What do you do when your phone starts ringing in the middle of a meeting? Do you rush to immediately pick it up, or do you begin to repeatedly press the volume down button to silence it? Well, the answer probably depends on who’s calling, right?
Just as some calls are naturally more important than others, the same is true of security incidents. A cybersecurity monitoring tool can easily generate dozens, if not hundreds, of alerts per day, yet only a fraction of them deserve your immediate attention.
Organizations sometimes become so distracted by low-priority alerts that they miss the few that really matter. The consequences of a delayed or lackluster incident response can be severe, if not devastating.
Organizations should carry out cyber triage to ensure that all high-priority security incidents are properly identified and addressed.
Discover everything you need about managed cybersecurity triage & response in this article – including the triage definition in cybersecurity, the steps in triage analysis, cybersecurity incident examples, and more.
What are security incidents?
A security incident is any event that compromises, or threatens to compromise, the confidentiality, integrity, or availability of an organization's systems or data, and so signals a gap in its defenses.
The cyber kill chain, a model created by Lockheed Martin, illustrates the stages of a cyber attack from reconnaissance through delivery, exploitation, and installation to command and control and actions on objectives. Knowing which stage an incident corresponds to is a useful first indicator of how far an attacker has progressed, and therefore of how serious the incident is.
What are false positives?
False positives in cybersecurity are alerts that indicate a threat when no real threat is present. A few of them cost little more than analyst time, but a steady stream of them buries the real alerts and leads to alert fatigue, where analysts start dismissing alerts without looking closely.
What Is Cyber Incident or Threat Triage?
Triage is a medical term for the practice of sorting patients according to the urgency of their need for care when there are not enough resources to treat everyone at once.
What does this practice have in common with cybersecurity? A lot! Modern cybersecurity monitoring tools generate a steady stream of alerts, a large share of which are false positives.
Even a well-staffed security team cannot work through alerts in the order they arrive: the high-priority ones would sit in the queue while the team clears the noise ahead of them, and by then a data breach with large financial and reputational costs may already have happened.
Because some alerts must be addressed much sooner than others, it makes sense to first order them by priority. That ordering is cyber triage.
In this context, an event is any activity that affects the organization's security. Before you can respond properly, each event's priority has to be determined; that process is called event triage.
What is a triage analysis?
Triage analysis is the evaluation of security incidents to determine which are false positives and which need to be addressed urgently. To make that determination you need to follow a protocol.
Cybersecurity Triage Steps
Let’s say you’ve identified multiple alerts, and you want to find out which ones you can safely ignore, and which are important.
To accomplish this objective, it’s useful to separate alerts into the following three categories:
- Low-priority: Alerts that are unlikely to have any significant impact on business performance or customer satisfaction.
- Medium-priority: Alerts that may have some impact on business performance or customer satisfaction, but their resolution can be delayed.
- High-priority: Alerts that are likely to have a serious impact on business performance or customer satisfaction unless resolved immediately.
So, what criteria should you consider when categorizing your alerts? The Information Technology Infrastructure Library (ITIL), a set of best practices for IT service management, offers a simple answer.
According to ITIL, alerts can be prioritized based on two criteria:
- Impact: how severely the business will be affected.
- Urgency: how long the resolution can be delayed.
An alert's priority is the combination of its impact and urgency: the incident triage matrix below maps each impact/urgency pair to a priority, with the top priority reserved for alerts that are both high-impact and urgent.
Incident Triage Matrix
If you are not sure how impactful or urgent an alert is, cyber threat intelligence can help: it tells you where a given indicator sits in the cyber kill chain, which is more than basic malware detection can provide.
Cisco defines cyber threat intelligence as “a dynamic, adaptive technology that leverages large-scale threat history data to proactively block and remediate future malicious attacks on a network.”
In other words, cyber threat intelligence is the collective knowledge an organization has about the threats it faces. When implemented correctly, it helps identify and prioritize all types of cyber risks, including advanced persistent threats and zero-day exploits.
There are multiple threat intelligence tools organizations of all sizes can choose from. Choosing to partner with an experienced managed IT service provider, like Teal, can help you determine which one can meet your needs the best.
Cybersecurity Incident Examples
Now that we’ve explained how the cyber triage process works in a nutshell, we’ll illustrate it with a few examples.
Heavy Traffic on Port 80 (Low-Priority)
Port 80 is the port number assigned to Hypertext Transfer Protocol (HTTP), which carries unencrypted web traffic. Heavy traffic on this port is usually employees downloading content from the web. In most cases the content is work-related and safe, but it could also come from shady websites that serve malware, so a closer look may be warranted, especially when the spikes occur outside business hours, when few employees should be browsing at all.
Phishing Attempt (Medium-Priority)
It is estimated that phishing attacks account for more than 80 percent of reported security incidents. The detection of a phishing attempt typically isn't a highly urgent issue, but it can have a serious impact on business performance. The proper response is to block the sender's address and educate employees about the threat so they can recognize and avoid it, even when the same or a similar message arrives from a different address. Before closing the alert, check whether any recipient clicked the link, opened the attachment, or entered credentials: if so, the incident is no longer an attempt but a likely compromise, and it should be re-triaged as high-priority.
Malware Attack (High-Priority)
The presence of active malware is always a serious incident that needs to be addressed as soon as possible to prevent the malware from spreading; the first step is usually to isolate the affected host from the network. The exact steps that follow depend on the malware itself. Some strains can be removed with readily available tools. Others are designed to leave behind hidden backdoors and other unpleasant surprises, so a host that has run them should be treated as untrusted until it is rebuilt or thoroughly verified.
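The following is an added example, not code from the original article or from Teal, that puts the impact/urgency matrix and the three incident examples above into working form. It uses the common ITIL 3x3 mapping of impact and urgency to a priority from 1 to 5 and then collapses that scale into the article's low/medium/high buckets; since the article's own matrix is not reproduced on the page, that mapping is an assumption. The escalation rules (an after-hours traffic spike raises both impact and urgency one step; a phishing message a recipient acted on becomes high/high) and the business-hours window are likewise illustrative choices, and the sample alerts are constructed, not real data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

LEVELS = ("low", "medium", "high")

# Common ITIL 3x3 mapping of (impact, urgency) to priority 1 (most urgent) .. 5.
# The article's own matrix is not on the page; this mapping is an assumption.
PRIORITY_MATRIX = {
    ("high", "high"): 1,
    ("high", "medium"): 2, ("medium", "high"): 2,
    ("high", "low"): 3, ("medium", "medium"): 3, ("low", "high"): 3,
    ("medium", "low"): 4, ("low", "medium"): 4,
    ("low", "low"): 5,
}

# Collapse the 1-5 scale into the article's three buckets.
BUCKET = {1: "high", 2: "high", 3: "medium", 4: "low", 5: "low"}

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time; an assumption


def bump(level: str) -> str:
    """Raise a low/medium/high level by one step, capped at high."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


@dataclass
class Alert:
    name: str
    impact: str               # initial analyst estimate: low | medium | high
    urgency: str              # initial analyst estimate: low | medium | high
    detected_at: datetime
    context: dict = field(default_factory=dict)  # facts gathered during triage


def effective_levels(alert: Alert) -> tuple[str, str]:
    """Adjust the initial impact/urgency with the escalation rules from the examples."""
    impact, urgency = alert.impact, alert.urgency
    kind = alert.context.get("type")
    # A traffic spike outside business hours is more likely to be a download
    # nobody asked for, so both the impact estimate and the urgency go up a step.
    if kind == "traffic_spike" and alert.detected_at.hour not in BUSINESS_HOURS:
        impact, urgency = bump(impact), bump(urgency)
    # A phishing attempt a recipient already acted on is no longer an attempt:
    # a credential or host is probably compromised, so it is re-triaged as high/high.
    if kind == "phishing" and alert.context.get("recipient_interacted"):
        impact, urgency = "high", "high"
    return impact, urgency


def priority(alert: Alert) -> int:
    """Look the adjusted impact/urgency pair up in the matrix."""
    return PRIORITY_MATRIX[effective_levels(alert)]


def bucket(alert: Alert) -> str:
    """The article's low/medium/high category for an alert."""
    return BUCKET[priority(alert)]


def triage(alerts: list[Alert]) -> list[Alert]:
    """Order the queue: lowest priority number first, earlier detection first within a priority."""
    return sorted(alerts, key=lambda a: (priority(a), a.detected_at))


# Constructed sample alerts that mirror the article's three examples (not real data).
SAMPLE_ALERTS = [
    Alert("Heavy traffic on port 80", "low", "low",
          datetime(2024, 3, 4, 11, 15), {"type": "traffic_spike"}),
    Alert("Heavy traffic on port 80 after hours", "low", "low",
          datetime(2024, 3, 4, 23, 40), {"type": "traffic_spike"}),
    Alert("Phishing e-mail reported, nobody clicked", "high", "low",
          datetime(2024, 3, 4, 9, 5), {"type": "phishing", "recipient_interacted": False}),
    Alert("Phishing e-mail, credentials entered", "high", "low",
          datetime(2024, 3, 4, 9, 30), {"type": "phishing", "recipient_interacted": True}),
    Alert("Active malware on a workstation", "high", "high",
          datetime(2024, 3, 4, 14, 2), {"type": "malware"}),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"P{priority(a)} {bucket(a):6} {a.name}")
```

Run as a script, it prints the queue in the order an analyst should work it: the phishing message whose credentials were entered and the active malware come out as priority 1, the reported-but-unclicked phishing message and the after-hours port 80 spike as priority 3 (medium), and the daytime port 80 spike last as priority 5. The point of keeping the matrix and the escalation rules as data and small functions is that the team can review and change them without touching the sorting logic.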
The Goal of Triage in Cybersecurity is Clear
In medicine, triage can save lives. In cybersecurity, triage can prevent costly data breaches and other cyber risks. With the right tools and the right provider of cybersecurity services, any organization can reliably separate threats based on their priority to address them in the right order.