Last Updated on April 1, 2023
In today’s busy business environments, NOC teams either investigate alerts one by one, start ignoring some of them, outsource, or look for automated solutions to help them prioritize and sort the heap of incoming alarms.
The trouble is that most alarms are either unimportant or can be resolved by a routine, scripted fix that requires no human intervention. Without an automated triage system, however, investigating them manually remains time-consuming and puts a lot of stress on the engineers.
An alternative currently gaining momentum is to train AI-based tools to do this work, an approach best described as AI-powered process automation of alert triage (see Siscale’s Arcanna.ai for more details). The goal is to escalate only the few critical alerts to the human team, avoid false positives, and ensure that no crucial alert is dismissed as trivial and overlooked.
How does alert triage work?
When an alert is created, the triage system decides whether it should be closed, deferred or escalated. When the alert reflects an actual breach, triage should classify it as high risk and high priority and notify the NOC or SOC team immediately.
This process compares the alert’s signature with historical logs, previous breach cases and other accumulated know-how. Each evaluation looks at the affected assets, the source and apparent intent of the attack, how the attack is unfolding, and so on. The goal of triage is to gather this context as quickly as possible and assign the alert a severity score.
For this to work in automated form, the organization first needs to define the ground rules as documented processes: which assets matter most, which conditions count as dangerous, and at what threshold an alert is escalated. Clear definitions and thresholds alone can reduce alert noise considerably.
When performing threat detection, the process first identifies the potential problem by evaluating the entry point, the damage already done, and the magnitude of the problem. The second step is to put the threat into a broader context, and the last step is to contain the attack, neutralize it, and restore the system to a known-good state, documenting every action taken along the way.
The most significant issues are the volume of incoming alerts and the rate of false positives.
In an ideal setting, the know-how of all team members is saved into a shared library and consolidated to improve incident response time and solutions specifically for your organization’s setup.
AI-powered decision support
Customizing alert responses to your organization is a job for an AI-based tool that learns from your company’s own data and translates that knowledge into appropriate responses. Once training and calibration are complete, the system saves time and resources by applying the resulting decision matrix automatically.
Compared to other monitoring tools, the difference is that AI alert triage is all about putting things into context and investigating each event as part of a more extensive system to determine if it can be closed and marked as safe or needs to be acted upon quickly.
Artificial intelligence (AI) helps support teams eliminate false positives through root cause analysis. This technique tries to find the actual trigger of the alert instead of treating only its symptoms. The algorithm works upstream through the chain of possible causes, computing the correlation between events at each step. Causality is also considered, and each event is continuously compared against similar patterns in an existing database.
For example, Siscale’s Arcanna.ai triage process continuously receives data from the monitored systems and escalates those alerts that tick all the boxes of a disaster waiting to happen. Statistically, these can be less than 1% of the total signals a security system handles, since most of the rest are either noise or duplicates. The tool creates a ticket only after additional checks confirm that the detected situation is genuinely dangerous. The most important aspect Siscale brings to this equation is that the deep learning model learns not only from the data it analyzes but also from the decisions made by the human experts, constantly adapting itself to the “ecosystem”.
This is a very different approach from the SOC team’s traditional reactive posture, where work starts only once a high-risk alert has been detected. By switching to a proactive, surveillance mode instead of firefighting alarms, the organization stays ahead of threats and has enough time to respond when something critical happens, because the engineers can focus their full attention on the most delicate issues.
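As an added illustration, not Siscale’s code or the Arcanna.ai algorithm, the following Python sketch implements the mechanics described in the triage and root cause paragraphs above: duplicate suppression, correlation of alerts on the same host into a chain whose earliest member is treated as the upstream cause, threshold-based severity scoring weighted by asset criticality, and a feedback loop in which analyst verdicts raise or lower the weight of each rule. The alert records, asset weights, time windows and escalation threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample alerts (not real telemetry). "ts" is seconds since an
# arbitrary epoch so the example is self-contained.
SAMPLE_ALERTS = [
    {"id": 1, "ts": 100, "rule": "ssh_bruteforce", "host": "web-01", "user": "svc-deploy", "severity": 2},
    {"id": 2, "ts": 160, "rule": "ssh_bruteforce", "host": "web-01", "user": "svc-deploy", "severity": 2},  # duplicate
    {"id": 3, "ts": 400, "rule": "new_admin_user", "host": "web-01", "user": "svc-deploy", "severity": 3},
    {"id": 4, "ts": 700, "rule": "outbound_to_rare_ip", "host": "web-01", "user": "svc-deploy", "severity": 3},
    {"id": 5, "ts": 120, "rule": "cert_expiring", "host": "lb-02", "user": None, "severity": 1},
    {"id": 6, "ts": 500, "rule": "cert_expiring", "host": "lb-02", "user": None, "severity": 1},  # duplicate
]

ASSET_WEIGHT = {"web-01": 2.0, "lb-02": 1.0}  # hypothetical asset criticality table
DEDUP_WINDOW = 600         # same fingerprint again within this many seconds is noise
CORRELATION_WINDOW = 900   # alerts on one host this close together belong to one chain
ESCALATE_THRESHOLD = 6.0   # chain score at or above this creates a ticket


class Triage:
    def __init__(self):
        # rule -> list of analyst verdicts (True = the escalation was genuine)
        self.verdicts = defaultdict(list)

    @staticmethod
    def fingerprint(alert):
        return (alert["rule"], alert["host"], alert["user"])

    def dedup(self, alerts):
        """Keep the first alert per fingerprint inside each DEDUP_WINDOW."""
        last_seen, kept = {}, []
        for a in sorted(alerts, key=lambda x: x["ts"]):
            fp = self.fingerprint(a)
            if fp in last_seen and a["ts"] - last_seen[fp] < DEDUP_WINDOW:
                continue
            last_seen[fp] = a["ts"]
            kept.append(a)
        return kept

    def correlate(self, alerts):
        """Group alerts per host into chains separated by gaps > CORRELATION_WINDOW."""
        by_host, chains = defaultdict(list), []
        for a in sorted(alerts, key=lambda x: x["ts"]):
            by_host[a["host"]].append(a)
        for items in by_host.values():
            chain = [items[0]]
            for a in items[1:]:
                if a["ts"] - chain[-1]["ts"] <= CORRELATION_WINDOW:
                    chain.append(a)
                else:
                    chains.append(chain)
                    chain = [a]
            chains.append(chain)
        return chains

    def prior(self, rule):
        """Share of past verdicts confirming this rule; unseen rules get a neutral 0.5."""
        v = self.verdicts.get(rule)
        return sum(v) / len(v) if v else 0.5

    def score(self, chain):
        base = sum(a["severity"] * self.prior(a["rule"]) for a in chain)
        # Several distinct rules firing in one chain suggest an unfolding attack,
        # not one symptom repeating, so the score is boosted per extra rule.
        distinct = len({a["rule"] for a in chain})
        return base * ASSET_WEIGHT.get(chain[0]["host"], 1.0) * (1 + 0.5 * (distinct - 1))

    def run(self, alerts):
        decisions = []
        for chain in self.correlate(self.dedup(alerts)):
            s = self.score(chain)
            decisions.append({
                "host": chain[0]["host"],
                "root_cause": chain[0]["rule"],   # earliest alert in the chain
                "alert_ids": [a["id"] for a in chain],
                "score": round(s, 2),
                "escalate": s >= ESCALATE_THRESHOLD,
            })
        return decisions

    def record_verdict(self, rule, genuine):
        """Analyst feedback: future alerts from this rule are weighted accordingly."""
        self.verdicts[rule].append(genuine)


if __name__ == "__main__":
    t = Triage()
    for d in t.run(SAMPLE_ALERTS):
        print(d)
    t.record_verdict("cert_expiring", False)   # analyst closes it as noise
    t.record_verdict("ssh_bruteforce", True)   # analyst confirms the chain
    for d in t.run(SAMPLE_ALERTS):
        print(d)
```

On the sample data, the six alerts collapse to four after deduplication; the three web-01 alerts form one chain rooted at the brute-force attempt and escalate, while the certificate warning on lb-02 stays below threshold. After the analyst marks the certificate rule as noise, its score drops to zero on the next run, which is the feedback behaviour the paragraph describes.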
Effective security alert triage systems and platforms
A good alert triage platform suppresses false alarms, dismisses unimportant notifications, and integrates with the other tools you already run, such as ERP, SIEM, and more.
When choosing an AI-based solution, ask about its capacity to ingest data from various sources, regardless of the format in which you store it. You need an algorithm that can process both historical logs and near-real-time alerts.
The goal is to examine all possible connections and reconstruct how the attack unfolded, presenting the analyst with an overview that offers drill-down possibilities.
An effective triage system can reduce alert noise by 90% or more by evaluating millions of potential connections and running a wide range of automated forensic checks every second to determine the attacker’s intent, pathways, and capability.
A machine-learning-powered alert triage system is therefore essential. Instead of the team running a full incident response process for every alert, the algorithm first determines whether one is necessary at all.
High-performance security tools can give accurate responses to several questions, including:
- Was sensitive data leaked outside the organization?
- Were credentials compromised, possibly giving admin privileges to unauthorized users?
- Is there a risk that a backdoor has been installed?
- Are there any trojans or malware present in the system?
- Is there any attempt to communicate with external servers?
All these and more are critical questions for a system’s safety and integrity. In the case of an actual attack, speed and accuracy can translate into savings of millions and protect the organization’s reputation.
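To make the questions above concrete, here is an added Python example (not code from the page or from any vendor) that runs simple detection checks over a handful of constructed host events and reports, for each question, which events support a “yes”. The internal address ranges, admin group names, leak threshold, blocklisted hash and bind-shell pattern are all assumptions chosen for the example; 203.0.113.0/24 (TEST-NET-3) stands in for an attacker-controlled host.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed internal ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_GROUPS = {"sudo", "wheel", "root", "Administrators"}
LEAK_BYTES = 10 * 1024 * 1024            # cumulative bytes to one external host that count as a leak
KNOWN_BAD_HASHES = {"7f3c0d7e"}          # hypothetical blocklist; real lists hold full SHA-256 digests
LISTEN_FLAG = re.compile(r"(^|\s)(-l|--listen)\b")          # listener flag (nc/ncat style)
EXEC_FLAG = re.compile(r"(^|\s)(-e|--exec|-c)\s+\S*sh\b")   # shell handed to the connection

# Constructed events for one host, in time order.
SAMPLE_EVENTS = [
    {"ts": 10, "type": "auth", "host": "web-01", "user": "svc-deploy", "action": "group_add", "group": "sudo"},
    {"ts": 20, "type": "net", "host": "web-01", "proc": "python3", "dst": "203.0.113.7", "dport": 4444, "bytes_out": 1200},
    {"ts": 30, "type": "net", "host": "web-01", "proc": "curl", "dst": "203.0.113.7", "dport": 443, "bytes_out": 52_000_000},
    {"ts": 40, "type": "net", "host": "web-01", "proc": "nginx", "dst": "10.0.0.5", "dport": 5432, "bytes_out": 800},
    {"ts": 50, "type": "proc", "host": "web-01", "proc": "nc", "args": "-l -p 31337 -e /bin/sh"},
    {"ts": 60, "type": "file", "host": "web-01", "path": "/tmp/x.bin", "sha256": "7f3c0d7e"},
]


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def answer_questions(events):
    """Map each question to the timestamps of the events that support a 'yes'."""
    findings = {
        "credentials_compromised": [],   # user added to an admin group
        "external_communication": [],    # any connection to a non-internal address
        "data_leaked": [],               # outbound volume to one external host over LEAK_BYTES
        "backdoor": [],                  # bind-shell style listener
        "malware": [],                   # file hash on the blocklist
    }
    outbound = {}  # (host, dst) -> cumulative bytes sent to that external address
    for e in events:
        t = e["type"]
        if t == "auth" and e["action"] == "group_add" and e["group"] in ADMIN_GROUPS:
            findings["credentials_compromised"].append(e["ts"])
        elif t == "net" and is_external(e["dst"]):
            findings["external_communication"].append(e["ts"])
            key = (e["host"], e["dst"])
            outbound[key] = outbound.get(key, 0) + e["bytes_out"]
            if outbound[key] >= LEAK_BYTES:
                findings["data_leaked"].append(e["ts"])
        elif t == "proc" and e["proc"] in {"nc", "ncat", "socat"} \
                and LISTEN_FLAG.search(e["args"]) and EXEC_FLAG.search(e["args"]):
            findings["backdoor"].append(e["ts"])
        elif t == "file" and e["sha256"] in KNOWN_BAD_HASHES:
            findings["malware"].append(e["ts"])
    return findings


def verdicts(findings):
    """Reduce the evidence lists to the yes/no answers an analyst wants first."""
    return {question: bool(evidence) for question, evidence in findings.items()}


if __name__ == "__main__":
    f = answer_questions(SAMPLE_EVENTS)
    for q, yes in verdicts(f).items():
        print(f"{q:25s} {'YES' if yes else 'no'}  evidence ts={f[q]}")
```

Each check is deliberately narrow so that a positive answer carries its evidence with it: the leak check only fires once the cumulative volume to one external destination crosses the threshold, so the small beacon at ts=20 is reported as external communication but not as a leak, while the 52 MB transfer at ts=30 is reported as both.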
Final thoughts about alert triage
To summarize, an organization’s cybersecurity setup is not complete without intelligent tools that automate the alert triage process. Relying on manual inspection of each alert is not feasible given the volume and velocity of incoming data. A ticket-based security model is only realistic after the noise has been carefully filtered out and only the alerts that represent real threats remain. Otherwise, the likely outcome is an overwhelmed and disengaged security team.