Devising a delegated alerts model for SecOps

SecOps teams are at the forefront of the action; they are the first ones detecting a breach and often the last ones to leave the office when all is said and done, and the breach is successfully contained.
However, that commitment and diligence can come at a price. SecOps teams are among the most burnout-prone teams in the entire realm of cybersecurity. We are forced to make a choice between verbose alerts that can overwhelm us but keep the company safe and more concise alerts that could lead to a breach due to a lack of proper visibility.
Adding to this predicament is the fact that many SecOps teams are understaffed, creating a recipe for burnout and potential breaches.
Yet, it’s during times of stress that the best ideas are forged, and the SecOps team at TrueLayer is constantly improving existing processes to strike a balance between our satisfaction/happiness and the company's security.
With that in mind, I want to introduce you to our delegated alerts model used by the SecOps team at TrueLayer to speed up responses to alerts, while minimising mental overload and the dreaded burnout.
Let's start with a classic scenario we’ve seen many times in our team.
An example of SecOps without a delegated alerts model
Meet Bob. Bob is a new hire who inadvertently skipped his security induction provided to all new employees. During the daily review of alerts, one of the analysts identifies a policy violation from Bob on our Security Information and Event Management (SIEM) system. The process for handling such events follows a standard procedure:
Look through the logs to detect any other unusual activity, as it could be an indication of a compromise.
If the alert is considered non-malicious or the analyst is unclear, they must reach out to Bob for clarification on the activity.
A standard set of questions is asked. Once the analyst is satisfied with the response, they add the necessary comments to the SIEM case and close the alert.
While this process may seem straightforward, it presents a few challenges:
What if Bob is on holiday after the fact? If that’s the case, the analyst must actively keep track of the activity.
The analyst follows the SecOps playbook to get more context. It’s important, but it can feel repetitive.
If the user is not responding immediately or is responding intermittently (a reality of remote work), the analyst must now keep track of an asynchronous conversation, while managing a busy workload.
Managing multiple tickets, tasks and conversations is demanding, contributing to the day-to-day stress of SecOps.
Types of alerts SecOps need to be on the lookout for
It sounds cliché, but security is everyone’s responsibility. At TrueLayer, we emphasise this through continual knowledge sharing and involving team members outside of SecOps in various critical processes. The Security team's role is not to block people but rather to empower them to act and behave in a manner that aligns with their interests and the company’s objectives.
And it’s important to note that certain alerts are not initiated by attackers but rather by employees who may have unintentionally failed to comply with internal rules. These individuals often prove to be the best resources to handle and provide context on the activity.
SecOps analysts tend to encounter one of three types of alerts:
Policy violations (eg a user running unauthorised software on their work device)
Potentially malicious activity (eg a login on AWS using root credentials)
Malicious activity (eg malware detected on endpoints by the Endpoint Detection and Response tool)
Some of these alerts require the SecOps team to reach out to the end-user to get more context. Of all the alert types, policy violations are the simplest to obtain a justification for, as the rules are quite simple and there is little space for ambiguity from the end-user’s perspective. This type is currently being 'delegated' to the end-user through automation, avoiding the need for manual outreach to the user.
The second type is slightly more complex, and we are still in the process of delegating it. The last type requires the eye of an analyst and therefore cannot be delegated.
Requirements for a delegable alert
Based on our experience, we believe that an alert can only be delegated if it meets the following criteria:
The rule behind the alert is simple: the alert was triggered based on a user’s action against a resource. As the number of actions and resources increases, the activity becomes increasingly complex to explain to the user in an automated way.
The alert can be directly pinpointed to the user: the alert is for an action performed by a user directly, rather than as an indirect consequence of one of their actions.
Obtaining context does not require analyst intervention: it should be possible to extract most, if not all, of context from the alert and/or one or more services (eg API, database) without the intervention of an analyst.
The alert can be explained to any reasonably tech-savvy user: the user should be able to understand their actions without an understanding of cybersecurity.
If an alert meets all of the above requirements, it is simple to implement a workflow where the user is notified and has enough context to explain their actions.
The following table shows two examples of alerts and how they meet the requirements for a delegable alert:
The alert... | ...is simple | ...can be pinpointed to the user | ...does not require analyst intervention | ...can be explained to a tech-savvy user | ...can be delegated |
---|---|---|---|---|---|
User accessed the company's IdP from an unauthorised device | ✅ | ✅ | ✅ | ✅ | ✅ |
An OSX login item was created (potential malware persistence) | ❌ | ❌ |