A defensible cyber security posture for a party may mean that the party has deployed systems designed to detect and respond to threats. There are numerous types of systems including those within categories such as firewalls, intrusion detection systems, antivirus systems, malware protection systems, and threat reputation systems. When these systems detect a potential security issue, an alert or alarm is generated to call attention from an operator.
A large number of alerts are typically generated because very large numbers of generic and targeted attacks affect enterprises. Oftentimes so many alerts are generated that operators cannot keep up with the number of alerts. For well-tuned, high investment environments, an enterprise may see an average of 500 alerts per week. Other enterprises may see around 5000 alerts per week across all security systems of those enterprises.
An average alert response typically requires a minimum of 1 hour, with some requiring much more time depending on complexity. An average full-time security analyst may process 15-20 alerts per week. The gap between how many alerts security systems generate and how many an enterprise can process is large, and growing. Those unprocessed alerts represent heightened risk to the enterprises.
Additionally, multiple different security analysts may investigate the same alerts or different alerts that converge on the same root problem without any knowledge that others are working on the same or similar investigations. Moreover, a security analyst may investigate a first alert and then shortly thereafter that security analyst or another security analyst may investigate a second similar alert. However, in conventional systems there is no mechanism to enable the investigation of the second alert to leverage the previous investigation of the first alert.
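The following is an added illustration, not part of the original text, of the mechanism the last paragraph says conventional systems lack: each incoming alert is matched against open investigations by the entities it shares with them (host, IP, file hash), so a second similar alert is attached to the first alert's investigation and its owning analyst instead of opening a parallel one. The alerts, entity names and analyst names are constructed sample data; an alert that bridges two separate investigations merges them.

```python
from dataclasses import dataclass, field

# Constructed sample alerts (not from the page): each alert names the entities
# it concerns; alerts sharing an entity likely converge on one root problem.
SAMPLE_ALERTS = [
    {"id": "A1", "source": "ids", "entities": {"host:ws-17", "ip:203.0.113.9"}},
    {"id": "A2", "source": "antivirus", "entities": {"host:ws-17", "hash:sample-hash-1"}},
    {"id": "A3", "source": "firewall", "entities": {"ip:198.51.100.4"}},
    {"id": "A4", "source": "reputation", "entities": {"hash:sample-hash-1", "host:db-02"}},
    {"id": "A5", "source": "ids", "entities": {"ip:198.51.100.4", "host:db-02"}},
]
ANALYSTS = ["alice", "bob", "carol", "alice", "dave"]  # who picked up each alert

@dataclass
class Investigation:
    inv_id: str
    analyst: str                  # analyst who opened it; later alerts are routed to them
    alert_ids: list = field(default_factory=list)
    entities: set = field(default_factory=set)

class AlertCorrelator:
    """Attach each new alert to the open investigation that shares any entity,
    so the second analyst inherits the first one's work instead of starting over."""
    def __init__(self):
        self.investigations = {}  # inv_id -> Investigation
        self.by_entity = {}       # entity -> inv_id
        self.count = 0

    def ingest(self, alert, analyst):
        linked = sorted({self.by_entity[e] for e in alert["entities"] if e in self.by_entity})
        if not linked:            # nothing known about these entities: open a new case
            self.count += 1
            inv = Investigation(f"INV-{self.count}", analyst)
            self.investigations[inv.inv_id] = inv
        else:                     # reuse the earliest matching case
            inv = self.investigations[linked[0]]
            for other_id in linked[1:]:   # alert bridges two cases: merge them into one
                other = self.investigations.pop(other_id)
                inv.alert_ids += other.alert_ids
                inv.entities |= other.entities
        inv.alert_ids.append(alert["id"])
        inv.entities |= alert["entities"]
        for e in inv.entities:
            self.by_entity[e] = inv.inv_id
        return inv

def triage(alerts=SAMPLE_ALERTS, analysts=ANALYSTS):
    """Return (alert_id, inv_id, owning analyst) per alert, plus the correlator."""
    corr = AlertCorrelator()
    rows = []
    for alert, who in zip(alerts, analysts):
        inv = corr.ingest(alert, who)
        rows.append((alert["id"], inv.inv_id, inv.analyst))
    return rows, corr
```

Running `triage()` on the sample routes A2 and A4 to alice's INV-1, and A5 merges carol's INV-2 into it, leaving a single investigation holding all five alerts.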