Computer networks and network components are frequently the subject of various incidents that are detrimental to network performance. For example, incidents such as denial of service attacks, viruses, worms, Trojan horses, and other malicious software (malware) directed at a computer network can have a serious negative impact on the confidentiality, integrity, and availability of the computer network, network components, and data within the computer network. Incidents are not limited to digital incidents, and both digital and physical incidents can have serious impacts on both physical and digital assets within a network or, more broadly, a physical environment. These security incidents result in real losses of value for organizations. Accordingly, most network administrators implement some sort of security information and event management system to handle such security incidents.
A conventional security information and event management (SIEM) environment may include a security information and event management system that reports suspicious security events to a security analyst who then manually validates the veracity of the security event, manually registers the event into the corporate trouble ticketing system, and then proceeds to resolve or mitigate the security impact of the event. In some instances, the security analyst may enlist the help of other members of the security team.
The security analyst may use established guidelines for determining the appropriate response to the security event. The established guidelines may have been prepared beforehand by senior members of the security team, and may include procedures, best practices, checklists, etc. Support and interaction between the senior members of the security team and the security analyst are therefore often ad hoc, in that the environment may lack intrinsic coordination and process management tools. Where such tools exist, they may have been assembled by the security team, senior management, and the IT organization from third-party applications and services, which may be incompatible, overlapping, or leave gaps in necessary services.
The ad hoc nature of the response may result in an inconsistent event management process in which the time to resolve an issue depends heavily on factors such as the skill of the senior security team in forecasting likely event scenarios and the skill of the particular security analyst performing the resolution or mitigation. The open-loop nature of this conventional environment may require senior security team members to manually analyze past mitigation efforts to extract lessons learned and process improvements. This manual process may, in practice, preclude the derivation of consistent and reliable performance metrics.
In response to the above and other problems of conventional security information and event management environments, some organizations have developed standardized workflows to facilitate the use of consistent security operating procedures in response to detected incidents, and the automation of standard actions. In practice, however, security events and incidents do not occur in isolation. Instead, multiple incidents may be pending resolution at any given time, while organizations have limited resources available for responding to them. Each resource allocated to a specific security incident is unavailable to respond to other concurrent incidents, or even to maintain day-to-day operations, so the allocation of resources between incidents involves inherent tradeoffs. Thus, even if workflows are standardized and certain actions are automated, there remains the issue of prioritizing responses to multiple, overlapping incidents.
Accordingly, it is an object of embodiments of this disclosure to provide an incident triage engine. In some embodiments, the incident triage engine ties security events and incidents to a set of loss algorithms to help prioritize responses to the incidents. These algorithms may evaluate the loss attributable to an incident with respect to the resources required to respond, the time required to respond, and the predicted loss of or damage to assets, and may then prioritize responses by comparing the respective losses of the detected incidents. In some embodiments, the incident triage engine may be integrated with existing SIEM environments.
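As an added illustration of the kind of comparison such loss algorithms could make (example code written for this page, not the disclosure's own algorithms, which it does not specify), the following Python model ranks a queue of pending incidents by predicted loss. It assumes that loss accrues linearly per hour an incident remains unmitigated and is capped at the value of the assets at risk, that a single response team works one incident at a time, and that the four sample incidents are constructed; the ordering rule it uses (loss rate divided by response time, i.e. Smith's ratio rule for minimizing weighted completion time on one server) is the example's choice. The brute-force check is included so a practitioner can confirm the heuristic against an exhaustive search on small queues.

```python
"""Illustrative loss-based incident triage (added example, not the
disclosure's own algorithms). Assumptions: loss accrues linearly per hour
of exposure and is capped at the value of the assets at risk; one response
team works incidents serially; the sample incidents below are constructed."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Incident:
    incident_id: str
    loss_per_hour: float   # predicted loss accrued per hour while unmitigated
    max_loss: float        # value of assets at risk: damage cannot exceed this
    response_hours: float  # analyst time required to contain the incident
    response_cost: float   # direct cost of responding (overtime, tooling, outage)


def incident_loss(inc: Incident, delay_hours: float) -> float:
    """Total loss for one incident when work on it starts after delay_hours.
    Damage accrues until containment completes (delay + response time) and
    is capped at max_loss; the response's own cost is then added."""
    exposure = delay_hours + inc.response_hours
    damage = min(inc.max_loss, inc.loss_per_hour * exposure)
    return damage + inc.response_cost


def total_loss(order) -> float:
    """Summed loss when a single team handles the incidents in the given
    order: each incident waits for every incident scheduled before it."""
    clock = 0.0
    total = 0.0
    for inc in order:
        total += incident_loss(inc, clock)
        clock += inc.response_hours
    return total


def prioritize(incidents) -> list:
    """Rank by loss averted per hour of analyst time (loss rate divided by
    response time). For linear, uncapped losses this is Smith's ratio rule,
    which minimizes total weighted completion time for a single server.
    Ties are broken by incident_id so the ranking is deterministic."""
    return sorted(incidents,
                  key=lambda i: (-i.loss_per_hour / i.response_hours, i.incident_id))


def optimal_order(incidents) -> list:
    """Exhaustive check, usable only for small queues (n! orders): the
    ordering with the least total loss under the same model."""
    return list(min(permutations(incidents), key=total_loss))


# Constructed sample queue (hypothetical figures, currency units per hour).
SAMPLE = [
    Incident("A", loss_per_hour=10_000, max_loss=500_000, response_hours=8, response_cost=20_000),  # ransomware on a file server
    Incident("B", loss_per_hour=5_000, max_loss=50_000, response_hours=1, response_cost=500),       # compromised user credential
    Incident("C", loss_per_hour=1_000, max_loss=20_000, response_hours=2, response_cost=1_000),     # defaced marketing site
    Incident("D", loss_per_hour=10_000, max_loss=200_000, response_hours=4, response_cost=5_000),   # DoS against customer portal
]


if __name__ == "__main__":
    ranked = prioritize(SAMPLE)
    # Naive alternative many teams default to: largest asset at risk first.
    by_value = sorted(SAMPLE, key=lambda i: -i.max_loss)
    print("triage order:     ", [i.incident_id for i in ranked], "total loss:", total_loss(ranked))
    print("by asset value:   ", [i.incident_id for i in by_value], "total loss:", total_loss(by_value))
    print("brute-force optimum:", [i.incident_id for i in optimal_order(SAMPLE)])
```

On the sample queue the ratio rule works the one-hour credential compromise first and the eight-hour ransomware case third, and its total predicted loss is well below that of ordering by asset value alone; the cap on `max_loss` matters only when a small, fast-burning incident is left waiting long enough to be fully consumed, which is exactly the case the comparison should penalize.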
Another object of embodiments of this disclosure is to provide systems, methods and computer programs embodied on non-transitory computer readable media for triaging incidents in a system and prioritizing responses to the incidents.