One of the biggest challenges with alert-based IDS solutions is handling the sheer volume of alerts that can be generated on a daily basis. Teams need a way to navigate this data so they can quickly and effectively home in on the critical details that indicate anomalous activity and tune alerts that are unique to their environment — thereby ensuring ongoing protection against threats and continuously enhancing their organization’s security posture.
At Threat Stack, we have always made sure that customers are seeing the most important security alerts so they can run efficient workflows. To strengthen that capability, we have just introduced Rapid Baselining — a new feature that groups alerts based on the associated rule. By leveraging the metadata within the alerts, we add deeper intelligence to the alert information.
How is this useful?
Alerts are now automatically grouped into logical subsets, enabling stronger workflows around a number of security practices, including the baselining of security activity across the infrastructure. Once a baseline has been established, users can quickly tune rules in larger groups, surfacing the most important alerts. By putting a baseline in place, it’s simpler to highlight unique or rare alerts — which are often indicators of malicious or unsafe activity — and suppress alerts that aren’t relevant to the environment.
It’s important to understand that, while baselining is important and automated functionality helps across the board, security workflows should still have a strong human component to provide valuable nuance. For almost any security event, it’s important to have eyes on it to validate whether the user, action, location, or any other characteristic of the event may require a slightly different route to remediation in order to be most effective.
By leveraging the alert metadata and organizing it in a way that allows users to easily find unhealthy behavioral patterns across the infrastructure, teams can catch undesirable behavior early on. With a greater understanding of the details behind an alert and even more forensic capabilities available for investigation, it is possible to remediate the underlying causes quickly and bring about continuous improvement of the organization’s security posture.
Rapid Baselining creates a more granular picture of alert patterns in the form of a heatmap. Using that heatmap, users can identify the days and hours when a rule has most frequently been triggered and understand how to tune the alert around that particular rule. This is particularly useful for singling out anomalous behavior associated with that rule.
The heatmap below, for example, shows an analysis of login failures for a particular host. It’s clear that noon on Tuesdays is the time when the largest number of failures is occurring, so it would be worthwhile to dive into the contributing events in Threat Stack to understand why there is such a high volume at this time. If some sort of automated function is causing the issue and is known to be valid, then the user can suppress the alert. However, if this looks like a time when external attackers are trying to get in, then more in-depth analysis and action would be required.
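The grouping, heatmap and peak-finding workflow described above, as an added example that is not Threat Stack code: alerts are grouped by rule, bucketed by weekday and hour for one host, the hottest cell is reported, and rules that fire only rarely are listed for eyes-on review. The alert records, rule names and hosts are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample alerts (not Threat Stack data): the rule that fired, the
# host, and an ISO-8601 timestamp. Four login failures land at noon on Tuesdays.
SAMPLE_ALERTS = [
    {"rule": "Login Failure", "host": "web-01", "ts": "2019-03-05T12:03:00"},
    {"rule": "Login Failure", "host": "web-01", "ts": "2019-03-05T12:17:00"},
    {"rule": "Login Failure", "host": "web-01", "ts": "2019-03-12T12:41:00"},
    {"rule": "Login Failure", "host": "web-01", "ts": "2019-03-12T12:55:00"},
    {"rule": "Login Failure", "host": "web-01", "ts": "2019-03-07T09:10:00"},
    {"rule": "Login Failure", "host": "web-02", "ts": "2019-03-06T02:30:00"},
    {"rule": "New User Created", "host": "web-01", "ts": "2019-03-08T23:45:00"},
]

def group_by_rule(alerts):
    # The grouping step: one bucket of alerts per rule that produced them.
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["rule"]].append(alert)
    return dict(groups)

def heatmap(alerts, rule, host=None):
    # Count alerts for one rule (optionally one host) per (weekday, hour) cell.
    counts = Counter()
    for alert in alerts:
        if alert["rule"] != rule or (host and alert["host"] != host):
            continue
        ts = datetime.fromisoformat(alert["ts"])
        counts[(ts.weekday(), ts.hour)] += 1
    return counts

def peak_bucket(counts):
    # The hottest cell, e.g. ("Tue", 12, 4): where tuning effort should start.
    (day, hour), n = counts.most_common(1)[0]
    return DAYS[day], hour, n

def rare_rules(alerts, max_count=1):
    # Rules that fired at most max_count times: the rare alerts worth eyes-on review.
    per_rule = Counter(a["rule"] for a in alerts)
    return sorted(r for r, n in per_rule.items() if n <= max_count)

def render(counts):
    # Text heatmap: one row per weekday, one column per hour 0-23 ("." = no alerts).
    return [name + " " + "".join(str(counts[(d, h)]) if counts[(d, h)] else "."
                                 for h in range(24)) for d, name in enumerate(DAYS)]
```

Calling `heatmap(SAMPLE_ALERTS, "Login Failure", host="web-01")` and passing the result to `peak_bucket` reports Tuesday at hour 12 as the peak, which is the cell an analyst would open up to contributing events before deciding whether to suppress the rule.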
At Threat Stack, we believe that security is an ongoing and iterative process, which is why we are dedicated to continuously surfacing the insight our platform generates so that users have a wealth of actionable information. With our new Rapid Baselining feature, Threat Stack is giving teams a powerful tool for investigating alerts and finding patterns within their infrastructure. Regularly acting on these findings and remediating unsafe behaviors is central to driving down risk while simultaneously strengthening an organization’s overall infrastructure.