We really enjoyed this post from Anton Chuvakin discussing the need for local context in security detections.
https://medium.com/anton-on-security/role-of-context-in-threat-detection-f7076e71f206
Incorporating local context into your alerting methodologies is a challenge for numerous companies, and we have seen the struggle firsthand. However, when you do get it right, blending local/cultural context with detections unlocks huge potential within SOCs. And when you apply that context systematically at scale, we see companies enjoy:
Full use of all their security tools and security data (or at least clear progress toward it)
Incredibly high fidelity in their alerts (50-60% true positives as opposed to 10-12%)
Very few duplicate alerts
Rapid, repeatable, and thorough alert handling / incident response
How could you see local context help your detections? What business processes would you like to make your detections aware of? How could network segments or a user's business unit help change the alert priority? How would the “known good” functions of a server change the sensitivity of an alert threshold?
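One way to make the questions above concrete is a small context-aware triage step that runs over alerts before they reach an analyst. The example below is added here and is not code from the original post or from Anton's article; the network segments, asset roles, "known good" functions, business units and sample alerts are all constructed, hypothetical data. It shows how segment, business unit and expected server behaviour shift a rule's base severity up or down, how a scheduled maintenance window suppresses an expected alert, and how repeats of the same rule/source/user are collapsed to cut duplicates.

```python
"""Context-aware alert triage (added example; all context data is constructed)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed local context. None of these values describe a real environment.
SEGMENTS = {
    "dmz": ip_network("10.10.0.0/16"),
    "corp_workstations": ip_network("10.20.0.0/16"),
    "pci_cardholder": ip_network("10.30.0.0/16"),
}
SEGMENT_WEIGHT = {"dmz": 1, "corp_workstations": 0, "pci_cardholder": 3}

# "Known good" functions per server: the behaviours that server is expected to show.
ASSETS: Dict[str, dict] = {
    "10.10.5.7": {"role": "web_frontend", "known_good": {"outbound_https", "dns"}},
    "10.30.2.4": {"role": "payment_db", "known_good": {"db_listener"}},
}

# Identity context: business unit and, for service accounts, a scheduled window (hours UTC).
USERS: Dict[str, dict] = {
    "alice": {"business_unit": "finance"},
    "bob": {"business_unit": "engineering"},
    "svc_backup": {"business_unit": "it_ops", "scheduled_window": (1, 4)},
}
BU_WEIGHT = {"finance": 2, "executive": 3, "engineering": 1, "it_ops": 1}


@dataclass
class Alert:
    rule: str
    src_ip: str
    user: Optional[str]
    behavior: str        # behaviour category the rule observed, e.g. "outbound_https"
    minute_of_day: int   # when it fired, minutes since 00:00 UTC
    base_severity: int   # 1..5 assigned by the detection rule itself


@dataclass
class Triage:
    priority: int
    reasons: List[str] = field(default_factory=list)
    suppressed: bool = False


def segment_of(ip: str) -> Optional[str]:
    """Map a source address to a named network segment, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def triage(alert: Alert) -> Triage:
    """Adjust the rule's base severity using segment, asset role and identity context."""
    score = alert.base_severity
    result = Triage(priority=score)

    seg = segment_of(alert.src_ip)
    if seg:
        score += SEGMENT_WEIGHT[seg]
        result.reasons.append(f"segment={seg}")

    asset = ASSETS.get(alert.src_ip)
    if asset:
        if alert.behavior in asset["known_good"]:
            score -= 2   # expected for this server's role: lower the priority
            result.reasons.append(f"behavior expected for {asset['role']}")
        else:
            score += 1   # outside the server's known-good set: raise it
            result.reasons.append(f"behavior outside known-good set for {asset['role']}")

    user = USERS.get(alert.user) if alert.user else None
    if user:
        score += BU_WEIGHT.get(user["business_unit"], 0)
        result.reasons.append(f"business_unit={user['business_unit']}")
        window = user.get("scheduled_window")
        if window and window[0] <= alert.minute_of_day // 60 < window[1]:
            result.suppressed = True   # a scheduled job firing in its own window
            result.reasons.append("inside scheduled window")

    result.priority = max(1, min(score, 10))
    return result


def dedupe(alerts: List[Alert], window_minutes: int = 30) -> List[Alert]:
    """Keep the first alert per (rule, source, user) and drop repeats inside the window."""
    last_seen: Dict[Tuple[str, str, Optional[str]], int] = {}
    kept = []
    for a in sorted(alerts, key=lambda x: x.minute_of_day):
        key = (a.rule, a.src_ip, a.user)
        prev = last_seen.get(key)
        if prev is not None and a.minute_of_day - prev < window_minutes:
            continue
        last_seen[key] = a.minute_of_day
        kept.append(a)
    return kept


# Constructed sample alerts, including one expected behaviour, one clearly out of
# role, one scheduled service-account job and a duplicate of it ten minutes later.
SAMPLE_ALERTS = [
    Alert("outbound_conn", "10.10.5.7", None, "outbound_https", 600, 3),
    Alert("outbound_conn", "10.30.2.4", None, "outbound_https", 610, 3),
    Alert("bulk_file_read", "10.20.1.9", "svc_backup", "file_read", 120, 3),
    Alert("bulk_file_read", "10.20.1.9", "svc_backup", "file_read", 130, 3),
    Alert("bulk_file_read", "10.20.3.3", "alice", "file_read", 660, 3),
]


def run_pipeline(alerts: List[Alert]) -> List[Tuple[str, str, int, bool]]:
    """Dedupe, then triage; returns (rule, src_ip, priority, suppressed) per surviving alert."""
    return [(a.rule, a.src_ip, triage(a).priority, triage(a).suppressed) for a in dedupe(alerts)]


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_ALERTS):
        print(row)
```

With the constructed data, the web front end's expected HTTPS drops to priority 2, the payment database doing the same thing in the cardholder segment rises to 7, the backup account's 02:00 read is kept for the record but flagged as suppressed, its duplicate is dropped, and the finance user's read lands at 5. The weights are deliberately simple; the point is that each adjustment is traceable to a piece of local context an analyst can see in the reasons list.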
We hope Anton's article and these questions help you to envision the ROI of infusing local context into your detections.