What is Contextualization in SIEM?

Security event alerts serve as a key component of any enterprise’s SIEM solution; they alert (appropriately enough) your IT security team to the security events and correlations indicative of a threat on your network. When used in conjunction with log management and threat detection, security alerts significantly improve visibility into your enterprise network.

However, your SIEM’s alerting system can prove a double-edged sword. Even the most advanced next-generation SIEM solution can and does create false positives: alerts that mistake everyday activity or an innocent mistake for a potential security incident. These false positive alerts can stretch your IT security resources and talent thin. In turn, they can increase the burnout rates in often dangerously understaffed cybersecurity departments.

Compounding the dangers of false positives, legitimate security alerts often end up buried under the false positive alerts. This allows the former to dwell and thus cause additional damage as IT security teams investigate the false positives or neglect the alerts altogether due to burnout.

The solution to this problem, thankfully, lies in another SIEM key capability: contextualization.

What is Contextualization?

Contextualization, especially real-time contextualization, is a capability that takes care of some of the investigative legwork of analyzing security alerts as they are generated. It can provide IT security teams with relevant supplemental information associated with the security alerts. This can include the users involved, their enterprise departments, the location of their activity geographically and on the network, and the time of their suspicious activity.

With this information correlating the threat with real-world activity, your IT security team can understand security alerts in greater depth and thus pursue the incidents in a much more streamlined and focused fashion rather than haphazardly chasing every lead. It also allows them to detect and remediate threats faster than ever before.  
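As an added illustration (not code from the original article or from any SIEM product), the sketch below enriches two constructed alerts from the same rule with the context listed above: user, department, network and geographic location, and time. The directory, zone map, geo lookup and the reason-count priority scheme are all assumptions made for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed reference data standing in for a directory, network map and geo-IP feed.
DIRECTORY = {"jdoe": {"department": "Finance", "work_hours_utc": (8, 18)}}
ZONES = [(ip_network("10.10.0.0/16"), "corporate-lan"),
         (ip_network("10.20.5.0/24"), "finance-servers")]
GEO = {"203.0.113.7": "NL"}
EXPECTED_COUNTRY = "US"

def zone_for(ip):
    """Map an address to a named network zone, or 'external' if none matches."""
    addr = ip_address(ip)
    return next((name for net, name in ZONES if addr in net), "external")

def contextualize(alert):
    """Attach user, department, location and time context to a raw alert."""
    user = DIRECTORY.get(alert["user"])
    hour = datetime.fromisoformat(alert["timestamp"]).hour  # timestamps assumed UTC
    src_zone = zone_for(alert["src_ip"])
    country = GEO.get(alert["src_ip"]) if src_zone == "external" else None
    start, end = user["work_hours_utc"] if user else (0, 0)
    context = {
        "department": user["department"] if user else "unknown",
        "source_zone": src_zone,
        "source_country": country,
        "target_zone": zone_for(alert["dst_ip"]),
        "outside_work_hours": not (start <= hour < end),
    }
    reasons = []  # context an analyst would weigh when triaging
    if user is None:
        reasons.append("user not in directory")
    if context["outside_work_hours"]:
        reasons.append("outside the user's working hours")
    if src_zone == "external":
        reasons.append("source is outside the enterprise network")
    if country and country != EXPECTED_COUNTRY:
        reasons.append(f"unexpected source country {country}")
    priority = ("low", "medium", "high")[min(len(reasons), 2)]  # illustrative scheme
    return {**alert, "context": context, "reasons": reasons, "priority": priority}

# Constructed alerts: the same rule fired twice for the same account.
ALERTS = [
    {"rule": "login success after failures", "user": "jdoe",
     "timestamp": "2024-03-04T10:15:00", "src_ip": "10.10.4.22", "dst_ip": "10.20.5.9"},
    {"rule": "login success after failures", "user": "jdoe",
     "timestamp": "2024-03-05T03:02:00", "src_ip": "203.0.113.7", "dst_ip": "10.20.5.9"},
]

if __name__ == "__main__":
    for enriched in map(contextualize, ALERTS):
        print(enriched["priority"], enriched["context"], enriched["reasons"])
```

The first alert (office hours, corporate LAN) comes out as low priority, while the second (03:02 UTC, external address in an unexpected country) comes out as high, even though both were raised by the same rule.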

In some senses, you can think of contextualization as an extension of UEBA capabilities, as the SIEM solution analyzes user and entity behavior to recognize malicious activity and validate security alerts before your IT security team sees them.

As with any technology, contextualization is not perfect; you will still need an energetic and engaged security team to make sure your cybersecurity platform functions optimally and knows what behaviors are considered suspicious. However, contextualization can alleviate some of the burdens on them and free them to more actively pursue digital threats.   

Where Can I Get Contextualization for My SIEM?

Legacy SIEM solutions won’t offer the threat detection, security event correlation, alerting or contextualization your enterprise needs. Without these capabilities working in tandem and as part of a comprehensive cybersecurity platform, your enterprise will be woefully underprepared to face modern digital threats like fileless malware and advanced persistent threats. As a first step, your enterprise should select and deploy a next-generation SIEM solution, working with your security team to ensure its optimal performance.

And as you make your selection, evaluate each solution’s alerting system. Does it offer the contextualization you’ll need to keep the security alerts from overwhelming your security professionals? What information does it draw upon for its contextualization? And what information does your team need to make the best decisions?

With this information in hand, selecting the right SIEM solution should be a snap.  

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.