Listen to case study:
A Large Quantity of Threat Alerts Reducing SecOps Efficiency
One of many security tools integrated into ECS’ managed security service platform, Elastic Security (formerly Elastic SIEM) was generating a large quantity of threat alerts, which was impacting the efficiency of cybersecurity operations.
Across a sample of seven ECS customers, Elastic was generating about 287,000 alerts per month ― many of them duplicate alerts, or “noise.” In this sea of alerts, customers were struggling to identify and investigate those that represented real, active threats.
The large quantity of alerts was also threatening to compromise the performance of our security orchestration, automation, and response (SOAR) solution for these same customers. Ingesting so many alerts into our SOAR solution without degrading system performance was a challenge.
“The huge number of alerts made it hard for customers to identify and investigate alerts that represented real, active threat events.”
Lead Cyber Threat Analyst, ECS
Advanced Tuning of Detection Rules
The ECS Cyber Threat Analysis Center assembled a tiger team of six analysts highly experienced with Elastic Security (Elastic SIEM). With oversight from the ECS security operations center’s engineering director, the team identified at least 10 “noisy” threat detection rules for each of the seven customers in the sample.
Basic rule tuning would have had the team simply adding one-off exceptions in response to spikes in alerts. The team needed advanced tuning to reach its goal: to reduce the volume of alerts generated by noisy rules while either maintaining or improving rule integrity and effectiveness.
Analysts used the process shown below to review and tune threat detection rules in Elastic over the course of three weeks. Throughout the process, they communicated with customers to ensure the team was not inadvertently tuning out activity the customers wanted to be alerted to.
The Process: Rule Reviewing and Tuning in Elastic Security
Review the rule logic to understand how the rule works and what it is looking for.
Review the related detection logs and trends that correlate with high alert generation.
Tune the rule in one or more of the following ways:
- Add an exception to the rule.
- Adjust the rule logic or query filters.
- Change the rule logic type (e.g., custom query, threshold, EQL).
SecOps Efficiency Gains and Better Security for Customers
Our three weeks of rule tuning dramatically reduced the number of alerts triggered in Elastic. The same sample of ECS customers for which Elastic had been generating about 287,000 alerts/month had approximately 21,000 alerts/month generated after tuning. In other words, our work yielded a threat alert reduction of 93%.
With this considerably reduced number of threat alerts being triggered in Elastic, our customers were able to identify and focus on alerts that represented actual threats. Their teams were able to operate more efficiently and productively.
As our SOAR solution was able to ingest the smaller, post-tuning quantity of alerts, we were also able to integrate our full SOAR capabilities into the security service we provide for these customers. SOAR metrics are now giving them better visibility of their threat landscape.
With cybersecurity operations running more efficiently and effectively, and with SOAR capabilities now harnessed, we’re delivering a better managed security service to protect our customers’ data, assets, people, and reputations.
Weekly Audits Keep Cyber Threat Detection Rules in Tune
A long-term benefit of our rule-tuning work is that we’ve established new practices for security information and event management (SIEM) analytics, so that we can perpetually maintain high-performing detection rules and manageable alert volumes.
We now audit alert metrics and trends weekly and tune rules as the need arises. We’ve documented our three-step tuning process and established new standards and practices around threat detection rules. Across the team, this has yielded more sharing of knowledge, continuous problem solving, and the continuous improvement of our cybersecurity operations.
“The efficiency gains generated by this project were so great that we’ve been able to shift our focus and devote more resources to more advanced work in SecOps.”
Cyber Threat Analysis Center Director, ECS
This technical case study is based on an ElasticON Global 2023 talk presented by ECS Cyber Threat Analysis Center Director Dave Howard and ECS Lead Cyber Threat Analyst Luke Gigiano in March of 2023.