Comments on TaoSecurity Blog: Is an Alert Review Time of Less than Five Hours Enough?
Blog author: Richard Bejtlich

Comment by Armando (2015-01-27 13:28 -05:00):

It strikes me that this becomes a task of managing the ratio of signal-to-noise in the critical alert channel. The threat landscape is constantly evolving and the nature of alerts should change in response. However, when *responding* to a critical alert there is little time to assess it with a broader perspective. Perhaps it would help to have a weekly or monthly audit where alerts can be reviewed and reclassified according to current criticality. This could also present an opportunity to tweak those alerts that seem too 'noisy'.

Comment by Richard Bejtlich (2015-01-25 07:57 -05:00):

Hi Anonymous,

Good question. I've addressed this many times before, but not in this post. The "one hour rule" had an exception -- we chose not to follow it if we could not determine how the intruder gained access to the network. For example, if we discovered an intrusion, and could tell that we found a beacon caused by a phishing email, and we had just identified the foothold, then we would contain immediately. On the other hand, if we found a beacon, but had no idea how the intruder gained access to the network, we would recognize that the beacon and compromised box was our only "link" to the intrusion. Cutting it off immediately would be a bad idea.

I cover this topic in chapter 9 of The Practice of Network Security Monitoring.

Comment by Anonymous (2015-01-24 18:59 -05:00):

Building the expectation with seniors that all critical alerts will be "mitigated" within 1 hour seems like it could put you in a difficult situation if you have a serious breach and not some generic malware or simple situation (misconfiguration, etc.). It then leads me to the following questions:

What are you calling mitigation? Removing the box from the network?

What happens if your alert has identified a compromise that has been present for months/weeks? Do you just perform mitigation using the information at hand within the first hour? I don't think whack-a-mole is a good strategy for IR, and I think there are definitely cases I have seen where it has put networks at a far greater risk (scorched earth).