Hi SOC analysts and other infosec professionals,
Which standard/custom method do you use to decide about the alert severity in your SOC?
Is it possible to avoid being too subjective? How do you fight "alert fatigue"?
Hi @Evgeny Belenky,
I think as long as you do this thing manually, you will always have to be subjective. One will always say alerts from critical assets come first, giving them higher priority.
But the concept of threat intelligence will help. Threat intelligence feeds will help in improving information about the threats you are handling. Without this, your assets and rules you set will always say "hey, this is a serious malicious activity" with brief information unlike when you get feeds from various sources of threat intelligence.
Fighting alert fatigue - It's good to have playbooks do some repetitive work. If an alert is generated, instead of jumping into all of them as an analyst, a playbook will help you automate some activities like checking file hashes in VirusTotal. At least in the end one will be getting the alerts that matter most, with sufficient information added by playbooks.
Regional Manager/ Service Delivery Manager at a tech services company with 201-500 employees
Jan 20, 2022
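One way to make the prioritisation described in the answer above less subjective, as an added illustration that is not part of the original thread: a small triage routine that enriches each alert from a threat-intel feed (a playbook step), scores it from the rule's base severity plus asset criticality plus a bonus for a feed match, and collapses repeated alerts for the same rule and asset into one row. The asset ratings, feed entries and alerts are constructed sample data, not from any real environment.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): asset -> criticality 1 (low) .. 3 (high).
ASSET_CRITICALITY = {"db-prod-01": 3, "hr-laptop-17": 2, "kiosk-lobby": 1}
# Constructed threat-intel feed: indicator -> short context string an analyst would want.
TI_FEED = {
    "198.51.100.23": "flagged as C2 infrastructure (feed A)",
    "constructed-hash-0001": "commodity loader sample (feed B)",
}

@dataclass
class Alert:
    rule: str
    asset: str
    indicators: list
    base: int                    # rule author's severity, 1 (low) .. 3 (high)
    context: list = field(default_factory=list)

def enrich(alert, ti_feed=TI_FEED):
    """Playbook step: attach feed context so nobody has to look each indicator up by hand."""
    alert.context = [f"{i}: {ti_feed[i]}" for i in alert.indicators if i in ti_feed]
    return alert

def score(alert, criticality=ASSET_CRITICALITY):
    """Severity = base + asset criticality (unknown assets count as 1) + 2 on a feed hit, capped at 10."""
    ti_bonus = 2 if alert.context else 0
    return min(10, alert.base + criticality.get(alert.asset, 1) + ti_bonus)

def triage(alerts):
    """Enrich and score every alert, de-duplicate on (rule, asset), highest severity first."""
    grouped = {}
    for a in alerts:
        enrich(a)
        key = (a.rule, a.asset)
        if key in grouped:
            grouped[key]["count"] += 1           # same finding again: count it, don't re-page anyone
        else:
            grouped[key] = {"rule": a.rule, "asset": a.asset, "severity": score(a),
                            "count": 1, "context": a.context}
    return sorted(grouped.values(), key=lambda r: (-r["severity"], -r["count"]))

def sample_queue():
    """Constructed alert queue: one feed-matched event on a critical asset, noisy kiosk logins, one unknown hash."""
    return [
        Alert("outbound-connection", "db-prod-01", ["198.51.100.23"], base=2),
        Alert("failed-login", "kiosk-lobby", [], base=1),
        Alert("failed-login", "kiosk-lobby", [], base=1),
        Alert("failed-login", "kiosk-lobby", [], base=1),
        Alert("new-binary-hash", "hr-laptop-17", ["constructed-hash-9999"], base=2),
    ]

if __name__ == "__main__":
    for row in triage(sample_queue()):
        print(row["severity"], row["count"], row["rule"], row["asset"], row["context"])
```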
Hi @Evgeny Belenky,
Below are a few strategies that, if taken into account, can reduce cybersecurity alert fatigue in a SOC.
1. Threat intelligence
2. Native integration
3. Machine learning
5. UEBA (User and Entity Behavior Analytics)
We receive alerts all day long - alerts about emails, incoming Whatsapps and SMSes, posts on social media, etc. At some point we become desensitized to these alerts and stop noticing them anymore - a phenomenon known as “alert fatigue.” Seventy percent of a SOC analyst’s workday is spent dealing with alerts, so SOC analysts are more at risk for alert fatigue than pretty much anyone else.
Mitigation is taking your car in for an oil change and tune up.
Remediation is them finding you have a blown gasket seal and replacing the parts and greasing the engine to make sure your engine doesn't blow. AKA security vulnerability management.
Mitigation: the act of reducing how harmful, unpleasant or bad something is.
Remediation: the process of improving or correcting a situation.
Please, see this material from CERT and check phases and differences.
Mitigation is pre-emptive. Remediation is reactive. Others have provided excellent examples.
Mitigation is the implementation of RAID storage.
Remediation is the recovery of a failed disk.
Both may be needed over the lifecycle, but the level of effort for remediation is much higher and the quality of recovery is significantly lower without mitigation. Net, the cost of doing business is higher without mitigation.
Let's say in an IT environment:
"Mitigation" moves your virtual machines or containers to another Virtualization server to keep production while you find and solve the problem.
"Remediation" is, in fact, finding the problem, solving it, taking notes and preventing it from happening again.
Those are just examples.
Mitigation is changing the flat tire. Remediation is getting the nails off the road.