18 Sep Why the difference between alerts and incidents matters, when minutes count
By JP Bourget
The recent Equifax breach is leading many organizations to re-evaluate their own capabilities to prevent, detect, and respond to the earliest signs of similar breach scenarios. While there’s debate as to how to prevent such intrusions, almost everyone agrees the process of detection and response here was too slow. How can firms without the vast resources that Equifax has solved this problem affecting such a large credit bureau? The answer lies in a better understanding of a key distinction most Security Operations teams are missing – how and why to treat security alerts and security incidents separately, and differently.
The medical term triage is particularly useful for illustrating why security operations centers (SOCs) need to separate how they handle alerts and incidents. These terms are often used casually and interchangeably – particularly when associated with analyst “fatigue.” However, no one should lose sight of the fact that alerts pertain to potentially suspicious or malicious activity underway against an organization. Incidents are a bit more concrete; generally qualifying that something adverse is about to happen, or is happening to a system processing, storing or transmitting sensitive information – unless an action is taken to mitigate the consequences.
When incident responders anywhere co-mingle these terms, they dramatically increase the existing workload, stress and error rate of their actions. Medical experts encountered this problem first and created universal triage protocols to sort injuries and ailments according to each case’s needs and the benefit of different treatment actions.
This is why patients arriving at the emergency room are not greeted by the hospital’s most specialized surgeons or equipment, by default. Instead, staff performs triage to assess reported symptoms (“alerts”) and relevant factors like age and medical history to sort out cases’ severity and decide what types of “incidents” are underway. This is where heartburn is separated from heart attacks – reserving scarce specialists and lifesaving equipment for only those urgent, priority cases requiring this elevated, more expensive skillset and immediate action. It is crucial to note that human beings, not software, take the lead in medical triage. Technology simply adds speed and accuracy to professionals’ know-how and experience.
Assess and act faster – then repeat
Advances like telemedicine extending and orchestrating triage at massive scale are an exciting area of healthcare because data suggest they improve the quality of care while slashing unnecessary costs. The benefits of this are hard to overstate. In addition to saving lives and optimizing resources, digital triage becomes a powerful “system of record,” documenting every action in treatment. This is invaluable for documenting compliance with standards and identifying areas for continuous improvement.
From the ER to the SOC
At Syncurity, our team thinks of transformational shifts like telemedicine as we help customers optimize and integrate people, processes, and technologies inside their SOCs to realize better cybersecurity outcomes. Our IR Flow platform redefines incident response by empowering existing security staff to accelerate and prioritize actions in response to the most urgent cyber threats. As in frontline medicine, we are not out to replace SOC staff. Instead, IR Flow keeps skilled humans in the loop to magnify their contributions and capitalize on hard-won knowledge.
Security analysts and investigators rely on IR Flow to separate alert triage and incident handling, taming otherwise overwhelming volumes of information generated by layered security products. Analysts designed IR Flow’s alert handling workspace, or “Triage Queue,” to enable accurate inspection of alerts and facilitate rapid decision-making. Here, a patent-pending Triage Scoring Engine complements analysts’ knowledge by modeling specific business risks to customers’ enterprise and dynamically scoring alerts. The benefits are the same when having a patient’s medical history available digitally can expedite and improve the accuracy of the triage process, and automatically compiling all relevant data associated with a security alert for a skilled professional to review and act upon.
For those alerts escalated to incident status, IR Flow’s dedicated Incident Workbench lets security teams use recommended and customized security “playbooks” to more cohesively and conclusively contain and mitigate urgent risks with the controls in their current security and IT stack. The orchestration of these playbooks across the security and IT infrastructure are automated where possible, further minimizing the time it takes to mitigate risk.
Just as pivotal triage principles help remote clinics and urban hospitals alike, IR Flow’s rich features and interoperability were created to scale with any size security team. Instead of dictating how SOCs function with arbitrary ideas and lock-in, we take a “bring your own enterprise” philosophy that keeps prized, human experts in control – so workflows can always be updated as necessary and teams can introduce automation and orchestration on their terms.
In security and medicine, the goal should always be to empower and force-multiply skilled professionals, not replace them. Contact us if you are interested in joining this cause and reach out to us on Twitter, LinkedIn or Peerlyst to share your own take on triage.