Chapter 5: Qualifying Security Intelligence

This chapter underscores the importance of assessing security intelligence
to validate an incident and prioritize the organization’s initial
response to it.

1. Understand the importance of alert analysis
2. Learn the key facets of doing a risk level assessment
3. Review criteria for incident declaration and prioritization

Alert Analysis

Qualification begins with a security administrator’s review and
analysis of the alerts produced by the SIEM. Let’s look at the
major elements of alert analysis: evaluating the validity of each
alert and improving detection capabilities.

Evaluate each alert’s validity

A security administrator should take reasonable measures
to determine if an alert is valid. Sometimes this is fast, such
as immediately seeing clear evidence of a major attack succeeding. In other cases, alert analysis is considerably more involved. A security administrator may need to review supporting data held by the SIEM, and even reach back to the original sources of that data for additional information.

No one is to blame:

In conjunction with determining if an alert is valid, a security
administrator may need to find out whether it’s being triggered by
an actual security incident or an operational problem. For example,
suppose that a server is suffering from a denial of service. This could
be caused by an attack, but it could also be the result of sudden
interest in a particular product generated by a video that has
“gone viral.”

Improve detection capabilities:

1. Tune logging sources, especially enterprise
security controls

Examples are reconfiguring an intrusion prevention system (IPS) to stop
reporting certain events as attacks or to use a
different threshold for declaring activity to be

2. Supplement existing logging sources.

If logging capabilities aren’t robust enough, they may
need to be enhanced. For example, some SIEM
solutions offer software that can be installed and
configured on endpoints to collect data on a wider
range of events and to collect more detailed information on each event.

3. Tune the SIEM:

The SIEM itself may need an
adjustment to take into account the unique characteristics of the environment or to compensate for
quirks in logging sources that can’t otherwise be
addressed. For example, the SIEM could be reconfigured to ignore certain events or assign them a
lower priority.

Risk Level Assessment:

A security administrator may need to adjust the
SIEM’s assessment and prioritization based on factors not
necessarily available to the SIEM. Possible additional factors for human consideration include the importance of the target
and the current attack lifecycle phase.

Importance of the target:


Current attack lifecycle phase

If feasible, the security analyst should determine the threat’s
position in the attack lifecycle. As previously discussed,
threats should be stopped as early in the attack lifecycle as
possible to minimize damage.

Incident Declaration and Prioritization

The last step in qualification is incident declaration and
prioritization. At this point, the security analyst has validated
the SIEM alert and assessed the risk posed by the associated
threat. It’s now time to determine if an incident should be
declared and what priority it should be assigned.
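As an added worked illustration of the qualification flow described above (not code from the guide or from this post), the routine below layers the human risk-level assessment, target importance and attack lifecycle phase, on top of the SIEM's own priority, screens out invalid alerts and operational problems, and decides whether an incident is declared. The phase labels, weights and declaration threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed ordering of attack lifecycle phases (earliest first).
LIFECYCLE = ["reconnaissance", "delivery", "exploitation", "installation",
             "command_and_control", "actions_on_objectives"]

# Assumed weights: how much the target's importance raises the priority.
TARGET_WEIGHT = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    name: str
    siem_priority: int        # 1 (low) .. 5 (high), as assigned by the SIEM
    valid: bool               # analyst confirmed it is not a false positive
    operational_cause: bool   # e.g. traffic spike from a viral video, not an attack
    target_importance: str    # key into TARGET_WEIGHT
    lifecycle_phase: str      # one of LIFECYCLE


def adjusted_priority(alert):
    """Human risk-level assessment layered on the SIEM's own priority."""
    score = alert.siem_priority + TARGET_WEIGHT[alert.target_importance]
    phase_idx = LIFECYCLE.index(alert.lifecycle_phase)
    # A threat already deep in the lifecycle leaves less time to contain it,
    # so later phases add urgency (assumed scheme: +1 per two phases).
    score += phase_idx // 2
    return min(score, 10)


def qualify(alert, declare_at=5):
    """Return (declare_incident, priority, reason) for one validated alert."""
    if not alert.valid:
        return False, 0, "alert invalid (false positive); candidate for tuning"
    if alert.operational_cause:
        return False, 0, "operational problem; route to operations, not IR"
    prio = adjusted_priority(alert)
    return prio >= declare_at, prio, f"phase={alert.lifecycle_phase}"


if __name__ == "__main__":
    # Constructed sample alerts, not real SIEM output.
    samples = [
        Alert("beacon-to-known-c2", 2, True, False, "critical", "command_and_control"),
        Alert("web-dos-volume", 4, True, True, "high", "actions_on_objectives"),
        Alert("port-scan-from-guest-wifi", 2, True, False, "low", "reconnaissance"),
    ]
    for a in samples:
        print(a.name, qualify(a))
```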

Collected from Definitive Guide™ to Security Intelligence and Analytics

Shajib Mahmud
