9 steps to creating a narrative for security alerts that will make your team pay attention

Alert fatigue is dangerous for infosec pros not only because it wears them out; it also numbs them into ignoring evidence of a real attack. That reportedly was a factor in the 2013 Target breach.

The solution isn’t for the SIEM or similar system to deliver fewer alerts, but to push out ones with better context so the security team can make better decisions.

Easy to say but harder to do. But Joshua Goldfarb of intrusion detection vendor FireEye has come up with a solution he calls a “narrative-driven” security model to get it going. Each event needs a narrative around it: when it happened, on which device(s) it happened, whether it looks like a targeted attack, and so on. Briefly, the idea is to funnel to the team a reasonably-sized queue of narratives. In a recent column Goldfarb offered a nine-step process for getting there. It’s an approach CISOs should think about. The steps are:

1. Identify the organization’s risks, goals, and priorities;

2. Identify and fill gaps in your log and other data;

3. Develop content that links prioritized risks and threats to activity;

4. Improve the signal-to-noise ratio to get a small number of more reliable, higher-fidelity alerts based upon the content;

5. Concentrate alerts into a unified work queue;

6. Enrich with automated supporting evidence such as the user, asset(s) and common procedural steps;

7. Automate common analysis steps;

8. Interleave intelligence on the threat — is it mass malware or targeted? Is a particular repetitive network activity caused by a misconfiguration, or does it match a pattern often used by a specific attack group?

9. Finally, send the narrative. Ideally, far less work is now required for the analyst to make an informed decision, Goldfarb writes. “Detection is greatly improved, as alerts no longer fall through the cracks or fly under the radar. Analysts spend less time waiting for queries to return, making them far more efficient. Response is much more rapid, as the time to an informed decision is greatly reduced.”
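As an added illustration of steps 4 through 9 (this is example code written for this page, not code from Goldfarb, FireEye or the column), here is a small Python pipeline run over constructed sample alerts: it collapses repeated firings of the same rule, concentrates everything about one source/user pair into a single queue entry, enriches that entry from hypothetical asset and user tables, applies a simple automated scoring step, tags it with a constructed threat-intelligence label (targeted versus likely misconfiguration), and renders one narrative per entry. The field names, lookup tables, intel labels and scoring weights are all assumptions made for the example.

```python
"""Toy alert-to-narrative pipeline (added example; all data below is constructed)."""
from dataclasses import dataclass, field

# Raw alerts as a SIEM might emit them (hypothetical field names, constructed values).
RAW_ALERTS = [
    {"ts": "2024-05-01T09:02:11Z", "src": "10.1.4.22", "user": "jdoe",
     "rule": "Suspicious PowerShell", "sev": 3},
    {"ts": "2024-05-01T09:02:40Z", "src": "10.1.4.22", "user": "jdoe",
     "rule": "Outbound to rare domain", "sev": 2},
    {"ts": "2024-05-01T09:03:05Z", "src": "10.1.4.22", "user": "jdoe",
     "rule": "Suspicious PowerShell", "sev": 3},          # repeat of the first alert
    {"ts": "2024-05-01T09:10:00Z", "src": "10.1.9.7", "user": "svc-backup",
     "rule": "Repeated SMB auth failure", "sev": 1},
]

# Enrichment tables a real pipeline would pull from a CMDB, IAM and a CTI feed (constructed).
ASSETS = {
    "10.1.4.22": {"host": "FIN-LAPTOP-07", "criticality": "high", "owner_dept": "finance"},
    "10.1.9.7": {"host": "BKUP-SRV-02", "criticality": "medium", "owner_dept": "it"},
}
USERS = {
    "jdoe": {"role": "controller", "privileged": False},
    "svc-backup": {"role": "service account", "privileged": True},
}
INTEL = {  # hypothetical intel verdicts per detection rule
    "Suspicious PowerShell": "targeted",
    "Outbound to rare domain": "targeted",
    "Repeated SMB auth failure": "likely misconfiguration",
}


@dataclass
class Narrative:
    src: str
    user: str
    rules: dict = field(default_factory=dict)   # rule name -> occurrence count
    max_sev: int = 0
    first_seen: str = ""
    last_seen: str = ""
    asset: dict = field(default_factory=dict)
    user_ctx: dict = field(default_factory=dict)
    verdict: str = ""
    score: int = 0


def concentrate(raw_alerts):
    """Steps 4-5: fold repeated rule firings and everything about one (src, user) into one entry."""
    queue = {}
    for a in sorted(raw_alerts, key=lambda a: a["ts"]):
        key = (a["src"], a["user"])
        n = queue.setdefault(key, Narrative(src=a["src"], user=a["user"], first_seen=a["ts"]))
        n.rules[a["rule"]] = n.rules.get(a["rule"], 0) + 1
        n.max_sev = max(n.max_sev, a["sev"])
        n.last_seen = a["ts"]
    return list(queue.values())


def enrich(n):
    """Step 6: attach asset and user context; unknown lookups are labelled rather than dropped."""
    n.asset = ASSETS.get(n.src, {"host": "unknown", "criticality": "unknown", "owner_dept": "unknown"})
    n.user_ctx = USERS.get(n.user, {"role": "unknown", "privileged": False})
    return n


def interleave_intel(n):
    """Step 8: one rule tied to targeted tradecraft makes the whole narrative targeted."""
    labels = {INTEL.get(r, "unclassified") for r in n.rules}
    if "targeted" in labels:
        n.verdict = "targeted"
    elif "likely misconfiguration" in labels:
        n.verdict = "likely misconfiguration"
    else:
        n.verdict = "commodity/unclassified"
    return n


def score(n):
    """Step 7: an automated analysis step producing a number the analyst can sort the queue on."""
    s = n.max_sev * 10 + (len(n.rules) - 1) * 5           # severity plus distinct-rule diversity
    s += {"high": 15, "medium": 5}.get(n.asset["criticality"], 0)
    s += 10 if n.user_ctx["privileged"] else 0
    s += 20 if n.verdict == "targeted" else 0
    n.score = s
    return n


def render(n):
    """Step 9: the single narrative line the analyst actually reads."""
    rules = ", ".join(f"{r} (x{c})" for r, c in n.rules.items())
    return (f"[{n.score}] {n.verdict.upper()}: {n.asset['host']} ({n.src}, {n.asset['criticality']} "
            f"criticality, {n.asset['owner_dept']}) used by {n.user} ({n.user_ctx['role']}); "
            f"{rules}; window {n.first_seen} .. {n.last_seen}")


def run_pipeline(raw_alerts):
    """Whole chain: concentrate -> enrich -> intel -> score, highest priority first."""
    queue = [score(interleave_intel(enrich(n))) for n in concentrate(raw_alerts)]
    return sorted(queue, key=lambda n: n.score, reverse=True)


if __name__ == "__main__":
    for narrative in run_pipeline(RAW_ALERTS):
        print(render(narrative))
```

Four raw alerts become two queue entries: the finance laptop with two distinct targeted-tagged rules lands on top, and the backup server's repeated authentication failures are surfaced as a probable misconfiguration with a much lower score, which is the kind of triage decision the narrative is meant to make cheap for the analyst.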

Most alerting technologies are too noisy and show too little context, Goldfarb has written, preventing enterprises from properly understanding which alerts to focus on and in what context they fired. And forensics technologies perform too slowly to allow enterprises to rapidly assemble a detailed picture of the narrative and identify what needs to be contained.

Will his system work for every CISO? That can be answered only by looking at your organization’s history of dealing with alerts. But if you’re unsatisfied with what’s being done now


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
