Alert-driven correlation, while important, is limited to those events that trigger on a security device. Without context, these alerts generate false alarms at a very high rate.
Confidently detecting true indicators of compromise (IOCs) in a timely manner requires the ability to consume all streaming event data, correlate alerts, and apply advanced analytics to user activity, application activity, and asset activity from all systems. The ability to actively observe and measure behavior from data across the entire enterprise IT environment is critical to determining the validity and priority of real threats.
Alert data + behavior data analyzed together lead to a higher degree of accuracy and the capability to deliver an effective, timely response to true IOCs, and therefore effective risk mitigation.
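The following is an added example, not code from the original text or from any product it describes, showing what "alert data + behavior data analyzed together" looks like in practice: device alerts are enriched with a per-user behavioral baseline (hosts used, login hours, outbound volume) built from session records, and the combined score decides the priority tier. All alerts, activity records, rule names, weights and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not from any real environment): device alerts plus
# session-level behaviour records (user, host, login time, MB sent).
ALERTS = [
    {"id": "A1", "user": "alice", "host": "ws-01", "time": "2024-05-06T09:15:00",
     "rule": "suspicious_powershell", "severity": 5},
    {"id": "A2", "user": "bob", "host": "srv-db", "time": "2024-05-06T03:10:00",
     "rule": "suspicious_powershell", "severity": 5},
    {"id": "A3", "user": "dave", "host": "ws-09", "time": "2024-05-06T11:00:00",
     "rule": "port_scan", "severity": 3},
]
ACTIVITY = [
    # baseline window: alice works office hours on ws-01, ~50 MB out per session
    *({"user": "alice", "host": "ws-01", "time": f"2024-04-{d}T09:00:00", "mb_out": v}
      for d, v in zip(range(22, 27), (48, 52, 50, 47, 53))),
    # bob works office hours on ws-02, ~20 MB out per session
    *({"user": "bob", "host": "ws-02", "time": f"2024-04-{d}T08:30:00", "mb_out": v}
      for d, v in zip(range(22, 27), (18, 22, 20, 21, 19))),
    # sessions on the day the alerts fired
    {"user": "alice", "host": "ws-01", "time": "2024-05-06T09:02:00", "mb_out": 51},
    {"user": "bob", "host": "srv-db", "time": "2024-05-06T03:05:00", "mb_out": 900},
]
BASELINE_CUTOFF = "2024-05-01"   # events before this date form the baseline
# Hypothetical weights added to the device severity for each behavioural finding.
WEIGHTS = {"new_host": 2, "off_hours": 1, "volume_spike": 3, "no_baseline": 4, "no_session": 1}


def build_baselines(events, cutoff):
    """Per-user profile from events before `cutoff`: hosts used, login-hour range, outbound mean/stdev."""
    by_user = defaultdict(list)
    for e in events:
        if e["time"] < cutoff:          # ISO-8601 strings compare chronologically
            by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        hours = [datetime.fromisoformat(e["time"]).hour for e in evs]
        vols = [e["mb_out"] for e in evs]
        profiles[user] = {"hosts": {e["host"] for e in evs},
                          "hour_min": min(hours), "hour_max": max(hours),
                          "mb_mean": mean(vols), "mb_std": pstdev(vols) or 1.0}
    return profiles


def find_session(alert, events):
    """The behaviour record for the same user and host on the alert's calendar day, if any."""
    day = alert["time"][:10]
    for e in events:
        if e["user"] == alert["user"] and e["host"] == alert["host"] and e["time"][:10] == day:
            return e
    return None


def behaviour_flags(profile, session):
    """Anomalies in one session relative to the user's baseline."""
    flags = []
    if session["host"] not in profile["hosts"]:
        flags.append("new_host")
    hour = datetime.fromisoformat(session["time"]).hour
    if not (profile["hour_min"] - 1 <= hour <= profile["hour_max"] + 1):
        flags.append("off_hours")
    if (session["mb_out"] - profile["mb_mean"]) / profile["mb_std"] > 3:   # z-score > 3
        flags.append("volume_spike")
    return flags


def score_alert(alert, profiles, events):
    """Combine device severity with behavioural context into a score and priority tier."""
    if alert["user"] not in profiles:
        flags = ["no_baseline"]       # unknown actor: escalate rather than dismiss
    else:
        session = find_session(alert, events)
        flags = behaviour_flags(profiles[alert["user"]], session) if session else ["no_session"]
    score = alert["severity"] + sum(WEIGHTS[f] for f in flags)
    tier = "P1" if score >= 10 else "P2" if score >= 7 else "P3"
    return {"id": alert["id"], "score": score, "tier": tier, "flags": flags}


def triage(alerts=ALERTS, events=ACTIVITY):
    """Score every alert against the baselines and return them highest-priority first."""
    profiles = build_baselines(events, BASELINE_CUTOFF)
    return sorted((score_alert(a, profiles, events) for a in alerts), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage():
        print(f"{r['id']} {r['tier']} score={r['score']:>2} flags={r['flags']}")
```

The two `suspicious_powershell` alerts carry identical device severity, yet the one whose user is on a familiar host, at a normal hour, with normal outbound volume lands in the lowest tier, while the one accompanied by a new host, an off-hours login and a volume spike is escalated to P1. A user with no baseline at all is deliberately scored upward rather than ignored, since absence of history is itself context an analyst needs.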