RISK-BASED ALERTING IN SIEM ENTERPRISE SECURITY: ENHANCING ATTACK SCENARIO MONITORING THROUGH ADAPTIVE RISK SCORING

Authors

  • Karthik Chandrashekar, Senior Software Engineer, Intuit Inc, United States
  • Vinay Dutt Jangampet, Staff Software Engineer, Intuit Inc, United States

Keywords:

SIEM, Risk-Based Alerting (RBA), Risk Analysis Framework, Alert Prioritization, High/low-fidelity Alerts, Adaptive Risk Scoring, MITRE ATT&CK, Operational Efficiency, Threat Detection

Abstract

Traditional sequenced search-based alerting mechanisms in SIEM Enterprise Security are effective for detecting predefined attack scenarios but exhibit significant limitations in handling the complexity and variability of modern threats. These mechanisms rely on rigid sequences of conditions to trigger alerts, which often results in missed detections when attackers use alternative techniques to achieve their objectives. This creates critical gaps in security monitoring and leaves enterprise environments vulnerable to sophisticated attack strategies.

To address these challenges, this paper introduces a Risk-Based Alerting (RBA) framework that leverages the advanced capabilities of SIEM’s Risk Analysis Framework. Unlike sequenced search-based systems, the RBA framework dynamically evaluates and scores events based on multiple factors, including the fidelity of the security event, the risk profile of the asset involved, and the criticality of the associated attack scenario. This approach ensures comprehensive coverage by capturing both high-fidelity and low-fidelity alerts. However, only high-priority alerts that exceed a predefined risk threshold are classified as "notable," significantly reducing the noise generated by low-impact alerts.

The RBA framework employs adaptive risk scoring mechanisms that account for evolving attack patterns and operational contexts. By incorporating non-overlapping scheduling, throttling mechanisms, and real-time dashboard enhancements, the framework streamlines alert prioritization and improves the overall efficiency of security operations. Furthermore, the integration of industry-standard frameworks, such as MITRE ATT&CK, ensures a robust and comprehensive mapping of attack techniques, enabling precise detection and actionable insights.
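The scoring, thresholding and throttling the abstract describes, as an added illustrative Python example that is not from the paper or from any SIEM vendor's implementation: the weight tables, the threshold, the aggregation window, the throttle period and the sample events are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weight tables (illustrative values, not from the paper).
ASSET_RISK = {"crown-jewel": 3.0, "server": 2.0, "workstation": 1.0}
# Scenario criticality keyed by MITRE ATT&CK technique ID.
SCENARIO_CRITICALITY = {"T1078": 2.0, "T1059.001": 1.5, "T1046": 1.0}

def score_event(event):
    """Event risk = detection fidelity (0-1) x asset risk x scenario criticality."""
    return round(event["fidelity"] * ASSET_RISK[event["asset_class"]]
                 * SCENARIO_CRITICALITY[event["technique"]], 2)

def build_notables(events, threshold=10.0, window=timedelta(hours=24),
                   throttle=timedelta(hours=6)):
    """Sum event scores per risk object inside a sliding window; raise a notable
    when the total reaches the threshold; throttle repeat notables."""
    history = defaultdict(list)  # risk_object -> [(ts, score, technique)]
    last_notable, notables = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = e["risk_object"]
        history[key].append((e["ts"], score_event(e), e["technique"]))
        history[key] = [h for h in history[key] if e["ts"] - h[0] <= window]
        total = round(sum(h[1] for h in history[key]), 2)
        if total < threshold:
            continue  # low-fidelity contributions are kept, but no notable yet
        if key in last_notable and e["ts"] - last_notable[key] < throttle:
            continue  # throttled: this risk object alerted too recently
        last_notable[key] = e["ts"]
        notables.append({"risk_object": key, "risk_score": total,
                         "techniques": sorted({h[2] for h in history[key]})})
    return notables

# Constructed sample events (not real telemetry).
T0 = datetime(2020, 4, 30, 8, 0)
def ev(hours, risk_object, asset_class, technique, fidelity):
    return {"ts": T0 + timedelta(hours=hours), "risk_object": risk_object,
            "asset_class": asset_class, "technique": technique, "fidelity": fidelity}

SAMPLE_EVENTS = [
    ev(0, "ws-17", "workstation", "T1046", 0.4),      # noisy scan, score 0.4
    ev(1, "db-01", "crown-jewel", "T1078", 0.9),      # valid-account use, 5.4
    ev(2, "db-01", "crown-jewel", "T1059.001", 0.8),  # PowerShell, 3.6 -> 9.0
    ev(3, "db-01", "crown-jewel", "T1046", 0.7),      # scan, 2.1 -> 11.1 notable
    ev(4, "db-01", "crown-jewel", "T1046", 0.7),      # repeat, throttled
    ev(10, "db-01", "crown-jewel", "T1078", 0.9),     # 18.6, second notable
]

if __name__ == "__main__":
    for n in build_notables(SAMPLE_EVENTS):
        print(n)
```

The low-fidelity workstation scan never becomes a notable on its own, while the same low-fidelity technique on the crown-jewel asset pushes an accumulating score over the threshold, which is the noise-reduction effect the abstract claims.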

Published

2020-04-30

How to Cite

Karthik Chandrashekar, & Vinay Dutt Jangampet. (2020). RISK-BASED ALERTING IN SIEM ENTERPRISE SECURITY: ENHANCING ATTACK SCENARIO MONITORING THROUGH ADAPTIVE RISK SCORING. INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING AND TECHNOLOGY (IJCET), 11(2), 75-85. https://lib-index.com/index.php/IJCET/article/view/IJCET_11_02_009