Risk-Based Alerting Helps SOCs Focus on What Really Matters

Splunk's Jesse Trucks on Latest Tools for Reducing False Positives, Ticket Fatigue
Jesse Trucks, minister of magic, Splunk

Detection tools can potentially overwhelm security operation center analysts with alerts, many of which are false positives, leading to ticket fatigue and missed attacks. Jesse Trucks, minister of magic at Splunk, says the latest risk-based alerting technology is helping SOCs focus on the threats that really matter.

Most threat detection systems can generate hundreds of alerts per day, but analysts can only review a maximum of about 25 tickets a day, says Trucks. Risk-based alerting helps workers make the most impact. "By creating risk rules, you can now expand the number of detections you have to very large volume but only still have a smaller volume of tickets than you used to have because it groups them together with the intelligence on and under the hood."
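The grouping Trucks describes can be illustrated with a small aggregator. The following is an added example written for this page; it is not Splunk's code and does not use the Splunk risk framework. The rule names, weights, events and thresholds are constructed for the illustration. Each low-fidelity detection contributes a risk score to the entity it fired on, and a ticket is opened only when an entity's accumulated score inside a time window crosses a threshold with more than one distinct rule contributing, so a single noisy rule cannot generate a ticket on its own.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample detections (not real telemetry). Each one would be a
# noisy, low-fidelity alert if it were ticketed on its own.
EVENTS = [
    {"time": "2024-01-10T09:00:00", "rule": "rare_process", "entity": "host-a"},
    {"time": "2024-01-10T09:05:00", "rule": "rare_process", "entity": "host-a"},
    {"time": "2024-01-10T09:20:00", "rule": "outbound_new_domain", "entity": "host-a"},
    {"time": "2024-01-10T09:30:00", "rule": "privilege_change", "entity": "host-a"},
    {"time": "2024-01-10T10:00:00", "rule": "rare_process", "entity": "host-b"},
    {"time": "2024-01-10T11:00:00", "rule": "rare_process", "entity": "host-c"},
    {"time": "2024-01-12T11:00:00", "rule": "privilege_change", "entity": "host-c"},
]

# Hypothetical risk rules and their weights, chosen for this example only.
RISK_RULES = {
    "rare_process": 20,
    "outbound_new_domain": 30,
    "privilege_change": 40,
}


@dataclass
class RiskTicket:
    entity: str
    score: int
    rules: list          # distinct rules that contributed, sorted
    first_seen: datetime
    last_seen: datetime


def risk_tickets(events, rules=RISK_RULES, window=timedelta(hours=24),
                 threshold=80, min_distinct_rules=2):
    """Aggregate risk events per entity over a sliding window and open one
    ticket when the cumulative score reaches `threshold` AND at least
    `min_distinct_rules` different rules contributed. Requiring corroboration
    from more than one rule is what removes single-rule false positives."""
    by_entity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_entity[ev["entity"]].append(
            (datetime.fromisoformat(ev["time"]), ev["rule"]))

    tickets = []
    for entity, hits in by_entity.items():
        window_hits = []  # events still inside the look-back window
        for ts, rule in hits:
            window_hits.append((ts, rule))
            # Drop contributions older than the window relative to this event.
            window_hits = [(t, r) for t, r in window_hits if ts - t <= window]
            score = sum(rules.get(r, 0) for _, r in window_hits)
            distinct = sorted({r for _, r in window_hits})
            if score >= threshold and len(distinct) >= min_distinct_rules:
                tickets.append(RiskTicket(entity, score, distinct,
                                          window_hits[0][0], ts))
                # One ticket per entity per incident: reset so that a later,
                # separate burst of activity can open a new ticket.
                window_hits = []
    return tickets


def alert_reduction(events, **kwargs):
    """Return (raw alert count, ticket count) to show the volume reduction."""
    return len(events), len(risk_tickets(events, **kwargs))


if __name__ == "__main__":
    for t in risk_tickets(EVENTS):
        print(f"{t.entity}: score={t.score} rules={t.rules} "
              f"window={t.first_seen}..{t.last_seen}")
    print("raw alerts vs tickets:", alert_reduction(EVENTS))
```

With the constructed input, seven raw detections collapse into one ticket for `host-a`, where three different rules fired within half an hour. `host-b` has a single rare-process hit and `host-c` has two hits two days apart that never overlap in the window, so neither is ticketed. Setting `threshold=20` and `min_distinct_rules=1` reproduces the one-ticket-per-alert behaviour, which is the volume problem the interview describes.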

In this video interview with Information Security Media Group, Trucks discusses:

  • The common challenges with alerts that security operations teams and analysts face;
  • How risk-based alerting works to reduce false positives and create more high-fidelity tickets;
  • Specialized tools, services and training to help organizations quickly implement risk-based alerts and see results.

Trucks, who has worked for six years at Splunk, has over 20 years of experience in IT and security operations. In that time, he has worked for the U.S. Department of Energy Oak Ridge National Laboratory and D. E. Shaw Research, supporting HPC clusters and supercomputers. He also worked at multiple telecoms and managed service providers and has extensive experience in designing and implementing risk mitigation and security programs, compliance auditing processes and systems, and defensive security operations. He has developed multiple bespoke monitoring and automation systems and has implemented a multitude of commercial monitoring, SIEM and automation systems.

About the Author

Tony Morbin

Executive News Editor, EU

Morbin is a veteran cybersecurity and tech journalist, editor, publisher and presenter working exclusively in cybersecurity for the past decade, at ISMG, SC Magazine and IT Sec Guru. He previously covered computing, finance, risk, electronic payments, telecoms and broadband, including at the Financial Times. Morbin spent seven years as an editor in the Middle East and worked on ventures covering Hong Kong and Ukraine.
