1. Help Security Analysts by Using a Narrative-Driven Model
To fine-tune the types of alerts you want to receive, it is important to shift from an alert-driven security model to a narrative-driven one. This means feeding work queues with fewer, higher-value alerts that carry enough context to tell the story of what happened, rather than one isolated alert per event.
After all, “each alert in the work queue is a snapshot, a moment in time,” the FireEye report notes. “It’s only a part of the overall story of what occurred. It’s one piece of what could be a very large puzzle.”
To create threat narratives for higher education security analysts, consider these tips from FireEye:
- Collect the smallest amount of data that still has high value. What matters is how relevant each data source is to security operations and incident response, not how much you ingest.
- Identify goals and priorities for detection. It is crucial to have a thorough understanding of which risks, goals and priorities are highest at your educational institution. ("Don't get hacked" is far too broad a goal.) Once you know your goals, you can prioritize the risks to your most important assets, for example COVID-19 research data.
- Craft human-language logic. Describe, in plain sentences, exactly which events are relevant to each selected goal and priority, so that the logic extracts only those events and nothing else.
- Convert the logic into targeted queries. Converting human-language logic into precise queries can help colleges and universities get reliable, high-quality alerts with fewer false positives.
- Repeat and refine this process. As higher education institutions identify new goals and priorities, they should repeat the process and adjust the logic and queries according to feedback from the incident response process.
This way, analysts receive alerts that carry the context they need to make informed decisions, and each alert feels less overwhelming.
2. Avoid Overly Complicated Data by Knowing Your Sources
Not all data sources are created equal.
Universities and colleges must be able to pinpoint which data sources are most relevant and valuable for their priorities.
As you rank these sources, you may also uncover blind spots, such as feeds from multiple data sources that are supposed to reach your security tooling automatically but do not arrive as expected.
3. Weed out Noise by Creating Alerts for High-Priority Threats
After achieving an appropriate level of visibility, it's time to take advantage of it. A next step is to develop detection content that triggers alerts for all activities related to your university's high-priority risks.
Update the default settings in your security solutions so that the out-of-the-box rules do not drown out the more strategic, higher-quality alerts you have created.
“Any activity that doesn’t fall into that realm should be ignored,” the FireEye report notes. “Why trigger alerts on activities you’ve already decided you aren’t concerned about? That would just create additional noise and complexity.”
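As an added illustration of the process described above (the five steps in section 1 and the scoping of alerts to high-priority risks in this section), the following Python example is not from the article or the FireEye report. It writes down one human-language detection goal, turns it into a targeted query, runs it over constructed file-access audit records, and puts it beside a noisy "default" rule that alerts on every file read. The share paths, usernames, group membership, thresholds and sample records are all assumptions made for the example.

```python
# Added example (not from the article or the FireEye report): one human-language
# detection goal turned into a targeted query, run over constructed audit records,
# beside a noisy "default" rule for comparison. Share paths, usernames, group
# membership, thresholds and the records themselves are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-access audit records for a hypothetical campus file share.
SAMPLE_LOGS = [
    {"time": "2021-03-02T09:12:00", "user": "lab_pi",     "action": "read",  "path": "/shares/covid19/assays/run1.csv",    "src_ip": "10.20.1.5"},
    {"time": "2021-03-02T09:15:00", "user": "lab_pi",     "action": "read",  "path": "/shares/covid19/assays/run2.csv",    "src_ip": "10.20.1.5"},
    {"time": "2021-03-02T09:20:00", "user": "staff_a",    "action": "read",  "path": "/shares/public/handbook.pdf",        "src_ip": "10.30.2.9"},
    {"time": "2021-03-02T10:05:00", "user": "staff_b",    "action": "read",  "path": "/shares/hr/payroll.xlsx",            "src_ip": "10.30.2.14"},
    {"time": "2021-03-02T13:01:00", "user": "guest_user", "action": "read",  "path": "/shares/covid19/protocols/plan.docx", "src_ip": "172.16.8.3"},
    {"time": "2021-03-02T13:30:00", "user": "staff_a",    "action": "read",  "path": "/shares/public/calendar.ics",        "src_ip": "10.30.2.9"},
    {"time": "2021-03-02T22:00:00", "user": "lab_tech",   "action": "read",  "path": "/shares/covid19/seq/s1.fastq",       "src_ip": "10.20.1.7"},
    {"time": "2021-03-02T22:02:00", "user": "lab_tech",   "action": "read",  "path": "/shares/covid19/seq/s2.fastq",       "src_ip": "10.20.1.7"},
    {"time": "2021-03-02T22:04:00", "user": "lab_tech",   "action": "read",  "path": "/shares/covid19/seq/s3.fastq",       "src_ip": "198.51.100.20"},
    {"time": "2021-03-02T22:06:00", "user": "lab_tech",   "action": "read",  "path": "/shares/covid19/seq/s4.fastq",       "src_ip": "198.51.100.20"},
    {"time": "2021-03-02T22:10:00", "user": "lab_tech",   "action": "write", "path": "/shares/covid19/seq/notes.txt",      "src_ip": "198.51.100.20"},
]

# Step 2, goal (assumed for the example): protect COVID-19 research data.
HIGH_PRIORITY_PREFIXES = ("/shares/covid19/",)
# Step 3, human-language logic: "Alert when an account outside the research group
# reads COVID-19 research data, or when any account reads an unusual number of
# those files within a short window." The parameters below make that sentence precise.
RESEARCH_GROUP = {"lab_pi", "lab_tech"}   # assumed membership
VOLUME_THRESHOLD = 3                      # reads of high-priority files ...
WINDOW = timedelta(minutes=10)            # ... within this window


def is_high_priority(path):
    """True when the path belongs to an asset tied to a stated goal."""
    return path.startswith(HIGH_PRIORITY_PREFIXES)


def default_rule(records):
    """Noisy baseline: one alert per read anywhere, with no context beyond the event."""
    return [{"user": r["user"], "path": r["path"]} for r in records if r["action"] == "read"]


def _reads_in_window(events):
    """Number of reads in the first WINDOW-long span that reaches VOLUME_THRESHOLD, else 0.
    Events must be in time order, so the reads inside a window form a contiguous run."""
    times = [datetime.fromisoformat(e["time"]) for e in events]
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= WINDOW)
        if count >= VOLUME_THRESHOLD:
            return count
    return 0


def narrative_rule(records):
    """Step 4, the targeted query: only high-priority paths, only the two stated
    conditions, and all of a user's related reads rolled into one alert that
    carries the story (when, what, from where) instead of one snapshot per event."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["action"] == "read" and is_high_priority(r["path"]):
            by_user[r["user"]].append(r)

    alerts = []
    for user, events in by_user.items():
        reasons = []
        if user not in RESEARCH_GROUP:
            reasons.append("outside research group")
        n = _reads_in_window(events)
        if n:
            reasons.append(f"{n} files in {WINDOW.seconds // 60} minutes")
        if reasons:
            alerts.append({
                "user": user,
                "reasons": reasons,
                "first_seen": events[0]["time"],
                "last_seen": events[-1]["time"],
                "files": [e["path"] for e in events],
                "source_ips": sorted({e["src_ip"] for e in events}),
            })
    return alerts


def compare(records):
    """How many alerts each approach would put in the analysts' work queue."""
    return {"default": len(default_rule(records)), "narrative": len(narrative_rule(records))}


if __name__ == "__main__":
    print(compare(SAMPLE_LOGS))
    for alert in narrative_rule(SAMPLE_LOGS):
        print(alert)
```

On these constructed records the default rule produces ten alerts, one per read, including routine access to the public and HR shares that the stated goal never mentioned. The narrative rule produces two: one for the account outside the research group touching the COVID-19 share, and one for a group member reading four files in ten minutes, with the second alert also showing that the reads came from two different source addresses. Everything outside the goal is ignored rather than surfaced as noise, and refining the rule (step 5) is a matter of changing the plain-language sentence and the handful of parameters beneath it.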