Actionable alert identification
1. Actionable alert identification
How do you know when you need to respond to a potential security incident? In this video, we'll explore how cloud security professionals identify actionable alerts. The incident response process has three steps. Actionable alerts start this process in the identification step. In this step, you begin to understand what event has occurred. Keep in mind that events happen whenever there’s an observed change in normal operations. Alerts are notifications of the change. Actionable alerts can turn into incidents based on what happens in the event. As a refresher, an incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. As a cybersecurity professional, it's important to be aware that an incident is something that negatively impacts an organization's normal operations and requires a response. Consider this scenario. Failed login events in Cloud Identity software happen frequently and are a normal occurrence, so they may not trigger alerts. There are also abnormal failed login events that do trigger alerts, because someone tries logging in multiple times. For example, this may happen after returning from a vacation. This is an alert that you note, but it requires no action. One day, you’re alerted that a user has a large number of failed login attempts in a short period of time, during their workday, from an unfamiliar IP address. This has become an actionable alert that requires you to respond by initiating the incident response process. To help with incident response, security tools provide quick insight into actionable alerts. These tools scan for vulnerabilities and emerging threats, and alert accordingly. For example, say you’re alerted when there’s a high volume of traffic on the network. It becomes an actionable alert or incident when the traffic is coming from protected data storage from an unauthorized user. You know this is an incident because there is a trigger for the protected data storage and another trigger for unauthorized users. Metrics offer great insight into the happenings of a cloud environment. They can be used to measure the what and how of an event related to an alert, enabling you to quickly identify the issue. For example, say you need to know if there is high CPU usage outside of regular business hours. You can use metrics to identify the what of the alert, which is the CPU usage, and the how of the alert, which is high activity outside of business hours. Let’s introduce three Google Cloud tools and services to help with managing events, threat detection, and alerts. First, the Security Command Center. The Security Command Center is a security posture and risk management platform that gives insight into configuration vulnerabilities and incoming threats. Second, Cloud Logging. Cloud Logging is a Google Cloud-managed platform that allows you to store, search, analyze, monitor, and alert on logging data and events. Alerts can be ingested from many cloud platform vendors, and also from on-premise resources. Third, Chronicle SIEM. Chronicle SIEM is a part of the bigger Chronicle Security Operations. Chronicle SIEM collects security data and helps you identify the highest priority threats. While security tools, —including Google Cloud tools— are essential to any successful security operation, incident response is still a process that’s initiated by security professionals. When starting an incident response process, it's important to first capture the event or alert. This requires you to think about the information, its impact, where it came from, and how it affects normal operations. You must document and investigate events early, even if you're not sure if they're actionable. This will help you communicate clearly with your team and start an incident response process if needed. This video covered events and alerts, their place in incident response, and how security professionals assess and document findings. To be a thoughtful, action-oriented professional, you need to understand the tools and the information they provide, and how to interpret events and alerts. And by considering each alert’s origin, purpose, and impact, you’ll have the information you need to decide what actions to take.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.