Jumpstart Incident Response

The people have spoken. “We want [real] alert relief”.

In my previous post, Never let your guard down, I emphasized the need for a security operation process to better face known and unknown attacks with automation and hunting. However, I intentionally left out a key ingredient… THE ALERT (or incident or indicator or investigation or whatever you call it). Before an analyst can make a decision and assign an appropriate course of action (automated or manual), they need to understand what they’re looking at, where the alert came from, what triggered the alert, who is involved, what is involved (e.g. server, host), were there any similar alerts in the past, … you get the point. The major challenge in answering these questions lies in the current state of siloed bursts of context-unaware alerts and the transition to context-aware incident management. There is an obvious need to give THE ALERT, some well-deserved, first-class citizen treatment!

Looking back about twenty years ago, security analysts were also outnumbered by the volume of alerts generated. However, one (huge) difference was the attack surface. The increasing attack surface across cloud infrastructure-as-a-service (IaaS) and cloud applications (SaaS), mobile, virtualization, BYOE(ndpoint), Industrial Control Systems (ICS) and general OT environments is more open than ever. This triggered an exponential growth in alerts created. The capabilities to support that explosion of alerts (what we all know as alert fatigue) lagged behind.

Which led me to ask, what are the most common actions a (Read more...)