When an incident is reported, the right people need to be involved. Some users only need to be advised; others will be actively involved in managing the investigation through to its conclusion. As far as possible this should be an automated process, albeit with the possibility of manual overrides. Initially, collaboration follows the organization's pre-set requirements. TeamMacro TERSM supports three models: centralized, decentralized and hybrid. The centralized model suits the situation where a "dispatcher" group analyses the incident and decides who should manage it. This can make the most efficient use of resources, because people are only involved when needed and the central group has the expertise to decide who that should be. In most cases, however, a hybrid model is used: the incident manager is determined automatically, for instance the security manager nearest the incident's location, but others are involved as well, such as that manager's functional manager, a country manager and/or a central forensic group.
Beyond the default determination, there are other considerations. Some incident types are so critical that the chief security officer needs to be advised. Others are specialized: a potential data protection incident, for example, should be notified to the data protection officer, and where there are cyber-crime implications an organization may have a specialized IT team set up to investigate, and that team should be advised.
In TeamMacro TERSM, we call these notifications "invites". A user, or a group of users, is invited to the incident. As a matter of principle, at any one time there is always one and only one user or group responsible for managing the incident; other users may be invited to support the investigation. But what happens if the incident manager is not available and the incident is critical? This is one example of the next level of alerting: reminders. Thresholds can be set by which an incident must be attended to. For instance, a manager must look at a case within 3 working days; otherwise all invitees are notified that this has yet to happen. Another example is data protection, where a risk assessment must be made within a set number of hours. If no assessment is made, all invitees, which would include the data protection officer, are notified that an action is overdue.
Finally, there are alerts that relate to a quantitative analysis of an incident, or even of a group of incidents. For example, if the estimated loss exceeds a certain value, an alert can be set to highlight that. For groups of incidents this leads into the realm of key performance indicators: for instance, send an alert if there were more than a pre-set number of incidents last month at a location, in a country or in a business unit. By setting intelligent alerts we can gain insights that would otherwise not be readily apparent.
In summary, TeamMacro TERSM follows these best-practice guidelines:
- At a base level, monitoring is automated and not dependent on users.
- Smart thresholds can be set to avoid "alert fatigue" while still highlighting critical events to the right people.
- Alerts are not unnecessarily duplicated. The more users see the same alert the less likely they are to take notice of it.
- Some alerts are more important than others. The alert should highlight the severity and inform the right people according to its criticality.
- It is important to separate this incident management alerting from the investigations themselves. We are careful to ensure that the content of the incident is not included in the alert; it carries only criticality and progress. Alerted users are directed into the system to look at the details of the incident.
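The invite, reminder and quantitative alert mechanisms described above, together with the guidelines in this list (one responsible manager, no duplicated alerts, severity carried in the alert, no incident content in the alert), can be sketched as a small alert engine. The Python below is an added illustration, not TeamMacro TERSM code: the incident records, thresholds, recipient names and portal URL are all constructed for the example, and working days are counted as Monday to Friday with public holidays ignored.

```python
"""Threshold alerting: reminders, loss and KPI alerts, de-duplication, content-free alert text."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

PORTAL_URL = "https://tersm.example/incidents"  # hypothetical link into the system

@dataclass
class Incident:
    ident: str
    kind: str                  # e.g. "theft", "data_protection"
    location: str
    reported: datetime
    manager: str               # exactly one responsible user/group at any time
    invitees: list             # supporting users/groups that were "invited"
    severity: str              # "low", "high" or "critical"
    estimated_loss: float = 0.0
    details: str = ""          # investigation content; must never reach an alert
    first_viewed: datetime = None
    risk_assessed: datetime = None

@dataclass(frozen=True)
class Alert:
    incident: str
    severity: str
    reason: str
    recipients: tuple

def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by Mon-Fri working days (public holidays ignored: an assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def reminders(incidents, now, view_days=3, dp_assess_hours=72):
    """Overdue actions: every invitee is told that the action has not happened."""
    out = []
    for inc in incidents:
        recips = tuple(dict.fromkeys([inc.manager, *inc.invitees]))  # each person once
        if inc.first_viewed is None and now > add_working_days(inc.reported, view_days):
            out.append(Alert(inc.ident, inc.severity,
                             f"not viewed within {view_days} working days", recips))
        if (inc.kind == "data_protection" and inc.risk_assessed is None
                and now > inc.reported + timedelta(hours=dp_assess_hours)):
            out.append(Alert(inc.ident, inc.severity,
                             f"risk assessment overdue ({dp_assess_hours}h)", recips))
    return out

def loss_alerts(incidents, threshold, recipients):
    """Quantitative alert on one incident: estimated loss above a threshold."""
    return [Alert(i.ident, i.severity, f"estimated loss exceeds {threshold:,}", tuple(recipients))
            for i in incidents if i.estimated_loss > threshold]

def kpi_alerts(incidents, year, month, per_location_max, recipients):
    """Quantitative alert on a group: incidents per location in a given month."""
    counts = Counter(i.location for i in incidents
                     if (i.reported.year, i.reported.month) == (year, month))
    return [Alert("KPI", "high", f"{n} incidents at {loc} in {year}-{month:02d} "
                  f"(limit {per_location_max})", tuple(recipients))
            for loc, n in sorted(counts.items()) if n > per_location_max]

def dedupe(alerts):
    """Drop exact repeats so nobody sees the same alert twice."""
    return list(dict.fromkeys(alerts))

def render(alert):
    """Criticality, progress and a link into the system only; no incident content."""
    return f"[{alert.severity.upper()}] {alert.incident}: {alert.reason}. See {PORTAL_URL}/{alert.incident}"

def leaks_content(alerts, incidents):
    """True if any investigation detail appears in a rendered alert."""
    texts = [render(a) for a in alerts]
    return any(i.details and i.details in t for i in incidents for t in texts)

NOW = datetime(2024, 3, 20, 9, 0)  # a Wednesday; the sample data below is constructed
INCIDENTS = [
    Incident("INC-1", "theft", "Berlin", datetime(2024, 3, 13, 10, 0), "secmgr_berlin",
             ["country_mgr_de", "secmgr_berlin"], "high", 12_000, "laptop stolen from parked car"),
    Incident("INC-2", "data_protection", "Berlin", datetime(2024, 3, 15, 14, 0), "secmgr_berlin",
             ["dpo"], "critical", 0, "customer list e-mailed externally", datetime(2024, 3, 18, 9, 0)),
    Incident("INC-3", "vandalism", "Berlin", datetime(2024, 3, 19, 8, 0), "secmgr_berlin",
             [], "low", 500, "graffiti on loading bay", datetime(2024, 3, 19, 8, 30)),
    Incident("INC-4", "fraud", "Paris", datetime(2024, 2, 27, 11, 0), "secmgr_paris",
             ["cso", "cyber_team"], "critical", 250_000, "forged supplier invoices", datetime(2024, 2, 27, 12, 0)),
]

def run_alerting(incidents=INCIDENTS, now=NOW):
    """One scheduler pass; reminders are computed twice to show de-duplication at work."""
    alerts = (reminders(incidents, now) + reminders(incidents, now)
              + loss_alerts(incidents, 100_000, ["cso"])
              + kpi_alerts(incidents, now.year, now.month, 2, ["cso"]))
    return dedupe(alerts)
```

Running `run_alerting()` on the constructed data yields four alerts: INC-1 was never viewed within 3 working days of 13 March, so its manager and the invited country manager are reminded (the manager appears once even though listed twice); INC-2's data protection risk assessment is more than 72 hours overdue, so the manager and the DPO are reminded; INC-4's estimated loss exceeds the 100,000 threshold; and Berlin had three incidents in March against a limit of two. Rendering any of these produces severity, incident identifier, reason and a link only, and `leaks_content` confirms that none of the `details` text is exposed.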
Overall, alerting is an essential part of incident management and one in which we have extensive experience. TeamMacro TERSM is designed to reflect that experience, which is based not on technical considerations but on the needs of security professionals.