According to the 2017 SANS SOC Survey, on any given day analysts waste time evaluating 20 incidents generated from false positive alerts. Without separating alerts from incidents, precious analyst resources are spent on alerts that turn out to be false positives, a problem rooted in the misalignment of analyst skills and security processes.
In the same way that emergency rooms use medical triage to evaluate incoming patients, mature security teams use a distinct triage process to assess incoming cybersecurity alerts. This enables them to assess risk and separate serious security issues that require immediate attention from skilled staff from more minor issues and “false alarms” that are less urgent. The triage process is designed to identify false positives and pinpoint true positives before escalation into a formal incident management process.
Unlike other security operations platforms, Syncurity provides separate queues for alert triage and incident response. Our IR Flow security operations platform automatically examines and adds context to incoming security alerts in order to help security analysts assess and understand risk. The result is that alerts are rapidly evaluated using a repeatable and standardized process, and only those cases that warrant it are escalated to the limited staff of highly-trained incident responders.
Syncurity allows organizations to define unique workflows using a combination of security automation and human analysis based on the specific type of alert or incident, in order to optimize the use of highly-skilled analyst resources and create better security outcomes. This approach is far more effective than one that simply automates the process for every alert, regardless of that alert’s potential for infrastructure compromise, credential loss or security breach.
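As an added illustration of the two-queue approach described above (example code, not Syncurity's or IR Flow's own logic), the Python model below enriches each incoming alert with context, applies a workflow chosen by alert type, and lets only escalated alerts enter the incident queue. The asset-criticality table, authorised-scanner list and privileged-user list are constructed assumptions standing in for an asset inventory, identity store or intel feed.

```python
"""Toy alert-triage pipeline: separate alert queue from incident queue."""
from dataclasses import dataclass, field

# Constructed enrichment sources (assumption: a real deployment pulls these
# from an asset inventory, identity store and threat-intel feeds).
ASSET_CRITICALITY = {"10.0.0.5": "high", "10.0.0.77": "low"}
KNOWN_SCANNERS = {"10.0.9.9"}           # authorised vulnerability scanner
PRIVILEGED_USERS = {"svc_backup", "admin"}


@dataclass
class Alert:
    alert_id: str
    kind: str                           # "port_scan", "failed_logins", "malware", ...
    src: str
    dst: str
    user: str = ""
    context: dict = field(default_factory=dict)


def enrich(alert):
    """Attach the context an analyst would otherwise look up by hand."""
    alert.context["asset_criticality"] = ASSET_CRITICALITY.get(alert.dst, "unknown")
    alert.context["known_scanner"] = alert.src in KNOWN_SCANNERS
    alert.context["privileged_user"] = alert.user in PRIVILEGED_USERS
    return alert


def triage(alert):
    """Per-alert-type workflow; returns 'false_positive', 'low_priority' or 'escalate'."""
    c = alert.context
    if alert.kind == "port_scan":
        if c["known_scanner"]:
            return "false_positive"      # our own scanner: close without an incident
        return "escalate" if c["asset_criticality"] == "high" else "low_priority"
    if alert.kind == "failed_logins":
        return "escalate" if c["privileged_user"] else "low_priority"
    if alert.kind == "malware":
        return "escalate"                # always needs an incident responder
    return "low_priority"                # unknown type: human review, not yet an incident


def run_queues(alerts):
    """Only alerts with an 'escalate' verdict cross into the incident queue."""
    queues = {"incidents": [], "low_priority": [], "false_positive": []}
    names = {"escalate": "incidents", "low_priority": "low_priority",
             "false_positive": "false_positive"}
    for alert in alerts:
        queues[names[triage(enrich(alert))]].append(alert.alert_id)
    return queues


SAMPLE_ALERTS = [  # constructed sample input
    Alert("A1", "port_scan", "10.0.9.9", "10.0.0.5"),
    Alert("A2", "port_scan", "203.0.113.4", "10.0.0.5"),
    Alert("A3", "failed_logins", "10.0.0.77", "10.0.0.77", user="jdoe"),
    Alert("A4", "failed_logins", "10.0.0.77", "10.0.0.5", user="admin"),
    Alert("A5", "malware", "10.0.0.77", "10.0.0.77"),
]

if __name__ == "__main__":
    print(run_queues(SAMPLE_ALERTS))
```

Of the five constructed alerts, only three reach the incident queue; the scanner-generated port scan is closed as a false positive without consuming responder time.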