WHY CRITICAL ALERTING IS A MUST HAVE FOR INCIDENT RESPONSE TO BE EFFECTIVE
At OnPage, we spend a lot of time thinking about how to impress upon people the importance of critical IT alerting. So when our CEO Judit Sharon emailed me about an upcoming HIMSS webinar entitled Incident Response is the New Black – A Must Have For Your Security Strategy, I was intrigued. I wanted to know how the speaker would treat alerting in incident response.
As it turned out, while the webinar was fascinating, the discussion focused on response dictionaries and procedures and did not mention critical alerting at all. I was left wondering: why would an organization focus solely on incident response to protect its IT? How can an organization have an effective incident response platform without a critical alerting platform? To stay with the fashion metaphor, wouldn't that be like putting on pants but forgetting to button them? If you forget to button your pants, they fall down. Without proper critical alerting, your response posture will crack.
The pain of attack
The real pain caused by attacks is the reason so many IT offices, whether sole practitioners or centers within hospitals, law offices or other businesses, are focused on incident response to security events. A simple look at the statistics is enough to shock even the most even-keeled IT professional. According to recent stats:
- In 2015, nearly 300 million records were leaked and over $1 billion stolen
- Last year, 2500 cases of ransomware occurred and cost $24 million in the US alone
- Companies saw an average of 160 successful cyberattacks per week last year
- Kaspersky Lab reports that the average direct cost of a security breach to a small business is $38,000. This total includes the cost of downtime, lost business opportunities and the professional services small businesses hire to mitigate the breach.
- Reports show that when a breach occurs, it is often because an employee left the gate unlatched: inside employees are the largest source of security breaches.
To handle the breadth and impact of these incidents, IT centers develop robust policies, playbooks and procedures. Yet when an inside employee enables an attack and a breach occurs, the on-call engineer often receives nothing more than an email or a phone call, maybe a text, rather than a persistent and immediate alert. How well do you think an alert through one of those channels performs in getting the on-call engineer's attention?
From pain to plan: Using critical alerts and playbooks
If an IT center or office has intelligently designed its principle of least privilege (POLP) policy, granting each individual only the access needed to perform their job, the organization will have a clear picture of which privileges are enabled and who has access to what. It will also have a strong understanding of what is normal and what is anomalous behavior on its network.
POLP enables preemption of both malicious and accidental breaches by narrowing the list of possible points of exploitation, which in turn narrows the list of users who might be suspected or held accountable. When an alert does fire because someone has improperly accessed a point on the network, OnPage allows officials to recognize the critical situation in real time.
Critical alerting enables:
- Persistent alerting
- Alerting of the right individual rather than alerting to the whole team
- Escalation when the primary responder is not available
- Insight into the site and exact nature of the breach
- Audit trails to enable follow up on response time
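The capabilities listed above (persistent re-paging, paging one named responder rather than the whole team, escalation when the primary does not answer, carrying the site and nature of the breach, and an audit trail) can be modelled in a few dozen lines. The following is an added example written for this post, not OnPage's code or its API; the class names, the responders and the timings are constructed for illustration.

```python
# Added example (not OnPage's code): a minimal escalation engine modelling the
# capabilities listed above. All class and function names are invented for
# illustration; the responders and timings are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Responder:
    name: str
    # On which notification attempt this person acknowledges (None = never answers).
    # This stands in for a real person's behaviour in the simulation.
    acks_on_attempt: Optional[int] = None


@dataclass
class EscalationPolicy:
    chain: List[Responder]        # primary on-call first, then escalation targets
    retry_interval_s: int = 60    # persistent alerting: re-page this often
    max_attempts: int = 3         # pages per responder before escalating


@dataclass
class AuditEvent:
    t: int            # seconds since the alert was raised
    responder: str
    action: str       # "notified", "acknowledged", "escalated" or "exhausted"


@dataclass
class Alert:
    alert_id: str
    source: str       # site of the breach, e.g. the host or sensor that raised it
    detail: str       # exact nature of the breach
    audit: List[AuditEvent] = field(default_factory=list)
    acknowledged_by: Optional[str] = None


def dispatch(alert: Alert, policy: EscalationPolicy) -> Alert:
    """Page one responder at a time (not the whole team), keep re-paging until
    acknowledged, then escalate to the next person in the chain. Every step is
    written to the alert's audit trail so response time can be reviewed later."""
    t = 0
    for idx, person in enumerate(policy.chain):
        for attempt in range(1, policy.max_attempts + 1):
            alert.audit.append(AuditEvent(t, person.name, "notified"))
            if person.acks_on_attempt is not None and attempt >= person.acks_on_attempt:
                alert.audit.append(AuditEvent(t, person.name, "acknowledged"))
                alert.acknowledged_by = person.name
                return alert
            t += policy.retry_interval_s
        nxt = policy.chain[idx + 1] if idx + 1 < len(policy.chain) else None
        if nxt is not None:
            alert.audit.append(AuditEvent(t, nxt.name, "escalated"))
    alert.audit.append(AuditEvent(t, "-", "exhausted"))
    return alert


def time_to_acknowledge(alert: Alert) -> Optional[int]:
    """Seconds from first page to acknowledgement, or None if nobody answered."""
    for ev in alert.audit:
        if ev.action == "acknowledged":
            return ev.t
    return None


def run_sample() -> Alert:
    """Constructed scenario: the primary never answers, the secondary answers
    on the second page."""
    policy = EscalationPolicy(chain=[Responder("primary-oncall"),
                                     Responder("secondary-oncall", acks_on_attempt=2)])
    alert = Alert("ALERT-0001", "fileserver-01",
                  "privileged share accessed outside POLP grant")
    return dispatch(alert, policy)


if __name__ == "__main__":
    a = run_sample()
    for ev in a.audit:
        print(f"t+{ev.t:>4}s {ev.action:<12} {ev.responder}")
    print("acknowledged by:", a.acknowledged_by, "after", time_to_acknowledge(a), "s")
```

In the sample scenario the primary is paged three times over two minutes, the alert escalates, and the secondary acknowledges at t+240s; the audit list is the record a post-mortem would read to find out where the four minutes went. The "exhausted" event is the case a single email or text never surfaces: nobody in the chain answered, and the system says so instead of going quiet.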
Security officials can then turn to playbooks to know exactly which steps to follow. Excel is not a viable option for playbooks. Instead, IT staff need a robust database that enables them to:
- Articulate normal operating parameters and what constitutes anomalies
- Identify the nature of the alert
- Understand network baselines and how to handle situations that deviate from them
- Identify roles and responsibilities within the organization and what must be done when anomalies are detected
- Include contact information
- Design eradication and recovery procedures
- Conduct a post-mortem when events occur
An effective incident management system (IMS) will combine these capabilities with a robust alerting system like OnPage. When endpoint and network monitoring systems are integrated with OnPage’s critical alerting platform, responders are immediately notified of anomalous events.
Measure, Evaluate and Update
After an attack has been alerted on and resolved, it is important to conduct a post-mortem to review how well the team performed. As part of the post-mortem, teams should look at how long it took them to recognize the attack, how long it took to alert on it, how long it took to respond, and how long it took to resolve it. By tracking these metrics, teams can minimize their Mean Time to Resolution (MTTR).
Additionally, by reviewing MTTR, teams have a metric against which they can compare their response time on other incidents and see what impeded or improved it. Only by acknowledging the importance of this metric and bringing it into the IT wheelhouse can teams respond effectively.
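The four durations named above (recognize, alert, respond, resolve) are just differences between milestone timestamps, and MTTR is their end-to-end average across incidents. The following is an added example, not code from the original post: it takes constructed incident records with five milestones each, computes the per-phase minutes, averages them, and reports which phase contributes most to MTTR, which is where a post-mortem should focus. The incident data and phase labels are my own.

```python
# Added example, not from the original post: computing the post-mortem metrics
# described above from per-incident milestone timestamps. The incidents below
# are constructed sample data; the phase names are my own labels.
from datetime import datetime
from statistics import mean
from typing import Dict, List

# Five milestones per incident: when the attack began, when it was recognized,
# when the responder was alerted, when the responder started work, when it was resolved.
INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-101", "occurred": "2016-03-01T02:00:00", "detected": "2016-03-01T02:05:00",
     "alerted": "2016-03-01T02:06:00", "responded": "2016-03-01T02:20:00",
     "resolved": "2016-03-01T03:30:00"},
    # Alert went out by email and sat unread: a long respond phase
    {"id": "INC-102", "occurred": "2016-03-04T10:00:00", "detected": "2016-03-04T10:30:00",
     "alerted": "2016-03-04T10:31:00", "responded": "2016-03-04T11:10:00",
     "resolved": "2016-03-04T12:00:00"},
    {"id": "INC-103", "occurred": "2016-03-09T08:00:00", "detected": "2016-03-09T08:02:00",
     "alerted": "2016-03-09T08:03:00", "responded": "2016-03-09T08:08:00",
     "resolved": "2016-03-09T08:40:00"},
]

# (phase name, start milestone, end milestone) in the order the post lists them
PHASES = [
    ("time_to_detect", "occurred", "detected"),
    ("time_to_alert", "detected", "alerted"),
    ("time_to_respond", "alerted", "responded"),
    ("time_to_resolve", "responded", "resolved"),
]


def phase_minutes(incident: Dict[str, str]) -> Dict[str, float]:
    """Minutes spent in each phase plus the end-to-end total for one incident."""
    ts = {k: datetime.fromisoformat(v) for k, v in incident.items() if k != "id"}
    out = {name: (ts[end] - ts[start]).total_seconds() / 60 for name, start, end in PHASES}
    out["total"] = (ts["resolved"] - ts["occurred"]).total_seconds() / 60
    # A negative phase means the milestones were recorded out of order.
    if any(v < 0 for v in out.values()):
        raise ValueError(f"{incident['id']}: milestones out of order")
    return out


def mean_by_phase(incidents: List[Dict[str, str]]) -> Dict[str, float]:
    """Average of each phase across incidents; 'total' is the MTTR."""
    per = [phase_minutes(i) for i in incidents]
    return {name: mean(p[name] for p in per) for name in per[0]}


def mttr_minutes(incidents: List[Dict[str, str]]) -> float:
    return mean_by_phase(incidents)["total"]


def slowest_phase(incidents: List[Dict[str, str]]) -> str:
    """The phase contributing most to MTTR, i.e. where to focus improvement."""
    avg = mean_by_phase(incidents)
    return max((n for n in avg if n != "total"), key=lambda n: avg[n])


if __name__ == "__main__":
    for name, minutes in mean_by_phase(INCIDENTS).items():
        print(f"{name:<16} {minutes:6.1f} min")
    print("MTTR:", round(mttr_minutes(INCIDENTS), 1), "min;",
          "slowest phase:", slowest_phase(INCIDENTS))
```

On the sample data MTTR comes out at about 83 minutes, and the resolve phase dominates, but INC-102 shows the pattern the post is warning about: the alert itself took one minute, while waiting for someone to see an unread email took 39. Keeping the alert and respond phases separate in the audit record is what makes that distinction visible.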
Without the addition of the OnPage critical alerting platform, an IMS is just a pair of pants without a button. IMS needs OnPage to keep its pants on.