Efficient and Standardized Alarm Rationalization for Cybersecurity Monitoring

Threat monitoring in cybersecurity systems is often jeopardized by alarm flooding, which frequently occurs in Security Information and Event Management (SIEM) solutions due to the unnecessary annunciation of numerous logs and event data from a variety of sources, including applications, network devices, firewall logs, and other sources. Cybersecurity operators may become alert fatigued and less able to respond to important occurrences due to the high volume of unnecessary alarms. Hence, for security operators to monitor threats effectively and consistently, alarm rationalization using formal and efficient techniques is needed. This study proposes a new framework for efficiently prioritizing cybersecurity alarms based on the integration of penetration testing findings with well-established industrial standards in alarm management. This is efficiently done by developing a Natural Language Processing (NLP) model to automatically map penetration testing findings to the Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) relationships, followed by alarm rationalization based on the industrial alarm management standard ISA 18.2. Verification of the effectiveness of the new integrated approach is demonstrated on a real system, which showed a reduction in the number of critical and high alarms by 38% while conforming to industrial alarm management standards in terms of peak alarm rates, average alarm rates, and healthy alarm priority distribution.