Do you know what is happening to your computers? Can you tell when someone is logged in snooping around? Do you know when they installed a program? Do you know when they take data from the computer and copy it out of the network?
Each of these things can have a huge negative impact on the organization and people’s lives.
Identifying Threats in Real-Time
Cyber attacks are a constant threat to all organizations of all sizes. The ability to detect and respond to security incidents can help minimize breaches, safeguard data, and prevent disruptions to the organization. Managing alerts plays a critical role in helping security teams respond to suspicious activity, unauthorized access attempts, and other indicators of compromise.
Utilizing tools and technologies that the organization already has available will provide visibility into the networks and systems and can help the security team react quickly before threats become incidents.
Minimizing Downtime and Damage
During an attack, seconds count in protecting the organization. The longer an attacker remains undetected within a network, the greater the potential for damage and disruption. Alert management enables organizations to respond quickly to security alerts, containing threats before they can spread and minimizing the impact on business operations.
Security teams should have direct access to system logs, be trained on what to look for, and have the access needed to isolate systems, lock accounts, or otherwise respond to the threat as quickly as possible. The team needs to practice both the alert monitoring and the alert response processes to ensure they can quickly make decisions to protect the organization.
Prioritizing Response Efforts
There can be a significant number of alerts monitored by the security team, and it takes a fair amount of skill to pick out the critical alerts from the barrage of logs coming from systems across the organization. Alert fatigue can cause some security incidents to be ignored, which exposes the organization to significant risk.
Proper alert management can allow the security teams to prioritize response efforts based on the criticality of the system (or data on a system), severity of the alert, and the overall impact to the organization. Prioritizing the alerts is critical to reduce the alert fatigue of the security team and help them focus on the highest risk.
Gone are the days of “collect everything and search later.” Alerts should be limited to critical activities such as the following Windows Security events:
- 4625 Failed account logon
- 4648 A logon attempt was made with explicit credentials
- 4719 System audit policy was changed
- 4964 A special group has been assigned to a new logon
- 1102 Audit log was cleared
When the security team sees events such as these, they should investigate to understand whether the activity was expected or if it was an attacker doing bad things on their network.
The above events are just a sample of the events that should be monitored in the environment.
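As an added illustration of prioritizing these events (example code, not from the original article), the following Python snippet triages a constructed sample of forwarded Security log records: it keeps only the event IDs listed above, weights each by an assumed severity and by the criticality of the affected host, and collapses repeated 4625 failures against one account into a single escalated alert. The hostnames, user names, severity scale, and burst threshold are all assumptions made for the example.

```python
import json
from collections import defaultdict
# The five Windows Security event IDs listed above, with an assumed base severity (1-5).
WATCHED_EVENTS = {
    4625: ("Failed account logon", 2),
    4648: ("Logon attempted with explicit credentials", 3),
    4719: ("System audit policy was changed", 4),
    4964: ("Special group assigned to a new logon", 4),
    1102: ("Audit log was cleared", 5),
}
# Hypothetical asset inventory: criticality of each host (1-5); unknown hosts default to 3.
ASSET_CRITICALITY = {"DC01": 5, "FILESRV02": 4, "WS-0117": 2}
FAILED_LOGON_BURST = 4  # this many 4625s for one account on one host counts as a burst
# Constructed sample in JSON-lines form, as a log forwarder might emit it (not real logs).
SAMPLE_LOG = """
{"ts":"2024-05-01T08:00:01Z","host":"WS-0117","event_id":4624,"user":"jdoe"}
{"ts":"2024-05-01T08:00:05Z","host":"WS-0117","event_id":4625,"user":"jdoe"}
{"ts":"2024-05-01T08:00:06Z","host":"WS-0117","event_id":4625,"user":"jdoe"}
{"ts":"2024-05-01T08:00:07Z","host":"WS-0117","event_id":4625,"user":"jdoe"}
{"ts":"2024-05-01T08:00:08Z","host":"WS-0117","event_id":4625,"user":"jdoe"}
{"ts":"2024-05-01T08:02:00Z","host":"FILESRV02","event_id":4648,"user":"svc_backup"}
{"ts":"2024-05-01T08:03:10Z","host":"DC01","event_id":4625,"user":"administrator"}
{"ts":"2024-05-01T08:04:00Z","host":"DC01","event_id":4719,"user":"administrator"}
{"ts":"2024-05-01T08:04:30Z","host":"DC01","event_id":1102,"user":"administrator"}
"""

def parse_events(text):
    # One JSON object per non-empty line.
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def make_alert(event_id, host, user, count=1):
    # Priority = event severity * asset criticality; repeated failed logons escalate.
    name, severity = WATCHED_EVENTS[event_id]
    if event_id == 4625 and count >= FAILED_LOGON_BURST:
        name, severity = f"{name} x{count} (burst)", 4
    priority = severity * ASSET_CRITICALITY.get(host, 3)
    return {"event_id": event_id, "host": host, "user": user, "count": count,
            "name": name, "severity": severity, "priority": priority}

def triage(events):
    # Drop unwatched events; collapse 4625s to one alert per host/account so a burst
    # of failures becomes one high-priority alert instead of several low ones.
    alerts, failed = [], defaultdict(int)
    for e in events:
        if e["event_id"] == 4625:
            failed[(e["host"], e["user"])] += 1
        elif e["event_id"] in WATCHED_EVENTS:
            alerts.append(make_alert(e["event_id"], e["host"], e["user"]))
    alerts += [make_alert(4625, h, u, n) for (h, u), n in failed.items()]
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)
```

Running `triage(parse_events(SAMPLE_LOG))` puts the cleared audit log on the domain controller first and the workstation password-guessing burst last, which is the ordering an analyst under alert fatigue needs.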
Tools such as an Endpoint Detection and Response (EDR) product give visibility into, and possibly automatic response to, malicious events. However, it is critical that the security team be comfortable manually reviewing and understanding the events in order to prevent malicious actions in the future.
Preventing the possibility of malicious action is much better for the organization than responding to the activity after the fact and attempting to piece together what happened.
Meeting Compliance Requirements
Along with protecting the organization, alert management is becoming a requirement for compliance with a variety of industry regulations, frameworks, and federal laws. Many of these regulations require specific security controls to protect data and services, reporting of any failure to deploy those controls, and reporting of any incidents that an organization experiences.
Without alert management, the organization may not have the visibility to know when they are being attacked, know when data is accessed or removed, or be able to provide information to investigators/courts in the event of an incident.
In some cases where alert management is included in modern software, failure to regularly review the alerts and respond accordingly could be considered negligence on the part of the organization or the security professionals.
In Simple Terms
Although the process can be complex, best practices follow two principles:
- The organization needs to know what is happening on their workstations, systems, and network.
- The security team needs to know what is considered normal activity, an out-of-the-ordinary event, or an incident that may cause harm to people or the organization. They need to be trained on the alert management processes, and their response needs to be tested on a regular basis.
These two principles provide a strong foundation for utilizing alert management to best protect your environment and people.