IBM Security QRadar

  • 1.  Baking Offenses

    Posted Wed March 06, 2019 05:08 PM
    For anyone. How much time should be allotted for an offense to be responded to? I understand that this is subjective and may be different times for specific offenses. The company I work for uses an offshore team to address level 1 and level 2 threats. I often see offenses that have been baking for a month. Does anyone have any advice or recommendations for offenses being assigned, worked, and closed in a timely manner? I realize they become inactive after 5 days, but letting them sit there for a month is ridiculous. Thoughts???

    ------------------------------
    Lance
    ------------------------------


  • 2.  RE: Baking Offenses

    Posted Thu March 07, 2019 02:37 AM

    Lance,

    When Offenses don't get any attention in a timely manner, they're not relevant at all and you need to get rid of them. A Saved Search and/or a Report might be more fitting for such Use Cases. I have faced many clients who outsourced their SOC responsibilities. Here it all depends on the negotiated SLA (or OLA if internal). Wrong too: getting charged by the amount/number of Offenses being created within such a contract.

    Your described scenario might be relevant again if using an Incident Response solution in addition, for example Resilient. Then you might keep Offenses as a kind of monitoring component, but rather keep working on related Security Incidents within the Incident Response solution connected to QRadar. Offenses then receive an annotation, and you have a kind of tracking even if they got closed untouched.

    Regards,
    Dietger



    ------------------------------
    Dietger Bahn
    ------------------------------



  • 3.  RE: Baking Offenses

    Posted Fri March 08, 2019 04:12 AM
    Just to add a few cents to the previous discussion, agreeing with what's been mentioned.
    It is usually a best-practice/compliance requirement to have events & potential incidents reviewed on a daily basis and addressed accordingly. Post-review, those would be classified and given a priority (resolution target as well).
    If you have a formalized SOC/CSIRT setup, then keeping track of incidents, e.g. for the purpose of KPI tracking/analysis, might be needed.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 4.  RE: Baking Offenses

    Posted Fri March 08, 2019 04:37 AM
    I'm with you. Just, please don't call them "KPIs". It's commonly misused in Security and only relevant to ITOps. It should rather be called Key Risk Indicators (KRIs) or Security Risk Indicators, according to the Risk IT framework by ISACA.

    Regards,
    Dietger

    ------------------------------
    Dietger Bahn
    ------------------------------