Planning for Success with Risk-Based Alerting

In our last RBA blog post, we talked about some of the problems RBA can help solve. In this post, we explain the methodology we use with Splunk customers as their security teams start working with RBA.

In working with our customers, the Splunk Superstar RBA Braintrust has developed a powerful methodology to kickstart your RBA implementation. From first moves to production, these four levels take you step-by-step through the process of successfully getting RBA up and running.

Level 1 is all about getting familiar with how RBA works in your environment. You start with the defaults that ship in Splunk ES, then monitor what they produce and tune those rules toward higher-fidelity alerts.

Level 2 is the classic development phase of any software-based project. You’ll take what you learned in Level 1 to monitor and modify your existing rules to produce higher-fidelity Risk Notables.

Level 3 prepares your RBA implementation for production by setting up useful dashboards and modifying your existing case management processes to be more effective with RBA. In short, this level is all about getting RBA polished for real-world use.

Level 4 is the top of the mountain: time to Go-Live. Your team puts RBA into production and carefully monitors activity and results, fine-tuning rules and processes as needed.
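To make the Level 1 defaults concrete, here is an added Python simulation (not Splunk's code and not from the original post) of how the risk events written by risk rules are rolled up by the two out-of-the-box risk incident rules into Risk Notables. The risk events, object names, rule names and scores are constructed for the example; the thresholds (summed score above 100 over 24 hours; three or more distinct ATT&CK tactics from four or more distinct sources over 7 days) are my reading of the default Splunk ES rules and are assumptions you should check against the version you run.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events in the shape Level-1 risk rules write to the risk
# index (names, scores and times are made up for this example).
RISK_EVENTS = [
    # (time, risk_object, risk_object_type, source rule, risk_score, mitre_tactic_id)
    ("2024-03-01T08:00:00", "alice",   "user",   "Excessive Failed Logins",        20, "TA0006"),
    ("2024-03-01T08:05:00", "alice",   "user",   "First Time Seen Remote Process", 40, "TA0002"),
    ("2024-03-01T09:30:00", "alice",   "user",   "Scheduled Task Created",         30, "TA0003"),
    ("2024-03-01T10:00:00", "alice",   "user",   "Large Outbound Transfer",        25, "TA0010"),
    ("2024-03-01T08:10:00", "bob",     "user",   "Excessive Failed Logins",        20, "TA0006"),
    ("2024-03-01T12:00:00", "bob",     "user",   "Excessive Failed Logins",        20, "TA0006"),
    ("2024-03-01T09:00:00", "wks-042", "system", "Suspicious PowerShell Encoding", 60, "TA0002"),
    ("2024-03-02T11:00:00", "wks-042", "system", "Suspicious PowerShell Encoding", 60, "TA0002"),
]

# Assumed defaults of the two out-of-the-box risk incident rules
# (window, predicate over the per-object aggregate). Verify against your ES version.
RISK_INCIDENT_RULES = {
    "Risk Threshold Exceeded For Object Over 24 Hour Period":
        (timedelta(hours=24), lambda s: s["risk_score"] > 100),
    "ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days":
        (timedelta(days=7), lambda s: s["tactic_count"] >= 3 and s["source_count"] >= 4),
}


def summarize(window_events):
    """Aggregate one object's events inside a window: summed score,
    distinct contributing rules (sources), distinct ATT&CK tactics."""
    return {
        "risk_score": sum(e["risk_score"] for e in window_events),
        "source_count": len({e["source"] for e in window_events}),
        "tactic_count": len({e["mitre_tactic_id"] for e in window_events}),
    }


def risk_notables(raw_events, rules=RISK_INCIDENT_RULES):
    """Return the Risk Notables the rules would produce: at most one per
    (rule, risk object), created the first time the object crosses the
    threshold within a sliding window ending at one of its own events."""
    by_object = defaultdict(list)
    for t, obj, typ, src, score, tactic in raw_events:
        by_object[(obj, typ)].append({
            "time": datetime.fromisoformat(t), "source": src,
            "risk_score": score, "mitre_tactic_id": tactic,
        })

    notables = []
    for (obj, typ), events in by_object.items():
        events.sort(key=lambda e: e["time"])
        for rule_name, (window, trips) in rules.items():
            for e in events:
                in_window = [x for x in events if e["time"] - window < x["time"] <= e["time"]]
                stats = summarize(in_window)
                if trips(stats):
                    notables.append({"rule": rule_name, "risk_object": obj,
                                     "risk_object_type": typ, **stats})
                    break  # one notable per rule and object
    return notables


def alert_reduction(raw_events):
    """Compare paging on every detection hit with paging on Risk Notables."""
    per_detection = len(raw_events)  # each risk rule hit would have been its own alert
    notables = risk_notables(raw_events)
    return {
        "per_detection_alerts": per_detection,
        "risk_notables": len(notables),
        "objects_surfaced": sorted({n["risk_object"] for n in notables}),
        "reduction_pct": round(100 * (1 - len(notables) / per_detection)),
    }


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS):
        print(n)
    print(alert_reduction(RISK_EVENTS))
```

On this constructed data only alice crosses a threshold: eight individual detection alerts collapse to two notables, both pointing at the same user, and the two 60-point events on wks-042 never trip the 24-hour rule because they fall 26 hours apart. That is the behaviour to watch in Level 1: which objects surface, which never do, and whether the scores your default rules assign make either outcome wrong.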

Lest you think this sounds either too easy or too complicated, let me reassure you that it's not. I'll be diving into a more detailed explanation of the RBA journey in my next blog post. For now, though, let's look at some success factors for starting an RBA implementation.

Treating RBA as a Project

As with any new process, RBA needs to be designed and implemented as a project within your organization. At a minimum, the RBA project should include buy-in from stakeholders, a set of clear goals and a detailed plan to implement RBA.

As an engineer, I often just want to build the thing and assume everyone will see the value immediately, but I highly recommend you develop buy-in at multiple levels before you begin your RBA implementation. It may take some effort to convince leadership that the time invested into building RBA enables them to meet or surpass many of their cherished security or resilience goals, but having them on-board will make all the difference.

My initial blog post covers this from a few different angles for various personas. In addition, here are two presentations from Splunk customers explaining the value that RBA has added to their organizations:

When you discuss RBA within your organization, there are some key points to remember.

Goals and Plans

You can use RBA to improve different aspects of your SOC operations and security posture. We recommend that you select one or two goals and focus on those, along with devising metrics or other means to measure success. Here are two I particularly like to use:

After you kick off the project plan, make sure you track progress, give regular status updates to stakeholders, and work through any roadblocks you may hit. While RBA can seem complicated at first, using the methodology in this guide will help you develop and execute a solid implementation plan.

Setting Expectations

Implementing a solid RBA strategy isn't a flick-the-switch solution, but it is foundational to improving your security maturity. While you can probably figure out how to do some kind of risk-based alerting with any security product out there, my goal is to share the proven RBA methodology that the Splunk team has developed while working with our customers to get you started on your own RBA journey.

Committing to RBA means investing in your people so they can transform your approach to cybersecurity. A successful implementation changes how your security team operates: analysts spend their time on what matters most and can build further projects on top of RBA, while workloads, stress, and burnout go down. Typically, RBA users see anywhere from a 50% to 90% reduction in alerts, with the remaining alerts being higher fidelity. That's definitely worth the work to implement RBA in your organization!

How long will this RBA journey take? That’s a good question! There’s no one answer because every organization is different: different infrastructure, different resources, and different security issues. Some teams will want to do everything on their own; others may choose to engage Splunk Professional Services or a Splunk Partner for guidance or to work alongside their internal security team.

Want to Know More?

Trust me, your RBA journey will be worth the work. The Essential Guide to Risk-Based Alerting is my new e-book designed to help you get started with RBA, from first steps to moving into production and beyond. I purposely designed it to be easy to follow, based on dozens of customer implementations and collected wisdom.

For both the art of the possible and the concrete steps you'll take to get there, watch Ted Skinner's and my RBA webinars.
