We never intended this path, but it is always an interesting journey when you follow your instinct and embrace your passion.
While working at a Fortune 500 company we kept running into the same problem: the more detections we wrote, the more alerts our SOC got, and the analysts were already buried.
We had already designed and implemented a self-expiring whitelist process, which helped with the alert fatigue, but that addressed a symptom rather than the root problem.
The root
When asked what the problem is, we are quick to offer up a smaller one: one we can wrap our minds around, one that might have a solution. That was our previous approach to tackling why security alerting and response did not seem to be working well.
We stepped back and tore each piece of the process apart and still could not see the root issue. Only when we stepped back further did we see that the very nature of the alert process was the root issue: a detection causes an alert. However much you tune, automate and staff, you cannot escape that fact. But what if you could? What if you could take a threat analyst's view across multiple detections and only then decide whether an alert needed to be raised?
The solution
Our vision became clear: score anomalous detections on the attributes an analyst would use, confidence, impact and context, and raise an alert from the combined picture rather than from any single detection. What we created was eventually called Risk Based Alerting (RBA) and was presented at the annual Splunk .conf conference:
Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach
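To make the scoring idea concrete, here is a small added example of the approach in Python. It is not the code from the talk or Splunk's implementation of RBA; the rule names, score ranges, context modifiers, threshold and sample detections are all hypothetical and constructed for illustration. Each detection is scored from its confidence, impact and context, the scores are accumulated per entity over a time window, and only an entity whose accumulated risk crosses a threshold from several different detections becomes an alert.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical, simplified model of Risk Based Alerting (not Splunk's code):
# every detection contributes a risk score to the entity (user or host) it
# concerns; an alert is raised only when an entity's accumulated risk over a
# window crosses a threshold built from several different detections.


@dataclass(frozen=True)
class Detection:
    ts: datetime
    entity: str       # user or host the detection is about
    rule: str         # name of the detection that fired
    confidence: int   # 0-100: how likely the detection is a true positive
    impact: int       # 0-100: how bad it is if it is true
    context: float    # modifier from asset/identity context (1.0 = neutral)


def risk_score(d: Detection) -> int:
    """Per-detection risk: confidence x impact scaled to 0-100, then adjusted by context."""
    return round(d.confidence * d.impact / 100 * d.context)


def entity_risk(detections, window=timedelta(hours=24)):
    """Peak windowed risk per entity: (total, set of distinct rules) at the
    point where the rolling sum over `window` is highest."""
    by_entity = defaultdict(list)
    for d in sorted(detections, key=lambda x: x.ts):
        by_entity[d.entity].append(d)
    peak = {}
    for entity, ds in by_entity.items():
        best_total, best_rules = 0, set()
        for i, end in enumerate(ds):
            in_window = [x for x in ds[: i + 1] if x.ts >= end.ts - window]
            total = sum(risk_score(x) for x in in_window)
            if total > best_total:
                best_total, best_rules = total, {x.rule for x in in_window}
        peak[entity] = (best_total, best_rules)
    return peak


def risk_alerts(detections, threshold=70, min_rules=2, window=timedelta(hours=24)):
    """Entities whose windowed risk reaches `threshold` across at least
    `min_rules` different detections; this is what reaches the SOC queue."""
    return {
        entity: total
        for entity, (total, rules) in entity_risk(detections, window).items()
        if total >= threshold and len(rules) >= min_rules
    }


# Constructed sample detections (hypothetical hosts, rules and scores).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    # one workstation: three medium-confidence detections within half an hour
    Detection(T0, "ws-042", "encoded_powershell", 60, 50, 1.0),                          # 30
    Detection(T0 + timedelta(minutes=10), "ws-042", "new_scheduled_task", 50, 40, 1.0),  # 20
    Detection(T0 + timedelta(minutes=25), "ws-042", "rare_outbound_domain", 40, 60, 1.0),# 24
    # the same first detection on a lab host whose context halves the score
    Detection(T0, "lab-01", "encoded_powershell", 60, 50, 0.5),                          # 15
    # a noisy rule firing five times on one host: volume without diversity
    *[Detection(T0 + timedelta(minutes=5 * i), "ws-099", "failed_logon", 20, 30, 1.0)
      for i in range(5)],                                                                 # 6 each
    # the workstation's first detection again two days later, outside the window
    Detection(T0 + timedelta(days=2), "ws-042", "encoded_powershell", 60, 50, 1.0),      # 30
]


if __name__ == "__main__":
    print("detection-per-alert queue:", len(SAMPLE), "alerts")
    print("risk-based queue:", risk_alerts(SAMPLE))
```

With these inputs a detection-per-alert pipeline would hand the SOC ten tickets; the risk-based pass hands it one, for ws-042, carrying the three detections that built its score. The lab host's identical detection never surfaces because its context modifier halves it, and the noisy logon rule on ws-099 never alerts because repeats of one rule add volume but not diversity. The threshold, window and minimum rule count are the knobs an analyst tunes instead of suppressing individual detections.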
We quickly found that this approach resonated with others, and we began discussing where it could lead: how far could you build this decision making into the alerting and the handling of security anomalies?
Now…
We have made the jump into consulting so we can help other companies take the same approaches to maturing their security programs and innovating within them. If you are interested in talking feel free to reach out to us.