Analecta Cyber Company Blog: Defining Incident Thresholds Before They are Needed

2018-05-15

Defining Incident Thresholds Before They are Needed

Defining Incident Threshold article header graphic - Analecta LLC Imagine this scenario: Hackers have compromised critical business systems and are exfiltrating data on your company’s network! Do you allow the activity to continue and observe so you can remove any and all possible access? Or, do your pull the plug from the public Internet to stop the intrusion?

These choices represent opposite ends of the spectrum for dealing with active threats; there are many different options between the two. Depending on your particular situation and your business model, you could be justified in taking any of a number of different actions. How will you know which direction to take?

Drawing a “line in the sand” with an incident threshold


Understanding how to respond to a cyber incident involves gauging the severity of the incident in a predetermined manner and having matching response plans. An incident threshold is the “line in the sand” where a specific activity is determined to be a potential security event based upon pre-set conditions. This can take the form of a fixed threshold – a specific metric that exceeds a set limit. Some examples include state-based thresholds, for example, when a device changes from a “running” state to “stopped” state; and historical thresholds, like a system exceeding typical network usage by 120%.

Choosing from the spectrum of different responses that will coincide with your company’s potential for risk is a delicate undertaking. This is why the role of the Chief Information Security Officer (CISO) is so vital to businesses. They are tasked with setting appropriate thresholds based on the impact of the incident and the cost of the response.

A list of least- to most-drastic incident responses may look like this:
  1. Observe: Allow the suspicious activity to continue and observe the network traffic carefully.
  2. Isolate: Isolate a single host and allow the activity to continue under observation.
  3. Remove: Disconnect a single host from the network, perform response/recovery actions on the host, and closely monitor the rest of the network.
  4. Isolate+: Isolate or disconnect a group of systems (like accounting department or payroll), and add temporary additional network controls, such as restricting hours of operation and which users may log into the network.
  5. Remove+: Disconnect critical business assets, and perform response/recovery actions on those assets.
  6. Offline: Pull all external network connections and initiate a full stop of Internet-enabled business activities
Incident Threshold Risk Meter
Incident thresholds are pre-set conditions that help security personnel resolve risks to the business

Observation and isolation are the simplest actions to take but allow the suspicious activity to continue–potentially putting the company at greater risk for data loss. Taking a single host offline or isolating a department’s systems will have direct impact on employees and may cost the company business productivity, however, it is reducing risk from the potential breach. The last two options can be considered a complete business shutdown and will be the most costly in terms of recovery actions and loss of business revenue. However, they are the only “guaranteed” way to stop an attack.

With each of these responses, the CISO and others need to determine what event thresholds should initiate a response, and which response makes the most business sense. For example, suspicious activity on one host may initiate an observe and/or isolate response. A broader compromise, like many hosts communicating with known malicious servers or suspicion that you’re losing a significant amount of protected data may elicit a full-disconnection response.

Having an action plan in place before it is needed


Decide on the appropriate level of response before an incident occurs. While there are many different inputs to consider when determining incident thresholds, cost is typically one of the largest factors to consider. The cost of a response should be consistent with the level of impact of the incident. If a critical server goes offline, the meter now starts with how much it is costing the company being down. Then there is the cost of bringing it back up. Is it more effective to pay the overtime of an internal employee or the service charge of an external agency? Depending on the criticality of the server, it may be worthwhile to pay for an incident response team if it gets your operation up and running faster.

If your company conducts business through the Internet, you will need to determine the cost of keeping that critical resource up. That cost, in terms of data loss or additional compromise while resolving an incident should be weighed against the financial loss you would sustain if you had to disconnect. Smaller-scale intrusions might be remedied on the spot, but others may require more drastic measures. How much revenue will you lose every hour your enterprise is disconnected from the Internet? Even if you don’t think your business requires the Internet, how long can you operate completely disconnected: 1 day? 30 days?

Putting decisions to paper


In order to set appropriate incident thresholds, you need to understand your organization’s tolerance to risk. These are business decisions that require input from leaders across the organization. Understanding the organization’s objectives as well as identifying security priorities will be a key step in defining your incident thresholds. Combine risk analysis with technical detection strategies in order to shape incident thresholds that will give your security team the best possible chance at stopping the data breach and ultimately reducing cost from an attack.

Once you have decided what your incident thresholds are and the appropriate response actions, clearly communicate and document the plan to your security team. All of this planning does you no good if your incident response team lacks access to it when the alarms are blaring. Your security team should know exactly what actions to take, in what order and the impact it will have on the business.

Building a complete cybersecurity plan


Analecta can help guide your incident response and incident threshold planning with a comprehensive look at all security practices within your organization and around high-risk assets. We have devised a 96-point Cyber Risk Assessment that asks tough, realistic questions that can identify the most critical next steps in your firm’s cybersecurity program to maximize protection. The Cyber Risk Assessment is designed to enable small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact.

Email us at info@analecta-llc.com or visit our Cyber Security website. We are here to help!

Further Resources