Improving Investigation with Context-Based Dynamic Enrichment

September 17, 2024
By: Contributing Writer
Alert fatigue is a massive problem for Security Operations Center (SOC) analysts. An IBM study from 2023 revealed that SOC team members spend one-third of their time investigating and validating incidents that aren’t a real threat, only get to half of the alerts they’re supposed to review every day, and spend most of their time reviewing low-priority or false positive alerts. Any process to streamline the investigation process would be, to put it lightly, welcome.

One way to achieve this goal is to enrich security alerts with contextual data. By embedding alerts with relevant details, security teams can make quicker, better-informed decisions about incident response, prioritize alerts, and ultimately protect their organizations more effectively. Here are some tips on how to do it.

Asset Contextualization

Contextualizing your assets will help you identify which are the most important so you can prioritize alerts accordingly. The best way to contextualize assets is to integrate your security information and event management (SIEM) solution with an asset management database or Configuration Management Database (CMDB). This integration will ensure the SIEM can access details like asset type, ownership, location, operating system, and, ultimately, criticality to help security teams effectively prioritize alerts.

IAM Systems

Integrating identity and access management (IAM) solutions into your SIEM will enrich alert data with user roles, access levels, authentication histories, authentication attempts, multi-factor authentication (MFA) usage, and any anomalous behaviors.

User Behavior Analytics (UBA) Solutions

Similarly, user behavior analytics (UBA) solutions monitor and analyze user activities for anomalous behaviors that could signal a compromised account or insider threat. Integrating a UBA solution into your SOC enriches alerts with context about the user’s role, historical access patterns, and recent login activities. This information will, in turn, help security teams differentiate between false and genuine alerts.

Access Privileges

Access privileges can also add much-needed context to SOC alerts. Contextualizing access privileges requires integrating Active Directory (AD) with your SIEM platform. This will provide your SIEM with details of users’ group memberships, roles, and access privileges, allowing SOC analysts to assess the risk associated with alerts based on the level of access involved.

Security teams should prioritize alerts involving high-privilege accounts – such as domain admins – because they present a higher risk if compromised. They should also prioritize alerts that include recent changes to group memberships – such as unexpected additions to privileged groups – as these could indicate a threat.

Vulnerability Contextualization

Enriching SOC alerts with vulnerability context, such as data from vulnerability scan reports, is an effective way to enhance the accuracy and prioritization of security incidents. Vulnerability context provides critical information about known system weaknesses, allowing SOC analysts to make more informed decisions when responding to alerts.

To enrich your alerts with vulnerability context, you must integrate vulnerability management tools into your SIEM. Doing so adds critical details like CVSS scores, exploit availability, and patch status to alerts, helping security teams prioritize incidents based on severity and exposure level.

Network Maps and Internal Network Classification

Integrating network maps into your SIEM system will help the solution visualize network segments, zones, and asset locations. This enriches alerts to help security teams identify affected areas. To best protect their organization, security teams should prioritize alerts coming from high-risk areas—such as critical infrastructure or databases containing financial information. Enriching alerts with internal network classification data will further aid this process.

Geolocation Data

Geolocation data based on IP addresses can help security teams determine if access or activities originate from expected or unusual locations. A WHOIS lookup (for example, via who.is) can provide this information. For cross-border analytics, monitor access from regions outside regular operational areas to detect potential data exfiltration or unauthorized access. Alerts with discrepancies in geographic location should be flagged for further investigation.

Non-Technical Feeds

Security teams can also use non-technical feeds, such as background checks and badge data, to enrich alert data. Background checks include the risk profiles of relevant users: if an alert involves a user with a history of financial issues or criminal behavior, this may suggest a higher risk of insider threats or malicious intent. Similarly, badge access data provides context on physical access to facilities. If a user’s badge data shows they were not in the building during a suspicious login attempt, it could indicate a compromised account or unauthorized access. Conversely, if badge access aligns with digital activities, it supports the validity of the alert.
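To show how the enrichment sources above combine into a single prioritized alert, here is an added Python example that is not part of the original article or any vendor product. The CMDB, AD group, vulnerability scan, geolocation and badge data are constructed stand-ins, the hostnames and user names are made up, the CVE identifier is a placeholder, and the scoring weights are assumptions to be tuned per organization.

```python
# Added example (not from the article): enrich one constructed SOC alert with
# context from constructed CMDB, AD, vulnerability, geolocation and badge data,
# then derive a priority score the way the article's tips describe.

# Constructed stand-ins for the CMDB, AD, scanner, geo-IP and badge feeds.
CMDB = {"fin-db-01": {"criticality": "high", "zone": "finance", "owner": "dba-team"}}
AD_GROUPS = {"jdoe": {"Domain Users", "Domain Admins"}}
RECENT_GROUP_ADDS = {"jdoe": {"Domain Admins"}}            # added within the last day
VULNS = {"fin-db-01": [{"cve": "CVE-XXXX-XXXX",            # placeholder identifier
                        "cvss": 9.8, "exploit": True, "patched": False}]}
GEO = {"203.0.113.7": "RU"}                                # TEST-NET address, made-up country
BADGE = {"jdoe": {"in_building": False}}                   # badge state at alert time
EXPECTED_COUNTRIES = {"US"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
HIGH_RISK_ZONES = {"finance", "critical-infra"}

def enrich_alert(alert):
    """Return a copy of the alert with a `context` dict and a `priority` (0-100)."""
    user, host, src = alert["user"], alert["host"], alert["src_ip"]
    asset = CMDB.get(host, {})
    groups = AD_GROUPS.get(user, set())
    country = GEO.get(src, "unknown")
    ctx = {
        "asset": asset,
        "privileged": bool(groups & PRIVILEGED_GROUPS),
        "recent_priv_add": bool(RECENT_GROUP_ADDS.get(user, set()) & PRIVILEGED_GROUPS),
        "exploitable_unpatched": [v["cve"] for v in VULNS.get(host, [])
                                  if v["exploit"] and not v["patched"]],
        "src_country": country,
        # Unknown geolocation is left unflagged so missing data does not create noise.
        "geo_anomaly": country != "unknown" and country not in EXPECTED_COUNTRIES,
        "badge_mismatch": False,
    }
    # A login attributed to a user whose badge shows them off-site is suspicious.
    if alert.get("type") == "login" and user in BADGE:
        ctx["badge_mismatch"] = not BADGE[user]["in_building"]
    # Weights are illustrative assumptions; tune them to the organisation's risk model.
    score = 0
    score += 25 if asset.get("criticality") == "high" else 0
    score += 10 if asset.get("zone") in HIGH_RISK_ZONES else 0
    score += 20 if ctx["privileged"] else 0
    score += 15 if ctx["recent_priv_add"] else 0
    score += 15 if ctx["exploitable_unpatched"] else 0
    score += 10 if ctx["geo_anomaly"] else 0
    score += 5 if ctx["badge_mismatch"] else 0
    return {**alert, "context": ctx, "priority": min(score, 100)}

# Constructed sample alert: a login on the finance database from an unexpected country.
SAMPLE_ALERT = {"type": "login", "user": "jdoe", "host": "fin-db-01", "src_ip": "203.0.113.7"}
```

The same alert stripped of its context would carry no more weight than any other login event; with the enrichment it lands at the top of the queue, which is the triage effect the sections above describe.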

Conclusion

The dynamic enrichment of security alerts is a crucial technique for streamlining alert investigations, reducing alert fatigue, and ultimately improving an organization’s security posture. If your SOC is struggling with false positives, an abundance of alerts, or even just wants to improve its efficiency, consider the alert enrichment techniques above.

About the Author
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.