5 min read

The Riddler is one of Batman’s enduring enemies who takes delight in incorporating riddles and puzzles into his criminal plots—often leaving them as clues for the authorities and Batman to solve.

Question: When is a door, not a door?
Answer: When it’s ajar.

So riddle me this, Batman: When is an alert not an alert?

Users of the EventTracker platform know that one of its primary functions is to apply built-in knowledge to reduce the flood of all security/log data to a much smaller stream of prioritized alerts. However, in most cases, without applying local context, this is still too noisy. Netsurion provides a risk score that is computed based on the asset value and the Common Vunlerability Scoring System rank of the source.

This allows us to separate “alerts” into different priority levels. The broad categories are:

  • Actionable Alerts: these require that you pay immediate attention because it’s likely to affect the network or critical data. An analogy is that you have had a successful break-in and the intruder is inside the premises.
  • Awareness Alerts: there may not be anything to do, but administrators should become aware and perhaps plan to shore up defenses. The analogy is that criminals have been lurking on your street and making observations about when you enter/exit the premises and when its unoccupied.
  • Compliance Alerts: these may affect your compliance posture and so necessitate either awareness or action on your part.

And so, there are alerts and then there are actionable and prioritized alerts. Over-reacting to awareness or compliance alerts will drain your energy and eventually sap your enthusiasm, not to mention cost you in real terms. Under-reacting to actionable alerts will also hurt you by inaction that could reduce attacker dwell time and minimize the damage of ransomware or a data breach.

Can your detection and response tool differentiate between actionable and awareness alerts?
Netsurion’s Managed Threat Protection solution can. Find out more.