An increasing number of data security threats exist in the modern computerized society. These threats may include viruses or other malware that attacks the local computer of the end user, or sophisticated cyber attacks to gather data and other information from the cloud or server based infrastructure. This server based infrastructure includes real and virtual computing devices that are used to provide a variety of services to user computing systems, such as data storage, cloud processing, web sites and services, amongst other possible services. To protect applications and services, various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.
Further, some computing environments may implement security information and event management (SIEM) systems and other security detection systems to provide real-time analysis of security alerts generated by network hardware and applications. In particular, SIEM systems allow for real-time monitoring, correlation of events, notifications, and console views for end users. Further, SIEM systems may provide storage logs capable of managing historical information about various security events within the network. Although SIEMs and other security threat identifying systems may generate security alerts for devices within the network, administrators may be forced to translate each of these alerts into particular actions, which takes time and resources. Further, notifications of incidents may not be helpful in determining which administrator of a plurality of administrators should be responsible for reacting to a security incident.
Overview
The technology disclosed herein enhances how security action recommendations are provided to administrators of a computing environment. In one example, an advisement system for managing service level agreements (SLAs) for security incidents in a computing environment is configured to identify a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with one or more action recommendations to be taken against the security incident. The advisement system is further configured to identify a default SLA for the security incident based on the rule set, and obtain environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
In some implementations, the default SLA and the modified SLA each comprise a hierarchy of administrators to respond to a security incident, and a set of one or more time periods for administrator selected actions.
In some implementations, the advisement system may further be configured to provide the action recommendations to administrators based on the SLA determinations for the security incident.