SOC Investigation Workflow

Continuing from our previous posts: once good, useful data is being captured, the focus can shift to building a sound security investigation workflow.

A good SOC captures, verifies, and notifies on all alerts. A better SOC captures, verifies, filters, and notifies the customer only on alerts that actually require a response. Notifying on every alert floods the customer with emails that are eventually ignored, which defeats the purpose of proactive monitoring.

At Simply Data, we use a 4-layer funnel filtering process involving L1, L2, and L3 security analysts. Each layer of the funnel is designed to filter out false positives and alerts that require no response (noise). From experience, this process filters out about 70-80% of the alerts triggered by SIEM correlation rules.

Not forgetting, all of this filtering also feeds a feedback loop that lets our L3 security analysts fine-tune the SIEM correlation rules and reduce that noise at the source.
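To make the funnel and its feedback loop concrete, here is an added illustration in Python. It is not Simply Data's tooling or code from this post: the four stages (automated suppression, threshold verification, correlation, case folding), the thresholds, the approved-scanner list, and the sample alerts are all assumptions chosen for the example. Each stage records why it dropped an alert, and the final step turns those drop reasons into per-rule tuning hints, which is the part an L3 analyst would act on.

```python
"""Four-stage alert triage funnel with a rule-tuning feedback loop.

Added example, not Simply Data's workflow code. Stage logic, thresholds,
field names and the sample alerts below are assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample alerts; the field names are assumed, not a real SIEM schema.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "ssh_brute_force", "src": "203.0.113.7", "host": "bastion01", "count": 120},
    {"id": 2, "rule": "ssh_brute_force", "src": "203.0.113.7", "host": "bastion01", "count": 130},  # duplicate of 1
    {"id": 3, "rule": "ssh_brute_force", "src": "10.0.0.9", "host": "bastion01", "count": 3},        # below threshold
    {"id": 4, "rule": "port_scan", "src": "10.0.0.2", "host": "web01", "count": 400},                 # approved scanner
    {"id": 5, "rule": "port_scan", "src": "198.51.100.4", "host": "web01", "count": 500},
    {"id": 6, "rule": "av_detection", "src": "198.51.100.4", "host": "web01", "count": 1},
    {"id": 7, "rule": "failed_login", "src": "10.0.0.50", "host": "hr01", "count": 12},
    {"id": 8, "rule": "failed_login", "src": "10.0.0.51", "host": "hr01", "count": 2},
    {"id": 9, "rule": "new_admin_user", "src": "10.0.0.50", "host": "hr01", "count": 1},
    {"id": 10, "rule": "failed_login", "src": "10.0.0.52", "host": "fin01", "count": 5},
]

# Tuning knobs (assumed values): known-good sources, per-rule minimum event counts,
# and rules that are actionable on their own.
APPROVED_SCANNERS = {"10.0.0.2"}
MIN_COUNT = {"ssh_brute_force": 20, "failed_login": 10, "port_scan": 100}
ALWAYS_ESCALATE = {"av_detection", "new_admin_user"}


def stage1_suppress(alerts):
    """Layer 1 (automated / L1): drop approved-source noise and exact duplicates."""
    seen, kept, dropped = set(), [], []
    for a in alerts:
        key = (a["rule"], a["src"], a["host"])
        if a["src"] in APPROVED_SCANNERS:
            dropped.append((a, "approved_source"))
        elif key in seen:
            dropped.append((a, "duplicate"))
        else:
            seen.add(key)
            kept.append(a)
    return kept, dropped


def stage2_threshold(alerts):
    """Layer 2 (L1 verification): did enough events occur to justify the rule firing?"""
    kept, dropped = [], []
    for a in alerts:
        if a["count"] < MIN_COUNT.get(a["rule"], 1):
            dropped.append((a, "below_threshold"))
        else:
            kept.append(a)
    return kept, dropped


def stage3_correlate(alerts):
    """Layer 3 (L2 analysis): keep an alert only if it is inherently actionable or
    another rule fired for the same source or host (corroboration)."""
    by_src, by_host = defaultdict(set), defaultdict(set)
    for a in alerts:
        by_src[a["src"]].add(a["rule"])
        by_host[a["host"]].add(a["rule"])
    kept, dropped = [], []
    for a in alerts:
        corroborated = len(by_src[a["src"]] | by_host[a["host"]]) > 1
        if a["rule"] in ALWAYS_ESCALATE or corroborated:
            kept.append(a)
        else:
            dropped.append((a, "uncorroborated"))
    return kept, dropped


def stage4_case(alerts):
    """Layer 4 (L3 decision): fold surviving alerts into one case per host so the
    customer gets a single notification that needs a response."""
    cases = defaultdict(list)
    for a in alerts:
        cases[a["host"]].append(a["id"])
    return dict(cases)


def run_funnel(alerts):
    """Push alerts through all four layers; return cases, drops and the noise ratio."""
    remaining, dropped = list(alerts), []
    for stage in (stage1_suppress, stage2_threshold, stage3_correlate):
        remaining, d = stage(remaining)
        dropped.extend(d)
    return {"cases": stage4_case(remaining), "dropped": dropped,
            "filtered_ratio": len(dropped) / len(alerts)}


def tuning_feedback(alerts, dropped, max_noise=0.5):
    """Feedback loop for L3: per rule, the fraction of firings that were noise and
    the dominant drop reason. Rules above max_noise (assumed cutoff) need tuning."""
    fired = Counter(a["rule"] for a in alerts)
    reasons = defaultdict(Counter)
    for a, why in dropped:
        reasons[a["rule"]][why] += 1
    hints = {}
    for rule, n in fired.items():
        noise = sum(reasons[rule].values()) / n
        if noise > max_noise:
            hints[rule] = (round(noise, 2), reasons[rule].most_common(1)[0][0])
    return hints


if __name__ == "__main__":
    result = run_funnel(SAMPLE_ALERTS)
    print("cases to notify:", result["cases"])
    print(f"filtered out: {result['filtered_ratio']:.0%} of alerts")
    print("rules needing tuning:", tuning_feedback(SAMPLE_ALERTS, result["dropped"]))
```

On the constructed input, ten alerts collapse to two cases (one per affected host), and the feedback step flags `ssh_brute_force` (every firing was noise) and `failed_login` (mostly below threshold) as the rules to tune. The point is the shape: every drop carries a reason, so the same data that protects the customer from email floods also tells the L3 analyst which correlation rules to fix.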

For actual incidents, proactive threat hunting is carried out by L3 security analysts. Best practice is to have a dedicated threat hunting analyst, and that is our target once the team expands. Threat hunting uncovers the scope of the incident and the attack vector. This can be done manually if the analyst has deep operating system expertise, but a good EDR or XDR product reduces investigation time significantly.

View our 5-minute demo session here: