Gartner Blog Network


Alert-driven vs Exploration-driven Security Analysis

by Anton Chuvakin  |  May 20, 2013  |  7 Comments

Is alert-driven security workflow “dead”?! It is most certainly not.

However, it is being challenged at some enlightened organizations that deploy SIEM, network forensics or other analytics technologies (notice how elegantly I am avoiding the marketer-corrupted term “big data” :) ).

A fellow SIEM literati once called it using a “tech support workflow” for security incident response – and, let me tell you, he didn’t like it much. Many users of network forensics tools (NFT) have discovered that their tools are not alert-centric at all (such as discussed here), but require active data exploration. One NFT team manager even went as far as to say “we don’t hire alert responders here.” He meant that in his team he doesn’t want people to wait for alerts, but to go out and explore, to “hunt” for insights rather than “gather” alerts. Starting from a hypothesis, a “thread to pull”, a question rather than an alert is characteristic of this newer way of approaching security.

Here is how I am thinking about it:

Alert-driven                          | Exploration-driven
--------------------------------------+----------------------------------------------------
Incident DETECTION                    | Incident DISCOVERY
Alert comes in –> you respond         | You go out –> you find actionable info –> you act
Like tech support                     | Like QA (thanks for this idea!)
Response                              | “Hunting”
Alert-centric                         | Question-centric
Context to decide on the alert        | Context to explore wider/deeper
Drill-down                            | Drill-sideways
Triage THIS entity                    | Explore in THIS direction
Want to be “done” with the alert      | Want to know what is really going on, not be “done”
Operations – alert volume             | Research – insight usefulness
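To make the two columns concrete, here is an added Python example (not code from the original post) that runs both workflows over the same constructed auth log. The host names, user names and IP addresses are hypothetical; the log format, the brute-force rule and its threshold are assumptions chosen for the illustration. The alert-driven path waits for a rule to fire and then drills down into that one source only far enough to decide; the exploration-driven path starts from a question ("which accounts were used from more than one source today?") and drills sideways into what those accounts touched, finding something no rule ever alerted on. The last function blends the two: the alert fixes the where and when, and the recorded data around that point is replayed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: hypothetical hosts, users and documentation-range IPs,
# not data from the original post.
LOG_LINES = """\
2013-05-20T08:00:01 web01 sshd: Failed password for bob from 203.0.113.9
2013-05-20T08:00:04 web01 sshd: Failed password for bob from 203.0.113.9
2013-05-20T08:00:07 web01 sshd: Failed password for bob from 203.0.113.9
2013-05-20T08:00:10 web01 sshd: Failed password for bob from 203.0.113.9
2013-05-20T08:00:13 web01 sshd: Failed password for bob from 203.0.113.9
2013-05-20T08:00:16 web01 sshd: Accepted password for bob from 203.0.113.9
2013-05-20T08:05:00 web01 sudo: bob : COMMAND=/bin/cat /etc/shadow
2013-05-20T09:10:00 db01 sshd: Accepted password for alice from 10.1.1.5
2013-05-20T09:12:00 db01 sshd: Accepted password for alice from 198.51.100.7
2013-05-20T09:15:00 db01 sudo: alice : COMMAND=/usr/bin/pg_dump customers
2013-05-20T10:00:00 web02 sshd: Accepted password for carol from 10.1.1.22
2013-05-20T10:30:00 web02 sudo: carol : COMMAND=/usr/bin/apt-get upgrade
"""

SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : COMMAND=(.+)$")


def parse_line(line):
    """Turn one syslog-style line into an event dict, or None if unrecognised."""
    m = SSH_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "action": outcome.lower(), "detail": ""}
    m = SUDO_RE.match(line)
    if m:
        ts, host, user, cmd = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": None, "action": "sudo", "detail": cmd}
    return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


# Alert-driven: a rule fires, you respond to THIS entity.
def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Assumed rule: `threshold` failed logins from one source inside `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["action"] != "failed":
            continue
        times = recent[e["src"]]
        times.append(e["ts"])
        while e["ts"] - times[0] > window:      # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            alerts.append({"rule": "brute_force", "entity": e["src"], "ts": e["ts"]})
            times.clear()                        # one burst -> one alert
    return alerts


def triage(alert, events):
    """Drill-down: look only at the alerted source, only far enough to decide."""
    later = (e for e in events if e["src"] == alert["entity"] and e["ts"] >= alert["ts"])
    return "escalate" if any(e["action"] == "accepted" for e in later) else "close"


# Exploration-driven: start from a question and drill sideways; no rule fires here.
def explore_multi_source_accounts(events):
    """Which accounts were used from more than one source, and what did they touch?"""
    sources = defaultdict(set)
    for e in events:
        if e["action"] == "accepted":
            sources[e["user"]].add(e["src"])
    findings = {}
    for user, srcs in sources.items():
        if len(srcs) > 1:
            mine = [e for e in events if e["user"] == user]
            findings[user] = {"sources": sorted(srcs),
                              "hosts": sorted({e["host"] for e in mine}),
                              "privileged": [e["detail"] for e in mine if e["action"] == "sudo"]}
    return findings


# Blending both: the alert fixes where/when, the recorded data around it is explored.
def replay_window(alert, events, before=timedelta(minutes=1), after=timedelta(minutes=10)):
    """Events around the alert for the source and for the accounts it reached."""
    lo, hi = alert["ts"] - before, alert["ts"] + after
    in_window = [e for e in events if lo <= e["ts"] <= hi]
    accounts = {e["user"] for e in in_window
                if e["src"] == alert["entity"] and e["action"] == "accepted"}
    return [e for e in in_window if e["src"] == alert["entity"] or e["user"] in accounts]


def run_both(text=LOG_LINES):
    events = parse_log(text)
    alerts = brute_force_alerts(events)
    return {"alerts": [(a["entity"], triage(a, events)) for a in alerts],
            "replayed": len(replay_window(alerts[0], events)) if alerts else 0,
            "discovered": sorted(explore_multi_source_accounts(events))}
```

Running `run_both()` shows the asymmetry the table describes: the brute-force rule produces one alert for 203.0.113.9, which triage escalates because the source later succeeded, while the account "alice" logging in from two different sources and then dumping a database is never alerted on at all and is only found by asking the question. The replay pulls the seven recorded events around the alert, including the privileged command that followed the successful login.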

In any case, hopefully it is insightful and useful for your security analytics / SIEM / SOC thinking and planning.

And, hey, vendors – don’t assume that security monitoring is ALL about alert-driven workflows… The smartest of your tool users already don’t.


Category: analytics, monitoring, network-forensics, security, siem

Tags: analytics, network-forensics, security, security-monitoring

Anton Chuvakin
Research VP
2+ years with Gartner
14 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Alert-driven vs Exploration-driven Security Analysis


  1. […] out the attacks from the data. See how Anton Chuvakin of Gartner thinks about Big Data security in his post about security exploration versus responding to […]

  2. (Full-disclosure: I work for Spectorsoft, a creator of User Activity Monitoring software)

    With the right systems and data in place, these two concepts can and should merge. The alerts should point to exactly where and when the exploration should take place. The caveat to make this a reality is the need to both monitor (for the Alerting) and record (for the Exploration) the same given set of data.

    For example, in the case of our UAM solutions, we’re doing both around user activity (think: every action performed on a computer). We can alert based on keyword (found in email, typed, webpages, etc) to identify a specific activity in question, which allows the exploration of the recorded data to review what actions were taken before, during and after the activity in question to provide contextual and detailed analysis.

    So a real-world use case would be taking the 3K keywords E&Y and the FBI developed to identify possible fraud and not only alert that a given keyword was triggered, but also have the ability to explore that specific point in time and replay an employee’s actions to see what was done.

  3. Thanks for the comment. Indeed, it is useful to practice both approaches. Almost no security approach is black/white only, after all.

  4. Matthew Gardiner, RSA Security says:

    Very well said. Key from my point of view is blending alert-driven and exploration-driven monitoring and continually pivoting back and forth between the two. Furthermore, by inserting and fusing machine-readable threat intelligence and context into the mix, both the alert-driven and exploration-driven monitoring approaches become more effective and less dependent on having security geniuses on staff!

  5. Matt, thanks for the comment. Indeed, combining them makes sense, but to combine them you need to know they BOTH exist. And many people don’t :-)


