The Role of Live Event Notifications in Your Incident Response Plan

According to a study from the University of Maryland, a hacking attack occurs every 39 seconds. During a quick coffee break, your systems could be attacked up to a dozen times. Depending on how your alerts are set up, you might miss a dozen or more notifications. 

Missed or delayed alerts, and the resulting slow responses, provide attackers with more time. Every minute provides attackers another opportunity to damage your systems or steal your data. 

To avoid delayed alerts and slow response times, many security teams are adopting live event notifications. In this article, you’ll learn what a live event notification is and how to incorporate it into your incident response plan (IRP).

What Is a Live Event Notification?

A live event notification is a status update for a current security event. Live event notifications are often referred to as real-time alerts. These notifications are triggered when a predefined event or series of events is recognized by your monitoring systems. Alerts can be sent to mobile devices, workstations, administrative consoles, or via SMS or email. 

Here’s how the process OnPage process works:

• The system recognizes a predefined event.
• The system sends alerts with an intrusive, loud, Alert-Until-Read notification to the mobile device. There’s a low chance of missing or ignoring this type of alert.
• If you miss an Alert-Until-Read notification, it will escalate to another team member.
• As a method of redundancy, alerts can also be sent as SMS, email or phone call.

Benefits of live event notifications include:

• Help notify team members of potential outages or issues
• Reduce downtime and damage by enabling fast response
• An early response can limit the number of support requests
• Provide an audit trail for notifications and response

What Is an Incident Response Plan?

An IRP is a documented method for detecting, evaluating and eliminating threats to your systems. It ensures fast and efficient incident management from your response team according to a standardized protocol. 

There are six components needed to build an effective incident response plan:

• Preparation—systems are evaluated, staff is trained, and protocols are developed.
• Detection—the threat or threat behavior is detected and investigated.
• Containment—the threat is contained to prevent further harm and enable analysis.
• Eradication—the threat and any threat traces are eliminated from the system.
• Recovery—any lost services or data are recovered or relaunched.
• Refinement—feedback is collected from responders and outcomes to improve future responses.

In the context of IRPs, live event notifications typically alert to incidents although notifications can be sent for non-incident events. This may be confusing if you are used to using “event,” “alert,” and “incident” interchangeably. However, these terms are not the same. 

To clarify:

• Event—a change in the behavior of a system. For example, updated permissions or the deletion of a backup.
• Alert—a notification of an event. You should assign alerts to events that pose a risk to your system or operations, such as running out of bandwidth.
• Incident—an event that harms or negatively affects your organization, systems, or data. For example, malware download or exfiltration of data.

How to Incorporate Live Event Notifications Into Your IRP

Live event notifications can provide the greatest benefit if you embed alerts throughout your incident response planning. 

Preparation

During the preparation phase, you should identify what alerting systems you’re currently using and their capabilities. If systems are only able to send alerts to a central or proprietary console, you should consider integrating a universal notification tool. 

Notifications sent to a central console are useful but only when you are using the console. Universal notifications ensure that your team is alerted regardless of where they are or what tools they are currently using.

Once you know how your alerts are sent, you need to define which events you wish to receive notifications for. You also need to define who should get notifications and how. You should define alert recipients and types by priority. 

For example, critical incidents should trigger alerts to several modes, including mobile devices, email and persistent screen notifications. It’s also important to create a fallback system in case your primary responder is unavailable.

Detection

During the detection phase, your notifications are actually sent. Notifications should contain concise information about the event that is occurring, including time, location, the origin of the alert and the user.

Any issued notifications need to be tracked in audit logs. Data on notification acknowledgment and response times should be collected for review during the refinement phase.

Containment and Eradication

During these phases, you should use live event notifications to keep your team, employees and stakeholders updated on event response. These notifications can enable individuals to react appropriately to current conditions, such as anticipated downtime. Notifications can also enable you to dispense information in a uniform and automated way.

Recovery and Refinement

At the end of the recovery phase, you can use live event notifications to inform your stakeholders and teammates of a successful response. You can also use alerts to inform them of updated policies and requirements, such as a prompt to change passwords. 

During the refinement phase, you should use data collected on notification receipt and response to improve your plan. If notifications go unanswered, you might consider changing the mode of the alert or who it’s sent to. If notifications aren’t triggered when expected, look at your notification policies. You need to ensure that alerts are tied to events correctly.

Conclusion

Live event notifications can mean the difference between a close call and a disaster. The challenge is making sure that these notifications don’t overwhelm your team. There are many events occurring in your system at all times, many of which are not a cause for concern. To ensure that alerts don’t go ignored, make sure that only key events trigger live notifications.

Choose your events carefully and address your notifications to the right people in the right way. Limiting alerts in this way will prevent alert fatigue and ensure that your team responds accordingly.