IBM QRadar

  • 1.  Baking Offenses

    Posted Wed March 06, 2019 05:08 PM
    For anyone. How much time should be allotted for an offense to be responded to? I understand that this is subjective and may be different times for specific offenses. The company I work for uses an offshore team to address level 1 and level 2 threats. I often see offenses that have been baking for a month. Does anyone have any advice or recommendations for offenses being assigned, worked, and closed in a timely manner? I realize they become inactive after 5 days, but letting them sit there for a month is ridiculous. Thoughts???

    ------------------------------
    Lance
    ------------------------------


  • 2.  RE: Baking Offenses

    Posted Thu March 07, 2019 02:37 AM

    Lance,

    when Offenses don't get any attention in a timely manner, they're not relevant at all and you need to get rid of them. A Saved Search and/or a Report might be more fitting for such Use Cases. I faced many clients who outsourced their SOC responsibilities. Here it all depends on the negotiated SLA (or OLA if internal). Wrong too: getting charged by the amount/number of Offenses being created within such a contract.

    Your described scenario might be relevant again if using an Incident Response solution in addition, for example Resilient. Then you might keep Offenses as a kind of monitoring component, but rather keep working on related Security Incidents within the Incident Response solution connected to QRadar. Offenses then receive an annotation and you have a kind of tracking even if they got closed untouched.

    Regards,
    Dietger



    ------------------------------
    Dietger Bahn
    ------------------------------



  • 3.  RE: Baking Offenses

    Posted Fri March 08, 2019 04:12 AM
    Just to add a few cents to the previous discussion, agreeing with what's been mentioned.
    It is usually a best-practice/compliance requirement to have events & potential incidents reviewed on a daily basis and addressed accordingly. Post-review, those would be classified and given a priority (resolution target as well).
    If you have a formalized SOC/CSIRT setup, then keeping track of incidents, e.g. for the purpose of KPI tracking/analysis, might be needed.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 4.  RE: Baking Offenses

    Posted Fri March 08, 2019 04:37 AM
    I'm with you. Just, please don't call them "KPIs". It's commonly misused in Security and only relevant to ITOps. It should rather be called Key Risk Indicators (KRIs) or Security Risk Indicators, according to the Risk IT framework by ISACA.

    Regards,
    Dietger

    ------------------------------
    Dietger Bahn
    ------------------------------
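As an added illustration of the aging/SLA tracking discussed in replies 2, 3 and 4 (example code, not from any poster or from IBM), this Python sketch ages open offenses against assumed per-priority resolution targets and the 5-day inactivity window mentioned above, then rolls the results up into the kind of queue-health figures Dietger would call risk indicators; the record keys mirror QRadar offense field names, but the offenses, magnitude bands and SLA targets are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 3, 8, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

def _ms(dt):  # epoch milliseconds, the unit QRadar uses for offense timestamps
    return int(dt.timestamp() * 1000)

# Constructed offense records: keys mirror QRadar offense field names, but the
# ids, magnitudes and timestamps are made up for this example.
OFFENSES = [
    {"id": 101, "status": "OPEN", "magnitude": 9, "assigned_to": "l1-analyst",
     "start_time": _ms(NOW - timedelta(days=31)), "last_updated_time": _ms(NOW - timedelta(days=30))},
    {"id": 102, "status": "OPEN", "magnitude": 6, "assigned_to": None,
     "start_time": _ms(NOW - timedelta(days=2)), "last_updated_time": _ms(NOW - timedelta(days=1))},
    {"id": 103, "status": "CLOSED", "magnitude": 7, "assigned_to": "l2-analyst",
     "start_time": _ms(NOW - timedelta(days=10)), "last_updated_time": _ms(NOW - timedelta(days=9))},
    {"id": 104, "status": "OPEN", "magnitude": 3, "assigned_to": "l1-analyst",
     "start_time": _ms(NOW - timedelta(days=6)), "last_updated_time": _ms(NOW - timedelta(days=6))},
]

SLA_DAYS = {"high": 1, "medium": 3, "low": 7}  # assumed resolution targets per band
INACTIVE_AFTER_DAYS = 5  # the 5-day inactivity window mentioned in the thread

def priority(magnitude):
    # Assumed mapping of QRadar magnitude (0-10) onto three priority bands
    return "high" if magnitude >= 8 else "medium" if magnitude >= 5 else "low"

def assess(offenses, now=NOW):
    # Age every OPEN offense against its SLA target and the inactivity window
    rows = []
    for o in offenses:
        if o["status"] != "OPEN":
            continue
        age = (now - datetime.fromtimestamp(o["start_time"] / 1000, timezone.utc)).days
        idle = (now - datetime.fromtimestamp(o["last_updated_time"] / 1000, timezone.utc)).days
        band = priority(o["magnitude"])
        rows.append({"id": o["id"], "priority": band, "age_days": age, "idle_days": idle,
                     "sla_breached": age > SLA_DAYS[band],
                     "unassigned": not o["assigned_to"],
                     "stale": idle > INACTIVE_AFTER_DAYS})
    return rows

def risk_indicators(rows):
    # Queue-health figures a SOC could report as risk indicators rather than KPIs
    return {"open": len(rows),
            "sla_breached": sum(r["sla_breached"] for r in rows),
            "unassigned": sum(r["unassigned"] for r in rows),
            "stale": sum(r["stale"] for r in rows),
            "oldest_days": max((r["age_days"] for r in rows), default=0)}
```

Feeding the same function the output of a real offense query would give a daily picture of how long offenses bake and which ones were never picked up at all.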