Taking Back Control of Your SOC with Risk Based Alerting
Posted by: Billy Huang
Is your SOC inundated with alerts that end up as false positives? Are your analysts experiencing alert fatigue? These are challenges that every SOC faces with the increase in technologies generating logs.
Traditionally, alerts are created from a narrow set of criteria, which often need tuning and produce a lot of noise. As new and sophisticated attacks emerge, we try to keep up by adding detection mechanisms, which generate more alerts and more noise, further overburdening our SOC analysts. All that can change with Risk Based Alerting (RBA).
Risk Based Alerting is a concept that can be utilized in any Security Information and Event Management (SIEM), but we will discuss how it works in Splunk Enterprise Security (ES). Remember, alerts are written against either an individual user’s specific behavior or activity, or against a system (think assets and identities in Splunk ES). This is why you must ensure your assets and identities are correctly configured before creating any rules in RBA. This includes assigning a proper level of “priority”; that is, how critical a user or system is in your ecosystem (more on this later).
At the root of RBA is the Risk Index, which serves as the repository where alert data is stored. When you set up a correlation search in ES (similar to an alert), a notable event is generated each time the search matches. An analyst must then perform triage to determine whether a ticket should be created, whether the event can be ignored, or whether it is a false positive. With RBA, that alert is instead sent to the Risk Index, which holds all your triggered alert data in one place.
Next, the Risk Index events are enriched with additional data and a risk score. Risk is calculated using three variables: risk impact, risk confidence, and a risk modifier. When a Risk Rule is created, it is assigned an impact and confidence level that determines the severity of such an alert. This severity is based on the negative impact the activity associated with the alert has on the environment and how confident you are that the alert will produce true positives. The risk modifier acts as a tuning knob to increase the score if it is a critical user or system, like a privileged account or domain controller.
Lastly, detections, or Risk Incident Rules (RIRs), are written against the enriched Risk Index data using thresholds or patterns that are determined to be suspicious. That can include a user whose risk score has exceeded a predetermined threshold, or a host whose activity spans multiple MITRE ATT&CK tactics. Not only does RBA provide an analyst with valuable information, it also speeds up the rate at which they triage events. Typically, an analyst needs to search numerous Splunk indexes or other user interfaces to investigate an alert. With RBA, all of the essential data is written to one risk index, allowing analysts to work quickly and efficiently.
Another notable aspect of RBA is the ability to detect “low and slow” attacks, where an adversary tries to evade detection by taking weeks or even months to accomplish a task. Since all our valuable attribution data is in the Risk Index, we can efficiently look across longer periods of time that in the past would have been almost impossible to scope and analyze.
An Example Timeline with Risk Scoring
Using Risk Based Alerting, each individual event may not be malicious by itself, but when the events are combined into a timeline for a specific user or system, an alert is raised for an analyst to triage.
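The following is an added example that puts the pieces described above (risk rules writing to a risk index, scoring with impact, confidence and a priority-based modifier, and Risk Incident Rules over thresholds and ATT&CK tactic spread) together in plain Python. It is not Splunk code and does not use Splunk ES field names or Splunk's scoring formula; the `impact * confidence / 100 * modifier` formula, the field names, the priority table and the sample events are all assumptions constructed for this illustration.

```python
"""Toy risk-based alerting pipeline (added example; not Splunk ES code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample "risk index": each dict is one Risk Rule hit.
# Field names and values are assumptions for this example only.
RISK_EVENTS = [
    {"time": "2024-01-08T09:05:00", "risk_object": "jsmith", "rule": "Encoded PowerShell Command", "impact": 60, "confidence": 50, "tactic": "Execution"},
    {"time": "2024-01-08T09:20:00", "risk_object": "jsmith", "rule": "LSASS Memory Access", "impact": 80, "confidence": 70, "tactic": "Credential Access"},
    {"time": "2024-01-08T10:40:00", "risk_object": "jsmith", "rule": "Remote Service Creation", "impact": 70, "confidence": 60, "tactic": "Lateral Movement"},
    # A "low and slow" pattern: one low-scoring hit every ~2 weeks on a critical service account.
    {"time": "2024-01-02T02:00:00", "risk_object": "svc_backup", "rule": "Unusual AD Enumeration", "impact": 40, "confidence": 50, "tactic": "Discovery"},
    {"time": "2024-01-15T02:10:00", "risk_object": "svc_backup", "rule": "New Scheduled Task", "impact": 40, "confidence": 50, "tactic": "Persistence"},
    {"time": "2024-01-29T02:05:00", "risk_object": "svc_backup", "rule": "Large Outbound Transfer", "impact": 60, "confidence": 50, "tactic": "Exfiltration"},
    # Benign-looking noise on a low-priority user: same rule twice, one tactic.
    {"time": "2024-01-08T11:00:00", "risk_object": "bjones", "rule": "Encoded PowerShell Command", "impact": 60, "confidence": 50, "tactic": "Execution"},
    {"time": "2024-01-08T11:30:00", "risk_object": "bjones", "rule": "Encoded PowerShell Command", "impact": 60, "confidence": 50, "tactic": "Execution"},
]

# Assumed asset/identity priority (the "priority" the article says must be set first)
# and the risk modifier each priority applies.
ASSET_PRIORITY = {"jsmith": "medium", "svc_backup": "critical", "bjones": "low"}
PRIORITY_MODIFIER = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}


def risk_score(event, priority_by_object=ASSET_PRIORITY):
    """Assumed formula: impact x confidence (as a percentage), scaled by the object's priority."""
    base = event["impact"] * event["confidence"] / 100
    priority = priority_by_object.get(event["risk_object"], "medium")
    return base * PRIORITY_MODIFIER[priority]


def enrich(events=RISK_EVENTS, priority_by_object=ASSET_PRIORITY):
    """Parse timestamps and attach a score to every risk event (the enrichment step)."""
    return [
        {**e, "time": datetime.fromisoformat(e["time"]), "score": risk_score(e, priority_by_object)}
        for e in events
    ]


def _group(enriched):
    by_object = defaultdict(list)
    for e in enriched:
        by_object[e["risk_object"]].append(e)
    for evs in by_object.values():
        evs.sort(key=lambda e: e["time"])
    return by_object


def threshold_alerts(enriched, threshold=100.0, window=timedelta(hours=24)):
    """RIR 1: risk objects whose summed score within any `window` reaches `threshold`.
    Returns {risk_object: peak_window_score}."""
    alerts = {}
    for obj, evs in _group(enriched).items():
        start, running, peak = 0, 0.0, 0.0
        for end, e in enumerate(evs):            # sliding window over time-sorted events
            running += e["score"]
            while evs[end]["time"] - evs[start]["time"] > window:
                running -= evs[start]["score"]
                start += 1
            peak = max(peak, running)
        if peak >= threshold:
            alerts[obj] = round(peak, 2)
    return alerts


def tactic_spread_alerts(enriched, min_tactics=3, window=timedelta(days=30)):
    """RIR 2: risk objects touching >= `min_tactics` distinct ATT&CK tactics within `window`.
    A long window is what lets this catch low-and-slow activity that never trips the score threshold."""
    alerts = {}
    for obj, evs in _group(enriched).items():
        for i, first in enumerate(evs):
            tactics = {e["tactic"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(tactics) >= min_tactics:
                alerts[obj] = sorted(tactics)
                break
    return alerts


def run_pipeline(events=RISK_EVENTS):
    """Enrich the risk index and evaluate both Risk Incident Rules."""
    enriched = enrich(events)
    return {"threshold": threshold_alerts(enriched), "tactic_spread": tactic_spread_alerts(enriched)}


if __name__ == "__main__":
    enriched = enrich()
    for obj, evs in _group(enriched).items():   # the per-object timeline an analyst would triage
        print(f"== {obj} ({ASSET_PRIORITY.get(obj, 'medium')} priority)")
        for e in evs:
            print(f"  {e['time']:%Y-%m-%d %H:%M}  {e['score']:6.1f}  {e['tactic']:<18} {e['rule']}")
    print(run_pipeline())
```

Running it shows the two behaviours the article describes: `jsmith` trips the 24-hour score threshold because three moderately scored hits land within two hours, while `svc_backup` never accumulates 100 points in a day but still surfaces through the 30-day tactic-spread rule. `bjones` generates the same rule hit as `jsmith`, yet the low-priority modifier halves each score and a single repeated tactic never satisfies either RIR, which is the noise reduction RBA is meant to deliver.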
Utilizing a Security Framework
RBA allows you to tie in your preferred security framework (MITRE ATT&CK, the Lockheed Martin Cyber Kill Chain, CIS 20, etc.). This can be used to create detections that track an adversary’s actions across different ATT&CK tactics or steps in the Cyber Kill Chain. When your detections are mapped in this way, you can also identify gaps in your security posture and create new detections to fill that void.
If you’d like additional information on RBA or want to introduce RBA into your environment, learn more about our Security Analytics or Splunk services, or contact us.
Billy Huang
Senior Security Engineer,
GuidePoint Security
Billy Huang is a passionate cyber security professional who began his career in the United States Army, first as an Air Defense Artillery officer and later as a cyber officer, where he worked as a CND Manager on a Cyber Protection Team. He left after nine years of service and continued his profession as a security engineer specializing in Splunk and Phantom, working on government and commercial contracts. He holds multiple certifications from SANS (GCIA, GPEN, GCFA) as well as the CISSP from ISC2 and the CISM from ISACA.