Risk-Based Alerting Helps SOCs Focus on What Really Matters
Splunk's Jesse Trucks on Latest Tools for Reducing False Positives, Ticket Fatigue
Detection tools can potentially overwhelm security operation center analysts with alerts, many of which are false positives, leading to ticket fatigue and missed attacks. Jesse Trucks, minister of magic at Splunk, says the latest risk-based alerting technology is helping SOCs focus on the threats that really matter.
Most threat detection systems can potentially create hundreds of alerts per day, but analysts can only review a maximum of 25 tickets a day, says Trucks. Risk-based alerting helps workers make the most impact. "By creating risk rules, you can now expand the number of detections you have to very large volume but only still have a smaller volume of tickets than you used to have because it groups them together with the intelligence on and under the hood."
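As an added illustration of the grouping Trucks describes (example code written for this page, not Splunk's implementation or anything from the interview), the sketch below lets many low-value detections add risk to the entity they concern and raises a ticket only when an entity's aggregate risk, or its number of distinct behaviours, crosses a threshold. The detection events, rule names, scores, window and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detections (not from the interview): timestamp, entity,
# rule that fired, risk score the rule contributes. None of these becomes a
# ticket on its own; each only adds risk to the entity it concerns.
DETECTIONS = [
    ("2024-01-01T09:00:00", "host-17", "new_scheduled_task", 20),
    ("2024-01-01T09:05:00", "host-17", "lolbin_certutil_download", 30),
    ("2024-01-01T09:07:00", "host-17", "outbound_to_rare_domain", 25),
    ("2024-01-01T09:30:00", "host-17", "new_local_admin", 40),
    ("2024-01-01T10:00:00", "host-42", "new_scheduled_task", 20),  # isolated, low signal
    ("2024-01-01T14:00:00", "host-42", "new_scheduled_task", 20),  # same rule again
    ("2024-01-01T11:00:00", "host-88", "outbound_to_rare_domain", 25),
]

WINDOW = timedelta(hours=24)   # assumed look-back for aggregating risk
RISK_THRESHOLD = 100           # assumed total risk needed before a ticket is raised
MIN_DISTINCT_RULES = 3         # or: this many different rules on one entity


def aggregate_risk(detections, window=WINDOW):
    """Group detections by entity and return a per-entity risk summary.

    Risk is summed only over detections within `window` of that entity's
    latest event, so stale noise ages out instead of accumulating forever.
    """
    by_entity = defaultdict(list)
    for ts, entity, rule, score in detections:
        by_entity[entity].append((datetime.fromisoformat(ts), rule, score))
    summary = {}
    for entity, events in by_entity.items():
        events.sort()
        latest = events[-1][0]
        recent = [e for e in events if latest - e[0] <= window]
        summary[entity] = {
            "risk": sum(score for _, _, score in recent),
            "rules": sorted({rule for _, rule, _ in recent}),
            "detections": len(recent),
        }
    return summary


def tickets(detections, threshold=RISK_THRESHOLD, min_rules=MIN_DISTINCT_RULES):
    """Return one ticket per entity that crosses the risk threshold or shows
    enough distinct behaviours; other entities' detections stay as context."""
    out = []
    for entity, s in aggregate_risk(detections).items():
        if s["risk"] >= threshold or len(s["rules"]) >= min_rules:
            out.append({"entity": entity, **s})
    return out
```

With the constructed input, seven detections collapse into a single ticket for host-17, which carries the four contributing rules as context for the analyst.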
In this video interview with Information Security Media Group, Trucks discusses:
- The common challenges with alerts that security operations teams and analysts face;
- How risk-based alerting works to reduce false positives and create more high-fidelity tickets;
- Specialized tools, services and training to help organizations quickly implement risk-based alerts and see results.
Trucks, who has worked for six years at Splunk, has over 20 years of experience in IT and security operations. In that time, he has worked for the U.S. Department of Energy Oak Ridge National Laboratory and D. E. Shaw Research, supporting HPC clusters and supercomputers. He also worked at multiple telecoms and managed service providers and has extensive experience in designing and implementing risk mitigation and security programs, compliance auditing processes and systems, and defensive security operations. He has developed multiple bespoke monitoring and automation systems and has implemented a multitude of commercial monitoring, SIEM and automation systems.