In our first blog in the Splunk RBA series, we introduced Risk-Based Alerting (RBA) and covered the basic principles of RBA. In the rest of this series, we explain how you can plan and then implement RBA within your organization.
Are your security teams drowning in data and overwhelmed with alerts? Are you thinking that there must be a better way, some esoteric or forbidden knowledge, to produce higher-fidelity alerts and keep your team from burning out?
The good news is, YES! There is a better way and it's Splunk's Risk-Based Alerting (RBA). In the usual RBA implementation we see anywhere from a 50% to 90% reduction in alerting volume, while the remaining alerts are higher fidelity, provide more context for analysis, and are more indicative of actual security issues.
The shift to RBA provides teams with a unique opportunity to pivot cybersecurity resources while building out a flexible foundation for maturing your security operations across multiple departments. As alert fidelity and true positive rates increase, analysts are freed up to work on higher impact tasks, such as threat hunting, adversary simulation, or building up their skill sets and preparation to better face constantly evolving threats.
Three Ways To Use RBA
I generally talk about RBA in terms of security data relating to malicious compromise, but let’s look at three different use cases that showcase the value of RBA in other contexts. In each of these use cases, the security domain encompasses fewer sources, meaning you can build a fully operational detection and response framework in less time and see the power of RBA that much faster.
There are so many unique problems that machine learning can complement or even solve single-handedly, but the challenge is that setting it up in the first place can be painful. How do you get useful information from the pile of security logs and other data that your organization collects minute by minute? In short, by alchemizing the artistry of domain-specific knowledge with the science of making computer programs do interesting stuff with data. And that is where RBA can assist by generating datasets that emphasize context rather than noise.
Compared to the massive MITRE ATT&CK framework and the menagerie of methods attackers can use to compromise machines, the amount of data sources and use cases needed to build out a valuable insider risk detection program with RBA is significantly reduced. Insider risk has a thematically similar amount of noisy alerts and data to sort through as in the cybersecurity context, but this use case enables you to build out a successful RBA program in half the time.
Lastly, the Splunk App for Fraud Analytics leverages the RBA framework to alert on and investigate fraud. It helps address two pernicious fraud-related problems:
- Account Takeover (ATO) fraud
- Fraudulent activity seen from newly-registered accounts.
Researching events in its investigation dashboard can help you understand alerts and risk generation rules you can build as incidents and patterns are confirmed. After downloading this app, consult the User Guide to begin configuration for your environment. Implementing this app alongside an existing Splunk ES deployment takes some work, but it will save your team a ton of work after it is operational.
RBA Is Worth the Work
Don’t be scared of how complicated RBA might seem when you first hear about it! RBA is actually pretty exciting to use, especially once you start seeing your alert quality improve and alert quantity decline. Think of RBA as taking a lot of isolated security events and putting them together to tell better security stories, each one with the context you need to make better, faster decisions. To put it another way, RBA is the magnet that pulls the big, scary security needles out of the alerting haystack.
"RBA has changed how we fundamentally operate, raising visibility into the cumulative risk related to behaviors and allowing us to focus on the most impactful events." - Brandon Cass, Cyber Defense Operations Manager, Texas Instruments
How long does an RBA journey take? That’s a good question! There’s no one answer because every organization is different: unique infrastructure, variable resources, and ever-changing security issues. Some teams will want to do everything on their own; others may choose to engage Splunk Professional Services for guidance or to work alongside their internal security team.
Want To Know More?
The Essential Guide to Risk-Based Alerting is my new e-book designed to help you get started with RBA, from first steps to moving into production and beyond. I purposely designed it to be easy to follow, based on dozens of customer implementations and collected wisdom from wonderful folks throughout the RBA Community. Follow along with the guide, join us in the community Slack, and let us know how things are going!
For a one-two punch with art of the possible and the steps you'll take to get there, join me and Ted Skinner for our RBA webinars delivered live on April 18th and April 26th or catch the recording anytime!