Test Alerting and Action Plans

Breach resilience takes practice

Every security team knows that defenses consist of people, processes, and technology. However, the technology component typically receives most of the focus. While having the right tools in place is critical to thwarting infiltration, providing strong segmentation, and preventing data theft, tools alone are not enough to build true breach resilience or response.

Whether using in-house staff or a managed security services provider (MSSP) for security operations, teams need to be able to respond to threats quickly, with proven processes, to minimize business risk. Often, defenders rely on SIEM alerts and Service Level Agreements (SLAs) to drive this process of human response and business resilience. However, in today’s world of constant attacks, both the alerts and the actions they are meant to drive must be validated regularly.

The fallacy of the security SLA

Operations teams typically operate with an agreed-upon timeframe in which they will address, investigate, and report on threats. This window of time helps to drive response and ensures that the overall business has the information it needs to take action to stop attacks, or to communicate publicly about breach activity if necessary.

Even the best teams, with the tightest SLAs, can only act if they are alerted appropriately. Defenders cannot be expected to leap into action if their monitoring and detection systems do not clearly indicate threats. But holistic validation, across people, processes, and technology, is only rarely performed in advance. In fact, all too often, the first time that alerts and procedures are tested is when a business is actually under attack.

In the case of an actual attack, teams need to act quickly to protect critical resources, and in the unfortunate event of an actual breach, companies need to know how to proceed to limit the data at risk.

Validate alerting and action in advance

Breach and Attack Simulation from SafeBreach can exercise the alerts, people, and processes that truly make a business resilient to breaches. SIEM integration means that all events can be traced back to the attack simulations that triggered them, as well as to which security controls did - or did not - prevent those simulations.

With alerting validated, defenders can then run drills with specific campaigns, or with subsets of the Hacker’s Playbook™. See how alerts based on specific attacks drive action, and ensure that SOC teams have the alerts they need to meet their SLAs. By simulating attacks, SOC and MSSP teams can perform breach scenario training before a real attack occurs, validating both action and alerting plans.
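The alert-and-SLA validation described above, reduced to a small added example that is not SafeBreach's own code or data: constructed simulation records and SIEM alert records are joined by simulation ID, so every simulation is graded as alerted within SLA, alerted late, or never alerted. The field names, timestamps, and SLA value are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample data (not real telemetry): what was launched, and what the SIEM raised.
SIMULATIONS = [
    {"sim_id": "sim-001", "technique": "credential dumping", "fired_at": "2024-03-01T09:00:00"},
    {"sim_id": "sim-002", "technique": "lateral movement", "fired_at": "2024-03-01T09:05:00"},
    {"sim_id": "sim-003", "technique": "data exfiltration", "fired_at": "2024-03-01T09:10:00"},
]
SIEM_ALERTS = [
    {"sim_id": "sim-001", "alerted_at": "2024-03-01T09:04:00", "prevented": True},
    {"sim_id": "sim-003", "alerted_at": "2024-03-01T09:45:00", "prevented": False},
]


def validate_alerting(simulations, alerts, sla_minutes):
    """Join each simulation to the alerts it triggered and grade it against the SLA.

    Returns one row per simulation: status is 'no_alert', 'within_sla' or 'sla_breached';
    delay_minutes is time from launch to the first alert; prevented mirrors the alert field.
    """
    alerts_by_sim = {}
    for alert in alerts:
        alerts_by_sim.setdefault(alert["sim_id"], []).append(alert)

    report = []
    for sim in simulations:
        matched = sorted(alerts_by_sim.get(sim["sim_id"], []), key=lambda a: a["alerted_at"])
        row = {"sim_id": sim["sim_id"], "technique": sim["technique"]}
        if not matched:
            # The control may have blocked it silently or missed it: either way, no one was paged.
            row.update(status="no_alert", delay_minutes=None, prevented=None)
        else:
            first = matched[0]
            delay = datetime.fromisoformat(first["alerted_at"]) - datetime.fromisoformat(sim["fired_at"])
            minutes = delay.total_seconds() / 60
            row.update(
                status="within_sla" if minutes <= sla_minutes else "sla_breached",
                delay_minutes=minutes,
                prevented=first["prevented"],
            )
        report.append(row)
    return report


def summarize(report):
    """Count rows per status, which is the number a SOC lead would track drill over drill."""
    counts = {"no_alert": 0, "within_sla": 0, "sla_breached": 0}
    for row in report:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    for row in validate_alerting(SIMULATIONS, SIEM_ALERTS, sla_minutes=15):
        print(row)
    print(summarize(validate_alerting(SIMULATIONS, SIEM_ALERTS, sla_minutes=15)))
```

Feeding a real drill's launch log and SIEM export into the same join turns a vague "we have alerts" into a per-technique list of gaps and late alerts to work through.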

Ensure that all of security is working as intended - not just the tools. Validate teams, design breach and alerting protocols, and build true business resilience against attack.