A DashMagiq Approach
When implementing a new security technology or process, such as a data leakage prevention (DLP) solution, or trying to get a patch management program started, we immediately see additional human resource requirements in medium- or large-sized organizations. Here are the main reasons why, and how to overcome the human resource requirement and workflow challenges.
Evaluating DLP Related Events Does Require Human Intervention
Most current DLP solutions, such as McAfee and Symantec, offer a feature to send events to a single mailbox or to multiple mailboxes. This is an important feature and necessary to make sure there is human intervention. Since you can control the flow of email, add another feature that controls the workflow through email updates. That is exactly what DashMagiq does.
Need to Respond in a Timely, Consistent, and Accurate Manner
This is one of the rare cases where humans excel in accuracy, because events need to be reviewed in context. Was the private data that was sent out a list of friends from high school, and not employee or customer data? In DLP systems, these kinds of false positives that need to be confirmed by humans are not a rare event. If there really is a legitimate leakage that needs escalation to incident handling, or needs to be handled as an employee warning, you want human intervention. A workflow that pushes the event handling process ensures consistency (in handling) and timely responses.
Incident Response Escalations are Standardized
True, which means the underlying event management workflow should be standardized as well. Sometimes we tend to think that such a response mechanism doesn’t need that much attention, downplaying the fact that it is a critical frontline security duty. Event management and its workflow are the very front line, which needs to be just as effective and accurate as a larger incident response. This is where workflow tools are very effective and can make the incident reporting, additional remedial training, or any other management actions smooth.
Workflow in Event Management and Incident Reporting for DLP
Most DLP implementations that I have seen entail setting filters, alerts, and threshold settings, tuning false positives, and then configuring email notification settings. Most out-of-the-box implementations are set up to send to the email owner’s manager and some central security events mailbox. While sending the notification email to the manager does not come with a human resource cost, it is the email that goes to the security events mailbox where a security staff member becomes a requirement.
In an organization of about 7,000 people, our DLP review was a full-time job for one staff member; then, of course, you have to designate backups. The security staff member would have to follow the workflow depicted above. Basically, contact the business manager who was notified, then confirm counseling with the employee. While that was going on, she would inform the CISO and they would determine whether it was an incident or not. Then the business manager would come back to the security staff… you get it.
This process can take a couple of days to reach closure because two of the steps are actually back-and-forth conversations. How about if we just sent emails according to a workflow, so that simple forms could be filled in with responses? It would eliminate the security event mailbox and instead send emails directly, in proper order, to the various reviewers along the review workflow.