Alert Prioritization – Correlations Create Context, Context Creates Clarity

How many times have you seen the following scenarios play out? A big news event occurs, and TV networks rush to get the story out before everybody else. Unfortunately, the early conclusions made about the event turn out to be completely wrong once additional facts come out. In another example, a video snippet showing someone reciting a controversial line goes viral on the Internet. Later, we find out that the person was recorded out of context, thus changing the connotation of what they really meant.

Context Matters

Context matters, as does having all the relevant information at hand before a reputable decision can be made. While it is easy to point out examples involving broadcasting and social media, this type of narrative occurs in many facets of modern life, including cybersecurity. Traditional security monitoring tools are designed to send prescribed metrics and alerts to security and IT personnel. There are several limitations to this approach, however.

  • Just like a human scout, each monitoring tool is looking at events through its unique lens.
  • The personnel sitting at their monitoring dashboards must often interpret what these metrics and alerts are indicating.
  • IT teams are bombarded with monitoring alerts and messaging, with many of them being false positives.

In a perfect world, we could wait to respond to a possible attack until we had all the information. Unfortunately, the hackers do not wait for us to play our hand. They are playing to win and even legitimate platforms now serve as their playground. No network is safe.

Thanks to advances in AL and ML however, both speed and context are possible concerning highly complex environments. One example is Waze, a GPS navigation software app that continually draws data from multiple data sources including crowdsourced data from its users, government traffic agencies, and historical data. It then uses advanced algorithms to report traffic conditions of your upcoming trip with relative ease and accuracy.

More Tools are not the Answer

According to a 2019 Forrester Study, when Covid19 set the world on a cyberwarfare frenzy, companies have been on a buying frenzy to expand their portfolio of security tools in recent years. In the study, the average respondent managed an average of 25 different security products/services from 13 vendors. The premise behind this movement is understandable. The more tools, the more coverage, and 2019 was a time that every business felt it needed more coverage. The more facts you have, the more accurate your conclusions. The problem is that more tools introduce more complexity. The 2020 CISO Benchmark Survey showed that organizations became more susceptible to security-related downtime as their number of utilized security vendors increased. It is growing clear that a widely dispersed, diverse security toolset introduces real challenges for businesses today.

Getting the Full (Attack) Story

The problem with traditional network and security monitoring is that a security alert is an individual point-in-time indicator of malicious activity. Security teams need the full narrative because every cyberattack has a story. The typical storyline consists of a series of basic sequential steps.

  1. An initial breach that is the result of a phishing email or an unpatched vulnerability
  2. A foothold or beachhead is established from which the attackers will establish their base
  3. The attackers then move laterally across the network seeking privilege escalation and high-value data they can steal or leverage
  4. The actual attack takes place whether it be a traditional data breach or ransomware attack

A military general demands information from across the entire battlefield to piece out the full story of what the enemy is doing in real-time. For instance, a single flanking maneuver taken by the enemy might be a deceptive tactic designed to distract the enemy while the real attack ensues. While events by themselves do have value, they fail to provide the full visibility you need across your network.

The Purpose of Event Correlation

In many cases, single events by themselves fail to tell a story until they are correlated with other events. Event correlation is the process of grouping and analyzing seemingly unrelated events to identify patterns and discover potential security incidents. It involves both the automated and semi-automated linking of multiple related security events to tell a story of meaningful sequences or patterns. For instance, multiple failed login attempts could be a user forgetting their password. This is a type of false positive that is easily ignored. One also ignores a successful login of the same user, but when a successful login immediately follows fifty sequential failed attempts, a potential story starts to emerge. In another example, event types A, B, and C may not justify prioritization by themselves individually, but when correlated collectively, represent a potentially disruptive level event.

A SIEM + SOAR Combination

Many organizations have implemented SIEMs to aid them in collecting and aggregating data across disparate systems across their multiple site networks into a centralized platform. The SIEM then analyzes the aggregated data to identify suspicious trends or patterns. While a SIEM is certainly an upgrade over a human team of analysts that must interpret and assess the data properly, it still falls short in terms of reacting and remediating the disclosed threats. A fairly new methodology called security orchestration, automation, and response (SOAR) is taking the baton from SIEM and taking security to the next level. While a SIEM does a great job of keeping security teams informed, a SOAR solution works to correlate events and respond to as well as remediate those threats in an automated fashion. The idea is to let the SOAR handle basic security incidents and let security professionals focus on more complicated threats. SOAR is a proactive member of your security team that adds speed, efficiency, and greater accuracy to your security efforts.

SOAR + SOC Combination

Unfortunately, not every organization can afford a SOAR on their own. That is one of the reasons why many organizations are increasingly turning to a security operations center (SOC) to embolden their security posture. SOAR tools can enhance the efficiency and effectiveness of the SOC’s team of highly experienced cybersecurity professionals. SOCs manage to return so much value that many insurance companies are requiring them in their cyber insurance policyholders.


Security teams are drowning in information and security alerts. While it is humanly possible to correlate this mammoth amount of data, it isn’t feasible. Security teams must have the ability to connect the complex array of dots as quickly as possible before the bad guys have a chance to achieve their malevolent objectives. Only automation can get go down the rabbit hole fast enough to find the correlating events that identify the story taking place in your network. It’s not about having all the tools. It is about having the right tools, and with them, you can ensure that the story concludes with a happy ending.

Sign Up for Updates