Quantifying and scoring individual security alerts is important for security teams to prioritize their work effectively. A common scoring mechanism is the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities, owned and managed by FIRST.Org. NIST publishes the Base metrics in the National Vulnerability Database (NVD) with a score ranging from 0 to 10. However, each organization needs to adjust the CVSS Base score with its own local Temporal and Environmental metrics.
CVSS is a good framework for scoring vulnerabilities, which are one part of the security alerts that a SOC team has to process; however, it is not suitable for generic security alerts. Security detection vendors like to categorize the severity of security alerts into low, medium, and high based on the credibility of the detections they created. However, most of those ratings are not accurate for each customer's environment. Incorrect scoring for security alerts
especially valuable for security teams who have already been busy with other tasks.
With proper prioritization, the security team
After working with a few security teams for a while, we’ve summarized a few factors that you need to consider when prioritizing your security alerts:
To successfully implement the prioritization for your security alerts, we see there are two challenges
But once it is implemented, you will see significant time savings on investigations, proper resource allocation, and faster remediation of the things that matter. You need to check those factors anyway, so why not automate? Automating them gives you a baseline for accurate prioritization.
Fixed scoring requires continuous tuning, which is time-consuming. The score will drift because it does not update automatically to reflect changes in your environment. AI-based scoring learns from your feedback to distinguish truly important alerts from false positives, and keeps updating the scores as that feedback accumulates, further saving the time you would spend on tuning.
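To make the contrast concrete, here is an added example (not DTonomy's code) of a fixed scorer beside a scorer that re-weights each detection rule from analyst verdicts. The vendor weights, rule names, asset criticality values and verdict counts are all constructed for illustration; it shows how a noisy "high" rule is demoted below a reliable "medium" rule once the team's feedback is taken into account, something a static score never does on its own.

```python
from collections import Counter
from dataclasses import dataclass, field

# Vendor severity labels mapped to a base weight (constructed values, not any vendor's table).
VENDOR_BASE = {"low": 0.2, "medium": 0.5, "high": 0.8}

@dataclass(frozen=True)
class Alert:
    rule: str                 # detection rule or signature that fired
    vendor_severity: str      # "low" / "medium" / "high" as labelled by the vendor
    asset_criticality: float  # 0.0..1.0 from the organisation's own asset inventory (assumed input)

def fixed_score(alert: Alert) -> float:
    """Static score: vendor severity scaled by asset criticality; only changes by manual tuning."""
    return 100 * VENDOR_BASE[alert.vendor_severity] * (0.5 + 0.5 * alert.asset_criticality)

@dataclass
class FeedbackScorer:
    """Scores alerts and re-weights each rule from analyst verdicts (true / false positive)."""
    true_pos: Counter = field(default_factory=Counter)
    false_pos: Counter = field(default_factory=Counter)

    def record_verdict(self, rule: str, was_true_positive: bool) -> None:
        (self.true_pos if was_true_positive else self.false_pos)[rule] += 1

    def rule_precision(self, rule: str) -> float:
        # Laplace-smoothed precision: a rule with no feedback yet sits at 0.5, not at 0 or 1.
        tp, fp = self.true_pos[rule], self.false_pos[rule]
        return (tp + 1) / (tp + fp + 2)

    def score(self, alert: Alert) -> float:
        # Blend the vendor's static base with the precision the team has observed for this rule,
        # then scale by how much the affected asset matters in this environment.
        credibility = 0.5 * VENDOR_BASE[alert.vendor_severity] + 0.5 * self.rule_precision(alert.rule)
        return 100 * credibility * (0.5 + 0.5 * alert.asset_criticality)

def demo() -> dict:
    """Constructed scenario: a noisy 'high' rule versus a reliable 'medium' rule on equal assets."""
    scorer = FeedbackScorer()
    noisy = Alert("suspicious_powershell", "high", 0.5)
    reliable = Alert("new_local_admin", "medium", 0.5)
    # Analyst verdicts over time: the 'high' rule was a false positive 9 times out of 10.
    for verdict in [True] + [False] * 9:
        scorer.record_verdict(noisy.rule, verdict)
    for _ in range(8):  # the 'medium' rule was confirmed every time it fired
        scorer.record_verdict(reliable.rule, True)
    return {
        "fixed": {noisy.rule: fixed_score(noisy), reliable.rule: fixed_score(reliable)},
        "learned": {noisy.rule: scorer.score(noisy), reliable.rule: scorer.score(reliable)},
    }
```

Calling `demo()` returns both score tables: under the fixed scheme the noisy rule ranks first (60 vs 37.5), under the feedback-adjusted scheme the reliable rule ranks first (52.5 vs 36.25).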
What do you think?