Recipe for an Actionable Alert
By Dan Ramaswami
As soon as football season rolls around and I start to see pumpkins on doorsteps, I start to think about holiday dinners. What’s the menu, and are there any new recipes, say for turkey? Is there some new cooking method we should try – fried, or maybe smoked? After searching for a while, I realized that the basics are pretty much the same from one cooking method to another. As long as you don’t turn it into sawdust, everyone is generally pretty happy to eat turkey! But the real difference comes down to the mix of spices and how it appeals to the family and friends we plan to share it with.
It got me thinking that finding the right spice recipe for just the right roasted turkey is similar to how we work with our clients to create actionable alerts within Netography Fusion®. Granted, the ingredients we need to create an actionable alert focus on the right data and organizational context – not salt, pepper, thyme, lemon, butter, etc. Instead, our recipe includes things like host, user, application, and governance and compliance information. But you see where I’m going with this, right?
To take this analogy a little further, there are many questions surrounding the event itself that I need to ask before I can RSVP. Are we available on the date and time? What’s the dress code? What will be served, and what else can or should we bring? Think of these questions as the location- or organization-specific information you also need in order to determine what actions to take.
All of this data comes together (like the recipe below) and results in our action to attend, or not to attend. Similarly, the right combination of context and data points is what makes alerts actionable.
So, here’s my recipe for how to create an actionable alert.
Preheat SOC to 325 degrees.
Take 1 whole detection.
- 2 cups host-based information (1 part sender/ 1 part receiver, divided equally) – may contain host operating system and configuration information
- 3 Tbsp of application/service information (can substitute port information to identify application or service)
- 2 tsp user information
- 1 tsp location information
- 2 pinches of governance and compliance awareness
Apply liberally to the detection.
Bake in the SOC until the desired doneness is reached, basting frequently.
Remove from the SOC and serve immediately to the incident response team.
Note: While you should rest a turkey to allow it to set up, we all know if we let an incident rest the attackers will definitely get set up, so do not rest!
This meal should be consumed quickly, frequently, and adjusted for your tastes as needed.
Netography makes it easy to source all the ingredients you need. There’s no need to wait until you get an alert and then look for and apply context from different tools and signaling technologies, or wait until the data gets into the SIEM so you can send a query that might take hours to process. Instead, we enrich cloud and on-prem network flows and metadata with context at the time of ingestion.
- We apply host-based information about the sender from sources including your threat intel feeds and our own intel and enrichment sources, while receiver information comes from your configuration management database (CMDB) and endpoint detection and response (EDR) systems.
- Application information is available from numerous tools that collect data on what is running on the local hosts.
- User information is readily available in places like Active Directory, identity and access management systems (IAM), and even on local hosts.
- Governance and compliance context comes from the policies your organization sets and can be incorporated into dashboards, widget views, and even detection models for alerting.
- Location information, which can include a physical address, a department or room within a specific campus, and the security controls in place, is available in a CMDB or perhaps a Confluence or Google Doc page.
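To make the recipe concrete, here is an added example in Python. It is not Netography Fusion code and not the author's; it is a toy enrichment step written for this post that takes a raw flow-based detection, joins it at ingestion time to constructed stand-ins for the CMDB, IAM/AD last-logon data, a threat intel feed, a port-to-service map and a governance policy table, and then triages the enriched result into a priority with the reasons attached. Every hostname, address (RFC 1918 private space and the 203.0.113.0/24 TEST-NET-3 range), user name, detection name and policy rule is constructed for illustration.

```python
"""Toy alert-enrichment pipeline: join a raw detection to host, application,
user, location and governance context, then triage it. All context tables
and sample detections below are constructed, not real data."""
from dataclasses import dataclass, field

# Constructed stand-ins for the sources named in the post.
CMDB = {  # host-based info: OS, owning department, physical location, compliance scope
    "10.1.20.15": {"hostname": "pos-term-07", "os": "Windows 10", "dept": "Retail",
                   "location": "Store 12 / sales floor", "scope": ["PCI"]},
    "10.1.30.8": {"hostname": "vuln-scan-01", "os": "Ubuntu 22.04", "dept": "IT Security",
                  "location": "HQ / DC rack B4", "scope": []},
    "10.1.40.22": {"hostname": "hr-laptop-19", "os": "macOS 14", "dept": "HR",
                   "location": "HQ / floor 3", "scope": ["HIPAA"]},
}
IAM_LAST_LOGON = {"10.1.20.15": "svc_pos", "10.1.30.8": "secops-scanner", "10.1.40.22": "jdoe"}
THREAT_INTEL = {"203.0.113.45": "known C2 infrastructure"}  # constructed intel hit
SERVICE_BY_PORT = {22: "ssh", 53: "dns", 443: "https", 3389: "rdp"}
# Governance: services each compliance scope permits for egress to non-inventoried hosts.
EGRESS_POLICY = {"PCI": {"https", "dns"}, "HIPAA": {"https", "dns", "ssh"}}
AUTHORIZED_SCANNERS = {("10.1.30.8", "secops-scanner")}  # (host, account) allowed to scan
RANK = {"suppressed": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class EnrichedAlert:
    detection: str
    sender: dict
    receiver: dict
    service: str
    user: str
    priority: str = "low"
    reasons: list = field(default_factory=list)

    def raise_to(self, level, reason):
        """Priority only ever goes up; every bump records why."""
        if RANK[level] > RANK[self.priority]:
            self.priority = level
        self.reasons.append(reason)


def describe_host(ip):
    """Host, location and governance context; unknown assets are flagged, not guessed."""
    rec = CMDB.get(ip)
    if rec is None:
        return {"ip": ip, "known": False, "intel": THREAT_INTEL.get(ip), "scope": []}
    return {"ip": ip, "known": True, "intel": None, **rec}


def enrich(det):
    """Apply all ingredients to the detection at ingestion time."""
    port = det["dst_port"]
    return EnrichedAlert(
        detection=det["detection"],
        sender=describe_host(det["src_ip"]),
        receiver=describe_host(det["dst_ip"]),
        service=SERVICE_BY_PORT.get(port, f"tcp/{port}"),  # port substitutes for app info
        user=IAM_LAST_LOGON.get(det["src_ip"], "unknown"),
    )


def triage(alert):
    """Organisation-specific rules that turn context into a decision."""
    s, r = alert.sender, alert.receiver
    # Authorised scanner, run by the scanner account, scanning: known-good, suppress.
    if alert.detection == "internal_port_scan" and (s["ip"], alert.user) in AUTHORIZED_SCANNERS:
        alert.priority = "suppressed"
        alert.reasons.append(f"{s['hostname']} is an authorised scanner run by {alert.user}")
        return alert
    # Governance: an in-scope asset reaching a non-inventoried host over a forbidden service.
    for scope in s["scope"]:
        if not r["known"] and alert.service not in EGRESS_POLICY.get(scope, set()):
            alert.raise_to("high", f"{scope} policy forbids egress over {alert.service}")
    # Threat intel on the destination escalates further.
    if r["intel"]:
        alert.raise_to("critical", f"destination {r['ip']} flagged: {r['intel']}")
    # An unknown sender cannot be acted on until the asset is located.
    if not s["known"]:
        alert.raise_to("medium", f"sender {s['ip']} is not in the CMDB; locate the asset first")
    if not alert.reasons:
        alert.reasons.append("no enrichment raised the priority")
    return alert


SAMPLE_DETECTIONS = [  # constructed flow-based detections
    {"detection": "outbound_to_rare_port", "src_ip": "10.1.20.15", "dst_ip": "203.0.113.45", "dst_port": 4444},
    {"detection": "internal_port_scan", "src_ip": "10.1.30.8", "dst_ip": "10.1.20.15", "dst_port": 3389},
    {"detection": "new_ssh_session", "src_ip": "10.1.99.200", "dst_ip": "10.1.40.22", "dst_port": 22},
]


def run(detections=SAMPLE_DETECTIONS):
    return [triage(enrich(d)) for d in detections]


if __name__ == "__main__":
    for a in run():
        print(f"{a.priority:10s} {a.detection:22s} {a.sender['ip']} -> {a.receiver['ip']} "
              f"({a.service}, user={a.user}) :: {'; '.join(a.reasons)}")
```

The point of the ordering in `triage` is that the context decides the outcome, not the detection name: the same port-scan signature is noise from the authorised scanner and an incident from anything else, and an egress flow from a PCI-scoped terminal to an intel-flagged address is critical before anyone has to open a SIEM query. The CMDB miss is deliberately a medium-priority "go find this asset" rather than a dismissal, since an uninventoried host is itself a finding.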
Obviously, this recipe is tongue-in-cheek. But the work we do with customers is no joke. Leveraging our Netography Fusion platform, we make it easy to bring in organizational-specific context and data to create high-fidelity, actionable alerts. Instead of “sifting” (pun intended) through logs, tables, and spreadsheets manually searching for data to determine if an alert is important or, worse, becoming desensitized to alerts due to overload, our simple recipe ensures teams focus on alerts that matter.