How Intelligent Context Reduces the Challenge of Alert Triage (Part 2)

Posted: 21st June 2019

This is the second blog in a three-part series examining the impact of threat intelligence on security operations. In our first blog, we discussed how the overwhelming number of threat alerts that security operations teams receive can cause alert fatigue to set in, and how threat intelligence provides the antidote to mitigate the situation. This blog looks at the security incident triage challenges faced by security operations teams and how context streamlines the scoping of security incidents by enriching threat alerts with additional information, helping teams make decisions on how to mitigate incidents based on a measurement of risk.


Noun. To determine the relevance, legitimacy, and degree of urgency for the large number of incoming alerts that represent potential IT security threats; to decide the order in which threats should be mitigated and if any alerts should be escalated.

Based on this definition from the perspective of IT security, triage just might be the most critical step in the incident response lifecycle, setting the stage for all the steps that follow. Do triage right, and your security operations team will be on the correct path to mitigating security issues efficiently and protecting your digital assets.

But if triage goes awry, the team will find itself chasing false positives and spending too much time on low-level — perhaps even meaningless — security priorities. Your data, as well as the data of your clients and business partners, could then be left wide open to cyberattacks.

The Complexity of a Seemingly Simple Mission

The mission of a security operations team seems simple enough on the surface: monitor for threats, detect suspicious activity, contain active threats, and then remediate. But this process is often hampered by the huge chunk of time that security operation teams are forced to spend responding to all the alerts generated by SIEM (security information and event management) and EDR (endpoint detection and response) systems, as well as other sources of internal data:

  • Network traffic crossing boundaries
  • Network activity at boundaries
  • Internal workstations, servers and devices
  • Internal network activity
  • Network connections and devices
  • User and workstation session activity
  • Event alerts and system logs
  • Data backup status

When considering all of these sources — and oftentimes, much more — from which security operations teams collect information, security incident triage presents a major challenge. While the information is vital for identifying potentially malicious network activity or a breach, searching all of the data around each alert is excessively time-consuming. The data is also difficult to interpret in isolation.

And the ever-increasing volume and rate of incoming alerts makes it impossible to keep up. With all the connected devices that require constant monitoring, the average time to detect and respond to device alerts is 197 days, according to a study conducted by the Ponemon Institute.

The Value of Intelligent Context

Conducting efficient triage to quickly determine whether alerts are relevant and urgent requires the synchronization of related information from external threat intelligence sources with the data generated by internal systems. This accelerates the triage process — streamlining the scoping of incidents — and enables security operations teams to make risk-based decisions around how to mitigate threats.

With intelligent context applied to the threat data, security operations teams can respond efficiently to all the alerts generated by SIEM and EDR systems, as well as other internal systems. They can also answer the key questions that allow them to pinpoint and isolate potentially malicious network activity and data breaches:

  • What is the scope of the incident?
  • Who and what systems or processes are impacted?
  • What is the extent of the damage?
  • How severe of a risk does the threat represent?
  • Are critical systems targeted by the threat?
  • Will a compromise expose confidential data or sensitive controls?
  • Does the team have a playbook or procedure to mitigate the threat?

Perhaps most importantly, members of the security operations team will be able to answer the most critical triage questions, such as, “Do we need help? Does the incident need to be escalated to someone else on our team?”

Best Course of Action to Protect Digital Assets

The benefits of taking an intelligence-driven security approach to triage are evident. By integrating external threat data with data generated by internal systems, your security operations team can greatly enhance the triage process. They also gain context on alerts and intelligently prioritize risk, sort real alerts from false positives, and quickly determine the best course of action to protect your company’s digital assets.

For more information on how to leverage external threat intelligence to help your security operations team conduct security alert triage effectively, request a personalized demo of Recorded Future today.