Exabeam, the security analytics and automation company, announces Exabeam Alert Triage, a new cloud-native application that will help security analysts confidently wrangle the overwhelming number of alerts coming at them each day from a myriad of third-party vendor tools.
Included as a new integrated application for all cloud customers using Exabeam advanced analytics and Exabeam case manager, Alert Triage enriches alerts with context and presents them in a single screen so analysts can make faster decisions about which alerts to escalate or dismiss. It also ensures analysts don’t miss the critical alerts that require escalation to prevent breaches.
Receiving security alerts
“Analysts receive thousands of security alerts a day spread across disparate tools. Unable to keep up with the volume, they must ignore a significant number of them, which leaves their organisations vulnerable to threats,” said Adam Geller, chief product officer at Exabeam. “We developed the Alert Triage application to provide automation throughout the triage workflow so security analysts can be freed up to focus on what matters most -- fortifying their organisation's cybersecurity defences to prevent breaches.”
“We’ve had great success running Alert Triage in its beta version. At first, watching so many alerts get centralised into a single screen was somewhat unbelievable, but Exabeam has done it,” said Zane Gittins, IT security specialist at Meissner. “It’s been refreshing to not have to go from app to app to look at different alerts and it absolutely reduces the time it takes to triage them.”
Traditional triage workflows
Security personnel say they are only able to investigate 45% of the daily alerts they receive, according to research from the Ponemon Institute. The report surveyed 596 IT and security practitioners and also found that 33% of alerts in traditional SIEMs are false positives.
The traditional triage process requires analysts to first determine what the alert is for (users or entities), gather the right contextual information (positions, locations, sources, etc.), and then sift through logs to determine the priority of the alert. Next, an analyst must decide whether or not to escalate it for further review. Blending traditional triage workflows with context generated from machine learning-based analytics, Alert Triage does this time-consuming and tedious work automatically. It categorises, aggregates, and enriches alerts with contextual data including host, IP, severity of alerts, related behavioural anomalies, and overall risk scores of associated users and entities.
Incident response team
From the security alert, analysts can easily navigate to an associated user or entity timeline to understand what happened before and after the alert was triggered.
Armed with context to understand the scope of the security alert, analysts can rapidly and confidently dismiss or escalate the alert to the incident response team.
Alert Triage benefits include:
- Visibility - Centralising the alert triage process and organising an analyst's triage efforts enables analysts to review alerts faster. Visibility into all of the alerts that security tools have triggered in an organisation minimises the likelihood that an alert is missed or overlooked.
- Focus - The ability to categorise alerts allows managers to create and assign channels to team members. A channel helps focus an analyst’s attention on a specific type of alert and allows them to develop subject matter expertise.
- Productivity - An analyst can triage alerts in aggregate batches, which boosts their productivity. Greater productivity means analysts are able to review a higher percentage of incoming alerts and reduce the possibility that an alert will go unreviewed and lead to a breach.
Latest security incidents
“When we look at the latest security incidents such as the SolarWinds or Microsoft Exchange attacks, more likely than not, the impacted organisations had at least one security alert generated about the threats from one of their third-party security vendor tools,” said Gorka Sadowski, chief strategy officer at Exabeam.
“Unfortunately, that alert was likely drowned in all of the other false positive alerts and had to be discarded. Exabeam helps our customers spend time on the alerts that really matter.”