce subjectivity and improve the accuracy of the severity assessment.

To fight alert fatigue, organizations can adopt a number of strategies, such as:

  • Prioritizing alerts: By prioritizing alerts based on their severity and likelihood of impact, organizations can focus their attention on the most critical incidents and reduce the number of lower-priority alerts that need to be reviewed.

  • Implementing automated triage and response: Automated tools can help analyze and respond to lower-priority alerts, freeing up time and resources for security analysts to focus on more critical incidents.

  • Providing ongoing training and support for security analysts: Ensuring that security analysts have the necessary knowledge and skills to effectively evaluate and respond to alerts can help reduce the burden of alert fatigue.

  • Implementing a robust incident response process: A well-defined and standardized incident response process can help ensure that incidents are handled in an efficient and consistent manner, reducing the need for analysts to constantly reevaluate and respond to alerts.

  • Correlating alerts to stories rather than the alert itself. Evaluate based on stories rather than individual alerts.

  • Leverage AI to identify normal things in your alerts.
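As an added example (not code from any answer in this thread), the Python below puts together the recurring ideas from the replies above: the agreed alarm-code severity list reviewer1331706 describes, the CMDB classification tags and threat-intel enrichment that Jairo and Robert mention, and the "stories rather than individual alerts" grouping from the last answer. Every alarm code, host name, tag and indicator value in it is a constructed placeholder.

```python
from collections import defaultdict

# All alarm codes, hosts, tags and indicators below are constructed placeholders.
LEVELS = {0: "informational", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Hypothetical alarm-code catalogue agreed by the team: code -> base severity (0-4).
ALARM_CODE_BASE = {"AV-1001": 3, "AUTH-4625": 1, "NET-7700": 2}

# Hypothetical CMDB classification tags and the weight each tag adds.
ASSET_CLASS = {"db-prod-01": "stringent", "web-edge-02": "internet-facing",
               "ws-0423": "workstation"}
ASSET_WEIGHT = {"stringent": 2, "internet-facing": 1, "baseline": 0, "workstation": 0}

# Constructed threat-intel indicator set (placeholder values, not real IoCs).
TI_INDICATORS = {"198.51.100.7", "sha256:0000-placeholder-hash"}

def score_alert(alert):
    """Return (score, label) for one alert dict with keys code, host, indicator."""
    base = ALARM_CODE_BASE.get(alert["code"], 1)        # unknown code -> low, never dropped
    tag = ASSET_CLASS.get(alert["host"], "baseline")     # unknown asset -> baseline
    ti_hit = 1 if alert.get("indicator") in TI_INDICATORS else 0
    score = min(base + ASSET_WEIGHT[tag] + ti_hit, 4)    # cap at critical
    return score, LEVELS[score]

def build_stories(alerts):
    """Group alerts by host into stories; a story inherits its highest alert score,
    plus one level when three or more distinct alarm codes fire on the same host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    stories = {}
    for host, items in by_host.items():
        top = max(score_alert(a)[0] for a in items)
        bump = 1 if len({a["code"] for a in items}) >= 3 else 0
        score = min(top + bump, 4)
        stories[host] = {"score": score, "severity": LEVELS[score], "alerts": len(items)}
    return stories

def triage_queue(alerts):
    """Return [(host, story), ...] sorted highest severity first: the analyst's work queue."""
    return sorted(build_stories(alerts).items(), key=lambda kv: kv[1]["score"], reverse=True)

# Constructed sample alerts: a TI-matched AV hit on a stringent DB host, repeated logon
# failures on a workstation, and a network alarm (no TI match) on an internet-facing host.
SAMPLE_ALERTS = [
    {"code": "AV-1001", "host": "db-prod-01", "indicator": "sha256:0000-placeholder-hash"},
    {"code": "AUTH-4625", "host": "ws-0423", "indicator": None},
    {"code": "AUTH-4625", "host": "ws-0423", "indicator": None},
    {"code": "NET-7700", "host": "web-edge-02", "indicator": "203.0.113.9"},
]
```

Running `triage_queue(SAMPLE_ALERTS)` ranks the database host's single TI-matched alert as critical ahead of the two workstation logon failures, which stay low; the same two failures would only climb once more distinct alarms join that host's story.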
