Wednesday, May 7, 2014

Narrative-Driven Model

In a recent piece in SecurityWeek, I explained why the current alert-driven security operations model does not scale to meet today’s or tomorrow’s challenges. While the full piece offers a detailed explanation, I thought it would be useful to summarize some key points in this blog posting.

In the current model, alerts are generated by various technologies and then sent to the work queue. Analysis and forensics are then performed manually to build a more complete picture of what occurred -- the narrative -- around the alert. Alerts contain a snapshot of a moment in time, while narratives tell the story of what unfolded over a period of time -- the attack kill chain.

When attacked, an enterprise needs to move rapidly from detection to containment. In order to make this leap, the enterprise needs to understand what needs to be contained. In order to understand what needs to be contained, the enterprise needs to understand what occurred. In other words, the narrative needs to be built. This can be time-consuming, and thus cannot be done for every alert. Because of this, analysts must make a snap decision when an alert fires, with little contextual information available to help them. As a result, misjudgments are to be expected. The consequence of misjudgments is that sometimes true positives are missed or overlooked, as was the case with some of the intrusions recently publicized in the media.

The security community needs a paradigm shift from an alert-driven security operations model to a narrative-driven security operations model. In other words, analysts need to be presented with complete (or nearly complete) narratives in their work queue, rather than alerts. More context enables better decision making. Better decision making enables better security operations.

Have a look at the SecurityWeek piece and let me know what you think.
