Deployment of Risk-Based Alerting in a Managed Security Services Provider context

Könönen, Samuli (2022-10-13)

File: Kononen_Samuli_Thesis.pdf (1.230Mb)

The publication is subject to copyright regulations. The work may be read and printed for personal use. Commercial use is prohibited.
Access: closed
Permanent address of the publication:
https://urn.fi/URN:NBN:fi-fe2022102863612
Abstract
In recent years the number of cyber-attacks has greatly increased, and the damage they can cause has grown correspondingly. Purely technological solutions have proven inadequate for defending organizations against cyber-attacks. The answer has been the Security Operation Center, which provides round-the-clock defense by combining the expertise of cyber security professionals with state-of-the-art security technologies. Because of the high level of security expertise required and the demands of operating day and night, Security Operation Centers are often outsourced to Managed Security Service Providers.
Modern Security Operation Centers face several challenges. The aim of this thesis is to identify the most pressing of these challenges and to provide a solution, with emphasis on the Managed Security Service Provider context. This is done by reviewing the previous research literature, analyzing previously proposed solutions, and presenting a further potential solution.
I present a general model for a Security Operation Center consisting of the technologies, people, and processes. I analyze the challenges modern Security Operation Centers are facing with emphasis on Managed Security Service Providers. Many of the recognized challenges culminate in the most valuable resource of the modern Security Operation Center, the people, causing them to suffer from alert fatigue. Alert fatigue is a condition that occurs when a person is continually exposed to a high number of alerts. This can lead to decreased performance or even the person ignoring important alerts.
I identify previously proposed potential solutions to combat alert fatigue. One potential solution is the use of the Risk-Based Alerting (RBA) feature of Splunk Enterprise Security. I evaluate the proposed solutions and analyze their applicability in the Managed Security Service Provider context.
I conclude that Risk-Based Alerting has the best potential to help Security Operation Centers combat alert fatigue and improve their effectiveness in detecting and responding to threats. I recommend strategies for RBA deployment that could be used to realize this potential. RBA deployment was recognized as a long-term project, and the strategies work as a great starting point for deployment of RBA, but due to the nature of the tool it cannot be taken as a finished ‘set-and-forget’ solution.
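The abstract names Risk-Based Alerting but does not describe the mechanism behind it. The following Python script is an added illustration of that mechanism and is not code from the thesis or from Splunk. The idea it shows is the one the thesis builds on: a detection writes a risk score against a risk object (a user or host) instead of raising an alert, and a separate rule raises a single alert only when the score accumulated in a time window, or the number of distinct detections contributing to it, crosses a threshold. The sample events, rule names, thresholds and 24-hour window are assumptions constructed for the example, as is the comparison function that emits one alert per detection hit.

```python
"""Risk-based alerting versus one-alert-per-detection on constructed events.

Added illustration of the RBA concept; not code from the thesis or from Splunk.
Thresholds, rule names, window length and events are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: (time, risk_object, rule, risk_score).
# alice: three different low-fidelity detections in 25 minutes (a real chain).
# bob:   the same noisy detection firing every hour for eight hours.
# carol: two isolated low-score hits far apart.
SAMPLE_EVENTS = [
    ("2022-10-01T08:00:00", "alice", "login_from_new_country", 30),
    ("2022-10-01T08:10:00", "alice", "mfa_push_burst", 30),
    ("2022-10-01T08:25:00", "alice", "rare_process_on_host", 50),
    ("2022-10-01T07:30:00", "carol", "login_from_new_country", 10),
    ("2022-10-01T12:00:00", "carol", "failed_login_burst", 10),
] + [
    (f"2022-10-01T{h:02d}:00:00", "bob", "failed_login_burst", 10)
    for h in range(9, 17)
]


def parse(events):
    """Parse timestamps and order events chronologically."""
    parsed = [(datetime.fromisoformat(t), obj, rule, score)
              for t, obj, rule, score in events]
    return sorted(parsed, key=lambda e: e[0])


def naive_alerts(events):
    """Classic model: every detection hit is an alert an analyst must triage."""
    return [(obj, rule, score) for _, obj, rule, score in parse(events)]


def risk_alerts(events, window=timedelta(hours=24),
                score_threshold=100, min_distinct_rules=3):
    """RBA model: accumulate risk per object, alert only on the aggregate.

    Two criteria are checked after every event, mirroring the two kinds of
    aggregation rule RBA deployments commonly use (assumed here):
      - total risk score in the window reaches score_threshold, or
      - at least min_distinct_rules different detections contributed.
    """
    ledger = defaultdict(deque)   # risk_object -> events inside the window
    alerts = []
    for t, obj, rule, score in parse(events):
        q = ledger[obj]
        q.append((t, rule, score))
        while q and q[0][0] < t - window:   # drop events older than the window
            q.popleft()
        total = sum(s for _, _, s in q)
        distinct = {r for _, r, _ in q}
        reasons = []
        if total >= score_threshold:
            reasons.append(f"risk_score {total} >= {score_threshold}")
        if len(distinct) >= min_distinct_rules:
            reasons.append(f"{len(distinct)} distinct rules >= {min_distinct_rules}")
        if reasons:
            alerts.append({
                "risk_object": obj,
                "fired_at": t.isoformat(),
                "total": total,
                "rules": sorted(distinct),
                "reasons": reasons,
            })
            q.clear()   # throttle: one alert per object per accumulation
    return alerts


if __name__ == "__main__":
    print(f"per-detection alerts: {len(naive_alerts(SAMPLE_EVENTS))}")
    for a in risk_alerts(SAMPLE_EVENTS):
        print(f"RBA alert on {a['risk_object']} at {a['fired_at']}: "
              f"{', '.join(a['reasons'])}; rules={a['rules']}")
```

On the sample, the per-detection model hands the analyst 13 alerts, 8 of them the same noisy rule on one account, while the risk model produces one alert, on alice, carrying all three contributing detections as context. Lowering the score threshold to 80 makes bob's hourly hits cross it as well, which is the tuning trade-off the thesis describes as a long-term effort: thresholds and per-rule scores decide which chains surface and which noise stays buried.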
Collections
  • Master's theses (pro gradu), diploma works and advanced studies theses (restricted visibility) [4879]

Turku University Library | University of Turku
julkaisut@utu.fi | Privacy | Accessibility statement