And those are just three examples. I could probably bore you to tears with a lot more examples from other vendors, each having different risk score methodologies. Fortunately, most of the time, the risk score associated with security alerts aligns somehow with how likely the alerts is a true positive. While these risks scores are useful, they are not sufficient on their own. Here are some of the challenges:
1. Security risk score are not normalized
Imagine if your kids school decided that each class was going to be graded differently. Let’s say Math was on a scale from 1-100, English was scored with As, Bs, C’s, D’s and F’s with A being the best grade, the closest equivalent to an A in Science was an S grade, and language classes used roman numerals. Ok, anybody confused yet? Based on this, it’s no surprise that security analysts can easily get confused from time to time with the different risks scores they get from their many different vendors And even if they don’t get confused, there’s certainly an impact on the efficiency of the analyst that already has too many alerts to review every day.
2. Security Risk Scores are often too generic and therefore not very accurate
Unfortunately, the person that defined the risk scores that Analysts use, don’t know us or our environment. The risk scores are most often defined when analysts are creating the rules, and that may have been many years ago, at a time when the threat landscape was quite different Some may be based on historical data analyst have. Most are based on intuition from the rule writer. It’s probably not well defined based on your environment, nor is it updated as often as the underlying risk changes. Additionally,
- It has no idea on whether the impacted user is your CEO or not.
- It has no idea on whether this attack is related to your industry or not.
- It has no idea whether you have already identified it as false positive or true positive.
- It has no idea about whether this brute force attack is related to your phishing attack (both of which would be high false positive with low risk score).
All this renders generic risk scores much less accurate and therefore less useful.
3. Security alerts are not security incidents. Single security alert risk may be low, but could represent the occurrence of a low and slow attack.
Half of your security alerts may be false positives. Yet lots of real attacks come from low risk alerts.