Not everything is an emergency, but anything could become one.
This sentiment is the key reason why implementing effective alert and incident triage within your company matters. All organisations will experience an information security incident at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and reduce any financial impact. (Gov.UK)
Effective triage allows you to assess an incident rapidly and execute the correct protocol for that particular problem before it reaches a critical point. This means understanding the many security incident types, how each attack could unfold, and the right response from your company to contain and remove the threat.
How do you set up an effective triage?
Certain security threats will affect your company more than others. Identifying these first deals with the 'low-hanging fruit' and lets your business formulate a strategy tailored to the most likely attack vectors.
Just some of the activities the National Cyber Security Centre (NCSC) recognises as security policy breaches are:
- attempts to gain unauthorised access to a system and/or to data.
- the unauthorised use of systems and/or data.
- modification of a system's firmware, software, or hardware without the system-owner's consent.
- malicious disruption and/or denial of service.
To identify which threats are likely to affect your business you need an overview of your entire system. Understanding how the segregated parts of your network normally communicate lets any deviation from that pattern serve as an indicator of compromise. Detailed knowledge of 'normal' operation allows a baseline to be created, so that anomalies can be treated with suspicion. This is far preferable to an endless list of alerts generated without environmental awareness.
The key to response is simple: follow the attacker's path and have a clear set of steps for each type of breach. This holds regardless of the attack type or method of exploitation: detect the attack, follow the attacker's path, and triage.
It is also important to account for mistakes from inside your company and for threats which aren't real. You don't want to waste time building an incident management system around threats that are not the core issues affecting you. False positives are an issue with every system, but minimising them allows more effective incident response.
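As an added illustration (not code from this article or from Quorum Cyber), the following Python sketches the baseline-then-anomaly approach described above: learn which network segments talk to which on which ports during a known-good period, then triage new flow records against that baseline, grouping repeats into a single alert and suppressing a pattern an analyst has already reviewed so that false positives stay down. The segment ranges, flow-record format, log lines, suppression entry and severity rule are all constructed for the example and would be replaced by your own inventory and telemetry.

```python
"""Baseline network-segment communication, then triage new flows against it.

Added example: the segment ranges, flow-record format, log lines and severity
rule below are constructed for illustration, not taken from any real environment.
"""
import ipaddress
from collections import defaultdict

# Constructed segment map. In practice this comes from your network inventory.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}
SENSITIVE = {"db", "mgmt"}  # segments whose unexpected exposure is escalated
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed flow records, one per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
BASELINE_LOG = """
2024-05-01T09:00:00 10.10.4.21 10.20.0.5 443 tcp
2024-05-01T09:00:05 10.20.0.5 10.30.0.7 5432 tcp
2024-05-01T09:01:00 10.99.0.2 10.30.0.7 22 tcp
2024-05-01T09:02:00 10.10.4.22 10.20.0.5 443 tcp
2024-05-01T09:03:00 10.10.4.21 203.0.113.10 443 tcp
""".strip().splitlines()

NEW_LOG = """
2024-05-08T10:00:00 10.10.4.30 10.20.0.5 443 tcp
2024-05-08T10:00:10 10.10.4.30 10.30.0.7 5432 tcp
2024-05-08T10:00:11 10.10.4.30 10.30.0.7 5432 tcp
2024-05-08T10:01:00 198.51.100.7 10.99.0.2 22 tcp
2024-05-08T10:02:00 10.10.4.31 10.10.4.32 445 tcp
2024-05-08T10:03:00 10.20.0.5 10.30.0.7 5432 tcp
""".strip().splitlines()

# Known-benign pattern an analyst has already reviewed (workstation-to-workstation SMB).
SUPPRESS = {("users", "users", 445)}


def segment_of(ip):
    """Map an address to its segment name; anything outside the map is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def flow_key(flow):
    """The unit of 'normal' here is (source segment, destination segment, port)."""
    return (segment_of(flow["src"]), segment_of(flow["dst"]), flow["port"])


def build_baseline(lines):
    """Count how often each segment-to-segment:port pattern was seen in a known-good period."""
    baseline = defaultdict(int)
    for line in lines:
        baseline[flow_key(parse_flow(line))] += 1
    return dict(baseline)


def priority_for(key):
    """Constructed severity rule: unseen traffic into a sensitive segment is escalated."""
    src_seg, dst_seg, _port = key
    if dst_seg in SENSITIVE:
        return "high" if src_seg == "external" else "medium"
    return "low"


def triage(lines, baseline, suppress=frozenset()):
    """Return alerts for flows absent from the baseline, one per pattern, highest priority first."""
    grouped = {}
    for line in lines:
        flow = parse_flow(line)
        key = flow_key(flow)
        if key in baseline or key in suppress:
            continue  # expected traffic, or a reviewed pattern: no alert
        alert = grouped.setdefault(key, {
            "src_segment": key[0], "dst_segment": key[1], "port": key[2],
            "count": 0, "first_seen": flow["ts"], "priority": priority_for(key),
        })
        alert["count"] += 1
    return sorted(grouped.values(),
                  key=lambda a: (PRIORITY_ORDER[a["priority"]], -a["count"]))


if __name__ == "__main__":
    for alert in triage(NEW_LOG, build_baseline(BASELINE_LOG), SUPPRESS):
        print(f"[{alert['priority']:<6}] {alert['src_segment']} -> "
              f"{alert['dst_segment']}:{alert['port']} x{alert['count']} "
              f"first seen {alert['first_seen']}")
```

Run against the constructed records, the new log produces two alerts: the external-to-management SSH attempt is escalated to high, the repeated user-to-database connections collapse into a single medium alert, and the workstation-to-workstation SMB flow is silenced by the suppression entry rather than adding a third, low-value alert. The baseline period must itself be clean for this to be trustworthy; a baseline learned while an intrusion is already underway will teach the detector to treat the attacker's path as normal.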
To help streamline this process and aid in setting up your system, Quorum Cyber can offer expert advice, whether on a single project or for the company as a whole. To find out more, read about our services here.