Alerts

Learn about the proper techniques for reviewing notifications.

Review notifications

Most SIEM solutions can perform a specific action when they receive an alert from a security device. Examples of these actions include sending an email or adding an item to a dashboard. The response actions a SIEM takes need to get security analysts' attention so that alerts are handled quickly. If the SIEM sends notifications, it should do so through the organization's existing messaging infrastructure, such as its email system or the Short Message Service (SMS). Because these channels sit outside the SIEM's own access controls, the information placed in each notification should be reviewed to ensure that sensitive information isn't inappropriately disclosed. This review should include asking questions such as:

  • What if the contents of the message ended up in the wrong person’s inbox?

  • What could be done with that information?

  • Who else could benefit from receiving this notification?

Problems with handling notifications

Using a system that automatically creates notifications runs the risk of sending too many of them and overwhelming recipients. A SIEM can create a security event based on the alerts it receives, but the event needs to be actionable: if it gets the attention of an analyst, it had better be worth the time of that valuable security resource. If there are too many events to handle appropriately, security personnel may become desensitized and start tuning them out.

Note: Event apathy appears to have contributed to the expensive and widely publicized incident suffered by the Target Corporation in 2013, where alerts generated by a malware prevention appliance were not seen (and therefore not responded to) by security personnel until it was too late.
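The two concerns in this lesson, keeping sensitive detail out of notifications that leave the SIEM and collapsing floods of identical alerts into one actionable event, can be handled in the same routing step. The Python below is an added example written for this lesson; it is not code from the original page or from any particular SIEM product. The alert field names, the severity-to-channel routing table and the console URL are assumptions, and the sample alerts are constructed.

```python
import re

# Constructed sample alerts (not real data). The SIEM is assumed to hand the
# notification step dicts with these keys; the field names are an assumption.
SAMPLE_ALERTS = [
    {"id": f"A-{n:04d}", "ts": 1_700_000_000 + 2 * n, "rule": "ssh_brute_force",
     "severity": "high", "host": "db01.corp.example", "user": "svc_backup",
     "src_ip": "203.0.113.7",
     "raw": f"Failed password for svc_backup from 203.0.113.7 port {40000 + n} ssh2"}
    for n in range(40)
] + [
    {"id": "A-0100", "ts": 1_700_000_100, "rule": "malware_blocked",
     "severity": "critical", "host": "ws-042.corp.example", "user": "jdoe",
     "src_ip": "198.51.100.9",
     "raw": "Blocked download of trojan.exe by jdoe@corp.example from 198.51.100.9"},
    {"id": "A-0101", "ts": 1_700_000_150, "rule": "port_scan",
     "severity": "low", "host": "fw-edge", "user": "-",
     "src_ip": "192.0.2.33", "raw": "SYN scan from 192.0.2.33"},
]

# Assumed routing policy: only critical events page someone by SMS, high ones
# go to the security mailbox, and low ones stay on the in-SIEM dashboard so
# they never interrupt an analyst.
ROUTING = {"critical": ["sms", "email"], "high": ["email"], "low": ["dashboard"]}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact(text):
    """Safety net for anything that does leave the SIEM: mask IPs and emails."""
    return _EMAIL.sub("[email]", _IPV4.sub("[ip]", text))


def aggregate(alerts, window=300):
    """Collapse alerts sharing (rule, host) within `window` seconds into one
    group, so 40 identical brute-force hits become a single event to act on."""
    groups = []
    open_groups = {}  # (rule, host) -> group still accepting alerts
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"])
        g = open_groups.get(key)
        if g is None or a["ts"] - g["last_ts"] > window:
            g = {"rule": a["rule"], "host": a["host"], "severity": a["severity"],
                 "first_id": a["id"], "first_ts": a["ts"], "last_ts": a["ts"],
                 "count": 0}
            groups.append(g)
            open_groups[key] = g
        g["count"] += 1
        g["last_ts"] = a["ts"]
    return groups


def build_notifications(alerts, siem_url="https://siem.corp.example/alerts/"):
    """Return one notification dict per (event group, channel).
    `siem_url` is an assumed placeholder for the console link."""
    out = []
    for g in aggregate(alerts):
        ref = siem_url + g["first_id"]
        # Out-of-band channels (SMS, email) get a pointer, not the evidence.
        # If this lands in the wrong inbox it reveals a rule name and a link
        # that still requires SIEM authentication, nothing about the asset,
        # the account involved or the raw log line.
        short = f"[{g['severity'].upper()}] {g['rule']} x{g['count']} - {ref}"
        # The dashboard lives inside the SIEM's access controls, so it may
        # carry the host and the time span of the burst.
        detail = f"{short} host={g['host']} first={g['first_ts']} last={g['last_ts']}"
        for channel in ROUTING.get(g["severity"], ["dashboard"]):
            body = detail if channel == "dashboard" else short
            out.append({"channel": channel, "severity": g["severity"],
                        "rule": g["rule"], "count": g["count"],
                        "body": redact(body)})
    return out


if __name__ == "__main__":
    for n in build_notifications(SAMPLE_ALERTS):
        print(f"{n['channel']:9s} {n['body']}")
```

Run against the constructed sample, the 40 brute-force alerts become a single email reporting `x40`, the critical malware event goes out by SMS and email, and the low-severity scan only reaches the dashboard. Nothing sent over SMS or email contains the source IP, the service account or the hostname; an analyst follows the link to see those inside the SIEM.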
