CT Framework · November 11, 2021

Introducing the “Context Triage Framework”

Problem 1: Security Operations teams, especially junior or Level 1 Analysts, spend a lot of time interpreting the results of scripted events such as secondary searches, enhancements, and pivots.

Problem 2: Security teams spend a lot of energy because they do not yet trust the automation.

Solution: The Context Triage Framework

The CT Framework, or CTF for short, is my answer to reducing the manual work of a Level 1 Analyst and of any operational Security Team. It consists of four main elements, termed phases:

  1. Verification and Application
  2. Scheduler
  3. Module Engine
  4. Scoring Assessment and Disposition

When implemented in a SOAR platform such as Phantom, Cortex or Logichub, these phases work together: properly built and designated SIEM alerts are ingested, and the Scheduler decides which further modules the Framework needs to apply. The Module Engine then runs those modules so that each individual question is addressed in order. When the Module Engine completes, it triggers the final phase, a Scoring Assessment and Disposition of the alert. Once scoring is complete, a full disposition can judge whether the alert is incomplete, a false positive, a benign but true positive, something that needs confirmation before declaring an incident, or an incident. Building this in one’s SOAR platform also lets the disposition immediately drive remediation actions.

And this is where the phases help address and alleviate Problem 2, trust. Other triage frameworks are largely all or nothing: they insist on building everything at once, unless one accepts a lot of duplicate work. The CT Framework allows one to build phases 1 through 3 without duplicating analyst work. When Phase 4, Scoring Assessment and Disposition, is built, the switch that triggers any disposition can be left as a manual function.

Keeping that manual function after the Scoring Assessment allows the Security team to inspect the findings and the resulting scores from the Module Engine and confirm or deny the accuracy of the intended Disposition.
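The four phases and the manual disposition switch, as an added Python sketch that is not part of the original post or of any SOAR product: the module registry, enrichment tables and score thresholds are assumptions made up for the example, and a module failure yields the "incomplete" disposition rather than a silent pass.

```python
from dataclasses import dataclass

# Constructed sample enrichment data standing in for real secondary searches.
BAD_IPS = {"203.0.113.7": 90}          # documentation-range address, not a real IoC
PRIVILEGED_USERS = {"svc-backup"}       # hypothetical high-value account

@dataclass
class Finding:
    module: str
    score: int        # 0-100 contribution to the assessment
    ok: bool = True   # False when the module failed to return a result

def verify(alert, required=("src_ip", "user")):
    """Phase 1: accept only alerts carrying the fields the modules need."""
    return all(alert.get(k) for k in required)

def schedule(alert, registry):
    """Phase 2: pick the ordered module list designated for this alert type."""
    return registry.get(alert.get("type"), [])

def run_modules(alert, modules):
    """Phase 3: run each module in order; a failure is recorded, not hidden."""
    findings = []
    for name, fn in modules:
        try:
            findings.append(Finding(name, fn(alert)))
        except Exception:
            findings.append(Finding(name, 0, ok=False))
    return findings

def assess(findings):
    """Phase 4a: score, then map the score to one of the five dispositions."""
    if not findings or not all(f.ok for f in findings):
        return "incomplete", 0
    score = max(f.score for f in findings)   # assumed aggregation: worst finding wins
    if score < 20:  return "false positive", score
    if score < 50:  return "benign true positive", score
    if score < 80:  return "needs confirmation", score
    return "incident", score

def triage(alert, registry, auto_dispose=False):
    """Phase 4b: the manual switch holds the disposition for analyst confirmation."""
    findings = run_modules(alert, schedule(alert, registry)) if verify(alert) else []
    disposition, score = assess(findings)
    return {"disposition": disposition, "score": score, "final": auto_dispose}

# Hypothetical modules standing in for SOAR enrichment actions.
def ip_reputation(alert): return BAD_IPS.get(alert["src_ip"], 10)
def user_privilege(alert): return 60 if alert["user"] in PRIVILEGED_USERS else 15
REGISTRY = {"auth_failure": [("ip_reputation", ip_reputation), ("user_privilege", user_privilege)]}
```

With `auto_dispose=False` the result is a proposed disposition the analyst confirms or denies; flipping it to `True` is the switch that lets the SOAR act on it.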