- Detect – oftentimes the information found in an incident or an alert from your SIEM vendor is enough to warrant further investigation. Without this step, we’re back in the Stone Age.
- Validate – This is where we get stuck. While the alarm, alert, incident or event (depending on your nomenclature) may carry potential indicators of compromise, it often warrants additional investigation into the context of that data. Which application executed this? What are the user’s permissions? Is this device joined to the domain? Which organization is it related to? Who is its asset owner? When was the last time this account was used? Have I seen this before?
- Prioritize – While most of us get stuck on “validate”, prioritization can also be difficult when a large number of alerts arrive in a short period of time. Where should we start? Patient Zero? Our Business Process Services?
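As an added example (not code from the original post), here is a small Python routine that answers the “validate” questions above from inventory, directory and alert-history lookups and then orders the queue by a simple risk score; the lookup tables, sample alerts and weights are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
# Constructed stand-ins for the asset inventory, directory and alert history
# an analyst would query while validating an alert (not real data).
ASSETS = {
    "ws-0142": {"domain_joined": True, "org": "finance", "owner": "j.doe", "business_process": True},
    "lab-07": {"domain_joined": False, "org": "research", "owner": "unknown", "business_process": False},
}
ACCOUNTS = {
    "svc-backup": {"privileged": True, "last_used": datetime(2024, 1, 5)},
    "a.smith": {"privileged": False, "last_used": datetime(2024, 3, 10)},
}
SEEN_BEFORE = {("ws-0142", "powershell.exe")}  # pairs previously triaged as expected
DORMANT_AFTER = timedelta(days=30)

def enrich(alert, now):
    """Answer the 'validate' questions for one alert from the lookup tables."""
    asset = ASSETS.get(alert["host"], {})
    account = ACCOUNTS.get(alert["user"], {})
    last_used = account.get("last_used")
    return {
        **alert,
        "domain_joined": asset.get("domain_joined", False),  # unknown host -> unmanaged
        "org": asset.get("org", "unknown"),
        "owner": asset.get("owner", "unknown"),
        "business_process": asset.get("business_process", False),
        "privileged": account.get("privileged", False),
        "dormant_account": last_used is None or now - last_used > DORMANT_AFTER,
        "seen_before": (alert["host"], alert["process"]) in SEEN_BEFORE,
    }

def score(e):
    """Illustrative weights; a real SOC would tune these to its own risk model."""
    s = 3 * e["privileged"] + 2 * e["dormant_account"] + 2 * e["business_process"]
    s += (not e["domain_joined"]) + (e["owner"] == "unknown")  # unmanaged / orphaned
    return max(s - 2 * e["seen_before"], 0)  # known recurrence lowers urgency

def prioritize(alerts, now):
    """Enrich every alert, score it, and return the queue highest-risk first."""
    enriched = [enrich(a, now) for a in alerts]
    for e in enriched:
        e["score"] = score(e)
    return sorted(enriched, key=lambda e: e["score"], reverse=True)

ALERTS = [  # constructed sample alerts
    {"id": "A", "host": "ws-0142", "user": "a.smith", "process": "powershell.exe"},
    {"id": "B", "host": "lab-07", "user": "svc-backup", "process": "certutil.exe"},
    {"id": "C", "host": "ws-0142", "user": "a.smith", "process": "certutil.exe"},
]
NOW = datetime(2024, 3, 15)
QUEUE = prioritize(ALERTS, NOW)  # B (dormant privileged account, orphaned host) comes first
```

Alert A scores zero because its host/process pair was validated before, while alert B rises to the top on a dormant privileged account on an unmanaged device with no owner to ask.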
For product and security analytics developers and service providers, accuracy requires innovation in data enrichment to capture the true context of the events that make up security incidents. Precise analytics are driven by well-enriched telemetry data that takes the environment’s risk factors into account, and that precision is what drives reliable incident response.
Next up in the “Trusting Analytics Enough to SOAR” blog mini-series is a deeper dive into the requirements for meaningful data enrichment of security telemetry. Check it out!