Timely, Consistent, and Accurate Event Handling

One of the things that we see when responding to security events is that each event is unique, which makes it interesting. There are silos, for example within DLP we have egress unencrypted email attachment as one silo, then have egress unencrypted one’s own personal information, egress encrypted potentially secret, egress unencrypted secret, and maybe one or two others. Below is a chart for the Private Information Domain when performing data leakage prevention measures and analyzing data coming in but only one domain. There are others related to egress of company secret IP and other types of information that should be encrypted via email. Continue reading Timely, Consistent, and Accurate Event Handling

Consistent Event Management

The balance in handling incidents comes in at the analysis phase where you start out looking for anything, but even parts of this phase involve procedures – ensuring that triage is complete, the required level of system isolation or sandboxing is setup, backup copies are preserved, and other details. Up to that phase, where events are raised, reviewed, and escalated/closed requires a consistent approach, because during the event handling phase inconsistent handling could break down the whole basis for reporting the incident in the first place. Incidents require resources to review, analyze, report, and close, and most of those resources are not expected to handle incidents full-time. Continue reading Consistent Event Management