WEBVTT

1
00:00:00.120 --> 00:00:01.410
<v Instructor>In this lesson,</v>

2
00:00:01.410 --> 00:00:05.490
we will learn about alert prioritization factors.

3
00:00:05.490 --> 00:00:09.707
Alert prioritization factors enable determining the urgency

4
00:00:09.707 --> 00:00:13.680
of security alerts based on criteria

5
00:00:13.680 --> 00:00:17.730
to ensure the most critical threats are addressed first.

6
00:00:17.730 --> 00:00:22.730
Alert prioritization concepts include alert criticality,

7
00:00:23.010 --> 00:00:27.540
alert impact, asset type, residual risk,

8
00:00:27.540 --> 00:00:29.760
and data classification.

9
00:00:29.760 --> 00:00:31.359
Alert criticality refers

10
00:00:31.359 --> 00:00:33.877
to how essential the affected system

11
00:00:33.877 --> 00:00:37.860
or process is to the organization.

12
00:00:37.860 --> 00:00:41.640
Alert impact assesses the potential damage a threat

13
00:00:41.640 --> 00:00:44.700
could cause if not mitigated.

14
00:00:44.700 --> 00:00:47.929
Asset type considers whether the compromised asset

15
00:00:47.929 --> 00:00:49.950
is of high value,

16
00:00:49.950 --> 00:00:53.880
such as a production server or critical database.

17
00:00:53.880 --> 00:00:56.850
Residual risk is the remaining risk

18
00:00:56.850 --> 00:01:00.450
after mitigating controls have been applied,

19
00:01:00.450 --> 00:01:03.302
and finally, the data classification refers

20
00:01:03.302 --> 00:01:06.840
to the sensitivity of the data involved,

21
00:01:06.840 --> 00:01:09.720
with higher priority alerts being raised

22
00:01:09.720 --> 00:01:12.000
for systems handling confidential

23
00:01:12.000 --> 00:01:14.700
or highly classified information.

24
00:01:14.700 --> 00:01:19.260
Let's learn more about alert criticality, alert impact,

25
00:01:19.260 --> 00:01:24.150
asset type, residual risk, and data classification.

26
00:01:24.150 --> 00:01:27.630
First, we have alert criticality.

27
00:01:27.630 --> 00:01:31.920
Alert criticality refers to the severity level of an alert

28
00:01:31.920 --> 00:01:34.958
based on how urgent and impactful the threat is

29
00:01:34.958 --> 00:01:37.260
to an organization.

30
00:01:37.260 --> 00:01:41.160
Alerts are often categorized into varying levels,

31
00:01:41.160 --> 00:01:46.160
such as warning, low, medium, high, and critical,

32
00:01:47.250 --> 00:01:48.900
allowing security teams

33
00:01:48.900 --> 00:01:51.930
to prioritize their response accordingly.

34
00:01:51.930 --> 00:01:55.470
A low-level alert might signal minor issues,

35
00:01:55.470 --> 00:01:58.110
such as failed login attempts,

36
00:01:58.110 --> 00:02:01.837
while a critical alert could indicate a serious breach

37
00:02:01.837 --> 00:02:06.180
or major disruption, such as a ransomware attack

38
00:02:06.180 --> 00:02:08.760
encrypting a critical database.

39
00:02:08.760 --> 00:02:12.180
By assigning the correct criticality to alerts,

40
00:02:12.180 --> 00:02:16.110
security teams can focus on the most severe threats

41
00:02:16.110 --> 00:02:18.300
that require immediate action

42
00:02:18.300 --> 00:02:22.140
to prevent business interruptions or data loss.

43
00:02:22.140 --> 00:02:26.340
To assist, security information and event management,

44
00:02:26.340 --> 00:02:29.670
or SIEM tools, like Splunk or QRadar,

45
00:02:29.670 --> 00:02:33.750
can be configured to rank alerts based on criticality

46
00:02:33.750 --> 00:02:37.050
using predefined rules and thresholds.

47
00:02:37.050 --> 00:02:39.780
This ensures that high-severity issues

48
00:02:39.780 --> 00:02:41.670
are dealt with promptly,

49
00:02:41.670 --> 00:02:44.982
while lower-severity alerts are monitored or resolved

50
00:02:44.982 --> 00:02:49.590
as resources allow, optimizing the response process

51
00:02:49.590 --> 00:02:53.400
and minimizing the risk to essential operations.

52
00:02:53.400 --> 00:02:56.640
Second, we have alert impact.

53
00:02:56.640 --> 00:03:00.328
Alert impact assesses the potential damage a threat

54
00:03:00.328 --> 00:03:04.290
could cause if it's not addressed quickly.

55
00:03:04.290 --> 00:03:06.360
In an enterprise environment,

56
00:03:06.360 --> 00:03:10.110
different threats have varying levels of impact,

57
00:03:10.110 --> 00:03:12.235
ranging from minor inconveniences

58
00:03:12.235 --> 00:03:16.860
to severe data breaches or system outages.

59
00:03:16.860 --> 00:03:19.102
Alerts with a high impact indicate

60
00:03:19.102 --> 00:03:24.102
that a successful attack could compromise critical data,

61
00:03:24.270 --> 00:03:29.270
disrupt services, or result in significant financial loss.

62
00:03:29.400 --> 00:03:33.420
Therefore, determining the impact of each alert is key

63
00:03:33.420 --> 00:03:36.960
to ensuring that security teams address threats

64
00:03:36.960 --> 00:03:40.170
that could cause the most damage first,

65
00:03:40.170 --> 00:03:43.680
allowing them to mitigate the most severe risks

66
00:03:43.680 --> 00:03:45.570
before they escalate.

67
00:03:45.570 --> 00:03:47.622
For example, an alert involving

68
00:03:47.622 --> 00:03:52.350
an attempted data exfiltration from a customer database

69
00:03:52.350 --> 00:03:54.390
has a much higher impact

70
00:03:54.390 --> 00:03:56.642
than one involving a misconfiguration

71
00:03:56.642 --> 00:03:59.250
in a noncritical system.

72
00:03:59.250 --> 00:04:01.426
Tools like intrusion detection systems

73
00:04:01.426 --> 00:04:04.380
and data loss prevention solutions

74
00:04:04.380 --> 00:04:06.720
can assess the potential damage

75
00:04:06.720 --> 00:04:08.881
by monitoring the scope of the attack

76
00:04:08.881 --> 00:04:11.820
and its potential consequences.

77
00:04:11.820 --> 00:04:13.470
By using these tools,

78
00:04:13.470 --> 00:04:17.190
organizations can rank alerts based on impact,

79
00:04:17.190 --> 00:04:21.720
helping prioritize responses to the most serious threats

80
00:04:21.720 --> 00:04:26.250
that could harm the organization's data or operations first.

81
00:04:26.250 --> 00:04:29.130
Third, we have asset type.

82
00:04:29.130 --> 00:04:33.450
Asset type refers to the nature and value of the system,

83
00:04:33.450 --> 00:04:37.500
data, or process being affected by an alert.

84
00:04:37.500 --> 00:04:41.940
In an enterprise, not all assets are of equal importance.

85
00:04:41.940 --> 00:04:44.517
Some systems, such as production servers

86
00:04:44.517 --> 00:04:48.870
or databases containing sensitive customer information,

87
00:04:48.870 --> 00:04:51.300
are more valuable than others,

88
00:04:51.300 --> 00:04:54.630
so alerts involving high-value assets,

89
00:04:54.630 --> 00:04:58.560
such as critical databases or cloud infrastructure,

90
00:04:58.560 --> 00:05:00.060
should be prioritized

91
00:05:00.060 --> 00:05:03.660
over those affecting less important systems,

92
00:05:03.660 --> 00:05:06.691
and this ensures the most valuable and essential components

93
00:05:06.691 --> 00:05:09.112
of an organization are protected

94
00:05:09.112 --> 00:05:12.360
from potential threats first.

95
00:05:12.360 --> 00:05:14.820
In terms of alert prioritization,

96
00:05:14.820 --> 00:05:17.977
security teams need to identify which assets

97
00:05:17.977 --> 00:05:21.180
are most critical to their operations.

98
00:05:21.180 --> 00:05:24.094
For instance, if a key financial system

99
00:05:24.094 --> 00:05:27.690
or a customer-facing service is affected,

100
00:05:27.690 --> 00:05:31.650
the alert associated with it should be prioritized

101
00:05:31.650 --> 00:05:34.830
over a less critical internal system.

102
00:05:34.830 --> 00:05:38.217
To assist, tools such as security information

103
00:05:38.217 --> 00:05:41.250
and event management, or SIEM systems,

104
00:05:41.250 --> 00:05:44.050
like Splunk or QRadar, can be configured

105
00:05:44.050 --> 00:05:49.050
to assign higher priorities to alerts from critical assets,

106
00:05:49.050 --> 00:05:52.590
ensuring that these issues are addressed promptly.

107
00:05:52.590 --> 00:05:55.860
Fourth, we have residual risk.

108
00:05:55.860 --> 00:05:58.599
Residual risk is the remaining level of risk

109
00:05:58.599 --> 00:06:01.622
that persists even after security controls

110
00:06:01.622 --> 00:06:05.340
and mitigation efforts have been applied.

111
00:06:05.340 --> 00:06:07.590
Residual risk always exists

112
00:06:07.590 --> 00:06:11.430
because it's impossible to eliminate all risk,

113
00:06:11.430 --> 00:06:16.430
so security teams need to assess how much risk remains

114
00:06:16.470 --> 00:06:19.890
after defenses like firewalls, encryption,

115
00:06:19.890 --> 00:06:23.310
and intrusion prevention systems are in place

116
00:06:23.310 --> 00:06:26.880
and then target monitoring and alert response

117
00:06:26.880 --> 00:06:29.580
on areas with high residual risk,

118
00:06:29.580 --> 00:06:31.710
which can still be exploited,

119
00:06:31.710 --> 00:06:35.400
even after security controls are in place.

120
00:06:35.400 --> 00:06:40.260
Residual risk is especially relevant to alert prioritization

121
00:06:40.260 --> 00:06:42.720
because it helps determine which areas

122
00:06:42.720 --> 00:06:45.600
of the enterprise remain vulnerable.

123
00:06:45.600 --> 00:06:49.500
For example, an organization may have implemented

124
00:06:49.500 --> 00:06:54.500
multi-factor authentication to secure its users' accounts.

125
00:06:54.660 --> 00:06:57.930
However, if an alert indicates that an attacker

126
00:06:57.930 --> 00:07:01.020
has bypassed multi-factor authentication

127
00:07:01.020 --> 00:07:04.710
through a phishing attack, the residual risk is high,

128
00:07:04.710 --> 00:07:08.250
because a key security measure has been compromised.

129
00:07:08.250 --> 00:07:11.635
So security teams should use risk management tools

130
00:07:11.635 --> 00:07:15.657
and frameworks, such as NIST or ISO 27001,

131
00:07:18.090 --> 00:07:20.490
to assess residual risk levels

132
00:07:20.490 --> 00:07:24.420
and ensure that alerts involving high residual risk

133
00:07:24.420 --> 00:07:25.950
are handled quickly.

134
00:07:25.950 --> 00:07:29.880
Fifth and last, we have data classification.

135
00:07:29.880 --> 00:07:34.050
Data classification refers to categorizing data

136
00:07:34.050 --> 00:07:37.110
based on its sensitivity and importance,

137
00:07:37.110 --> 00:07:41.160
with more sensitive data requiring stronger protection.

138
00:07:41.160 --> 00:07:44.370
In the context of alert prioritization,

139
00:07:44.370 --> 00:07:48.810
alerts involving classified or highly confidential data,

140
00:07:48.810 --> 00:07:52.830
such as personal health information, or PHI,

141
00:07:52.830 --> 00:07:57.210
or financial records, are given a higher priority.

142
00:07:57.210 --> 00:08:00.750
Also, systems handling this type of data need

143
00:08:00.750 --> 00:08:02.790
to be secured more rigorously

144
00:08:02.790 --> 00:08:06.390
because a breach could result in significant legal,

145
00:08:06.390 --> 00:08:10.830
financial, or reputational damage to the organization.

146
00:08:10.830 --> 00:08:14.610
To assist in this effort, data classification tools

147
00:08:14.610 --> 00:08:19.380
can help organizations label and manage data sensitivity,

148
00:08:19.380 --> 00:08:23.520
and SIEM systems can then use these classifications

149
00:08:23.520 --> 00:08:26.190
to adjust alert priorities.

150
00:08:26.190 --> 00:08:29.190
SIEM systems do this by correlating alerts

151
00:08:29.190 --> 00:08:32.610
with sensitive data or critical systems

152
00:08:32.610 --> 00:08:34.603
and raising the priority of incidents

153
00:08:34.603 --> 00:08:38.760
involving classified and sensitive information,

154
00:08:38.760 --> 00:08:43.320
ensuring faster responses to the most impactful threats.

155
00:08:43.320 --> 00:08:47.700
This ensures that alerts related to highly sensitive data

156
00:08:47.700 --> 00:08:50.280
receive more immediate attention

157
00:08:50.280 --> 00:08:53.190
and are handled with appropriate urgency.

158
00:08:53.190 --> 00:08:58.110
So remember, alert prioritization factors

159
00:08:58.110 --> 00:09:02.280
help security teams determine the urgency of alerts

160
00:09:02.280 --> 00:09:04.920
based on specific criteria,

161
00:09:04.920 --> 00:09:09.360
ensuring that the most critical threats are addressed first.

162
00:09:09.360 --> 00:09:13.830
Key prioritization factors include alert criticality,

163
00:09:13.830 --> 00:09:18.210
alert impact, asset type, residual risk,

164
00:09:18.210 --> 00:09:20.490
and data classification.

165
00:09:20.490 --> 00:09:24.720
Alert criticality refers to the severity of an alert,

166
00:09:24.720 --> 00:09:28.890
with higher levels indicating more immediate threats.

167
00:09:28.890 --> 00:09:33.090
Alert impact evaluates the potential damage a threat

168
00:09:33.090 --> 00:09:36.090
could cause if not mitigated.

169
00:09:36.090 --> 00:09:39.570
Asset type considers the value and importance

170
00:09:39.570 --> 00:09:41.490
of the affected system,

171
00:09:41.490 --> 00:09:46.110
prioritizing alerts related to high-value assets.

172
00:09:46.110 --> 00:09:50.640
Next, residual risk accounts for the remaining threat

173
00:09:50.640 --> 00:09:53.640
after security controls are applied,

174
00:09:53.640 --> 00:09:57.810
focusing on areas where vulnerabilities persist,

175
00:09:57.810 --> 00:10:01.230
and finally, data classification ensures

176
00:10:01.230 --> 00:10:04.860
that alerts involving sensitive or classified data

177
00:10:04.860 --> 00:10:08.670
are prioritized, as breaches in these areas

178
00:10:08.670 --> 00:10:11.553
can have significant consequences.

