For every notable event, the analyst adds a little PICA.
What’s a notable event? It’s more than a record that something happened, or an alert that something is expected to happen. It requires some form of response, from “read and move on” to “read and acknowledge” to “follow this run book” to “alert the [managers|Red Team|President] and [start the clock|increase logging|take cover]”. A notable event may be an Incident or Event in ITIL terms, a Ticket in bug tracker or fry cook terms, or simply grist data for a machine learning mill. A notable event should not be suppressed, but a finding can.
What is PICA? An acronym borrowed from the Dallas News by Clayton Christensen.
- Perspective: what is the importance of this event to the organization’s goals? Does it affect security posture? A service level objective? Is it a compliance breach?
- Insight: what is the cascade potential for the risk represented by this event? this event? Does it require immediate remediation or is it just a counter to be watched?
- Context: Is this event a one-off, or is it common? Is it more common for the grouping than the overall organization?
- Analysis: is this type of event occurring more or less frequently than in the past?
With a special incident, the statement is clearly true: The SAN is almost full. My perspective tells me that systems are going to stop working, and my insight into those systems lets me understand knock-on events across my organization. I know the context, why we need these systems to fulfill our mission and why that is important, and I use my analytical skills to determine a course of action.
However, every firewall rule triggered alert in a SOC or breakfast ticket in a diner does not immediately require a great deal of insight. As a developer, I see your low-impact typo ticket and I fix the bug.
There is still a need for PICA on these low-or-no impact notable events. Perspective: they still consume human attention, wasting the most expensive resource in the environment. Insight: this kind of alert is ripe for automation, and a fine place to use a machine learning algorithm. Context: Reducing the flow of useless alerts makes important ones stand out better. Analysis: cost-benefit calculation suggests spending this much time to eliminate that noise.