Introduction
Security operations present an escalating series of management challenges. As the frequency and variety of attacks accelerate, even the best teams can get overwhelmed with alerts.
The sheer volume of potential threats often presents teams with a false dilemma: choosing which alerts to deal with, often based on the somewhat arbitrary threat classifications assigned by a disparate set of siloed tools. This kind of alert triage creates the risk of missing serious threats, but many teams feel they have no choice.
Using criteria like an alert’s perceived importance or criticality as the decision point for taking action is the antithesis of being proactive. A serious attack is usually preceded by several early indicators of lower criticality or priority that suggest it is underway. Yet addressing every alert would require significantly scaling the incident response team, and even if budget is available, adequately trained staff may not be.