Put PICA on Notable Events


For every notable event, the analyst adds a little PICA.

What’s a notable event? It’s a record that something happened, or an alert that something is expected to happen. It theoretically requires some form of response, from “read and move on” to “read and acknowledge” to “follow this run book” to “alert the [managers|Red Team|President] and [start the clock|increase logging|take cover]”. A notable event may be an Incident or Event in ITIL terms, a Ticket in bug tracker or fry cook terms, or simply grist data for a machine learning mill.

What is PICA? An acronym borrowed from the Dallas News by Clayton Christensen.

  • Perspective: what is the importance of this event to the organization’s goals? Does it affect security posture? A service level objective? Is it a compliance breach?
  • Insight: what is the cascade potential for the risk represented by this event? Does it require immediate remediation, or is it just a counter to be watched?
  • Context: Is this event a one-off, or is it common? Is it more common for the grouping than the overall organization?
  • Analysis: is this type of event occurring more or less frequently than in the past?

For a serious incident, the opening statement clearly holds: The SAN is almost full. My perspective tells me that systems are going to stop working, and my insight into those systems lets me understand knock-on events across my organization. I know the context, why we need these systems to fulfill our mission and why that is important, and I use my analytical skills to determine a course of action.

However, not every firewall-rule-triggered alert in a SOC or breakfast ticket in a diner immediately requires a great deal of insight. As a developer, I see your low-impact typo ticket and I fix the bug.

There is still a need for PICA on these low-or-no-impact notable events. Perspective: they still consume human attention, wasting the most expensive resource in the environment. Insight: this kind of alert is ripe for automation, and a fine place to use a machine learning algorithm. Context: reducing the flow of useless alerts makes the important ones stand out better. Analysis: a cost-benefit calculation suggests how much time is worth spending to eliminate that noise.
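The Context and Analysis questions above (is this event common for its grouping, and is it trending up or down?) can be answered mechanically before a human ever reads the alert. The following is an added example, not code from the post; the event tuples, group names and the `pica_context_analysis` helper are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample notable events (not from the post):
# (timestamp, event_type, grouping the event belongs to)
SAMPLE_EVENTS = [
    (datetime(2024, 3, 14), "fw_deny", "web"),
    (datetime(2024, 3, 13), "fw_deny", "web"),
    (datetime(2024, 3, 12), "fw_deny", "web"),
    (datetime(2024, 3, 10), "fw_deny", "db"),
    (datetime(2024, 3, 9), "disk_full", "db"),
    (datetime(2024, 3, 5), "fw_deny", "web"),
    (datetime(2024, 3, 3), "disk_full", "web"),
    (datetime(2024, 3, 2), "fw_deny", "db"),
]
NOW = datetime(2024, 3, 15)  # constructed "current time" for the sample


def pica_context_analysis(events, event_type, group, now, window=timedelta(days=7)):
    """Compute the Context and Analysis parts of PICA for one notable event.

    Context: how often this type occurs within its grouping versus the whole
    organisation.  Analysis: the count in the latest window compared with the
    window immediately before it.  Hypothetical helper, not the post's own.
    """
    org_type = sum(1 for _, t, _ in events if t == event_type)
    grp = [e for e in events if e[2] == group]
    grp_type = sum(1 for _, t, _ in grp if t == event_type)
    org_rate = org_type / len(events) if events else 0.0
    grp_rate = grp_type / len(grp) if grp else 0.0

    # Analysis: this type, in this group, latest window vs. the preceding one.
    recent = sum(1 for ts, t, _ in grp if t == event_type and now - window <= ts < now)
    prior = sum(1 for ts, t, _ in grp
                if t == event_type and now - 2 * window <= ts < now - window)
    # Nothing in the prior window means no meaningful ratio: flag it as new.
    trend = recent / prior if prior else None

    if grp_type <= 1:
        context = "one-off"
    else:
        context = "group-specific" if grp_rate > org_rate else "common"
    if trend is None:
        analysis = "new"
    else:
        analysis = "rising" if trend > 1 else "falling" if trend < 1 else "steady"
    return {"context": context, "group_rate": round(grp_rate, 3),
            "org_rate": round(org_rate, 3), "analysis": analysis,
            "recent": recent, "prior": prior}
```

Feeding the result into the alert record gives the analyst (or the automation deciding whether a human needs to see it) the Context and Analysis lines without manual counting.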
