Deciphering InfoSec - events, alerts, and incidents

What are Events, Alerts, and Incidents

Deciphering Infosec Speak as an MSP

Cyberthreats are growing more sophisticated, and organizations rely daily on their MSPs to protect their business and data. Part of building a robust cybersecurity strategy is to implement preventative and detective measures such as 24/7/365 monitoring, threat hunting, and event logging. Combining these measures into one streamlined process means you and your clients can stay ahead of threat actors and stop attacks before they become full-blown breaches.

The key to this streamlined approach is clear communication. As an MSP, agreeing on standard definitions with your clients lets you take the right course of action for each type of behavior, and it gives both sides a consistent way to identify what is happening in their IT infrastructure. The challenge is that the information security (infosec) world is dense with terminology, and terms and definitions differ between products, vendors, and even teams within the same company.

What happens when there is poor communication and no standard definitions for terms?  

  • Unclear incident management thresholds leading to alert fatigue 
  • Time wasted triaging false positives 
  • Increased risk of missing early critical alerts 
  • Inefficient workflows and communication during security incidents 
  • Inconsistent documentation/record of incidents 

Having proper definitions and an understanding of common infosec terminology can mean all the difference when cyberthreats are at the doorstep. In this blog post, we provide standard base definitions for the most often used (and confused) terms when talking about monitoring an IT environment. While each organization may add specifics to these terms depending on their policies and requirements, here are the fundamental aspects of each term and how they differ. 

Events & Incidents – Information about a Behavior 

Events are simply information about observed actions and changes in an IT environment. These can include changes to a system, device, process, or user behavior. Events capture behaviors that may be benign and typical of an organization’s daily operations, or they could be the first indicator of a breach. Organizations may log hundreds of thousands of events per day, or more. They can be broken down into three severity levels: 

  • Information – Data recorded for monitoring purposes. Security teams review these events to confirm that IT services are operating normally. 
  • Warning – Data indicating that something is approaching a set threshold. Security teams assess and triage as needed. 
  • Critical – Data indicating that a set threshold has been crossed. Security teams take immediate action to identify, contain, and mitigate as needed. 

Incidents are events, or combinations of events, that negatively affect an organization’s IT infrastructure by compromising, or imminently threatening, the confidentiality, integrity, or availability (CIA) of its systems and data. Not all events are incidents, but every incident is made up of events, and often of several events taken together. Without prompt action, incidents can severely impact an organization’s core business processes. 

Notifications & Alerts – Communicating a Behavior 

Think of notifications as general information about events sent to a receiving platform or team for further assessment if needed. They communicate information about unremarkable changes and behaviors in an IT environment. Generally, notifications do not represent risks or anomalies in a system and don’t require immediate attention.  

Alerts, however, do require prompt action from a security team. They are notifications that carry information about a warning or critical event, or about a developing incident. Their purpose is to draw attention to activity that is approaching, or has already violated, pre-established security rules, profiles, or thresholds, so that the information reaches the responsible party quickly for assessment, communication, and action. 

Alerts are a crucial element of incident response because they cut down response time. Many intrusions, when detected early enough, can be contained and removed from a system before the threat actor reaches their objective or exfiltrates sensitive information. Alerts also give the security team and the client a defined point at which to communicate, so that critical decisions can be made in a timely manner. 

Avoiding alert fatigue 

Work closely with your clients to establish appropriate thresholds for alerting on events and incidents. Alerts can be enriched with detailed context about the underlying events, or they can be filtered and suppressed when they are repetitive or redundant. Alert fatigue occurs when thresholds are set too low: security teams spend their time cutting through the noise and weeding out false positives, and genuine alerts get lost among them. Thresholds set too high carry the opposite risk, that a real attack never raises an alert at all, so every suppression rule or threshold change should be a documented tuning decision that both you and the client have agreed to, never a silent drop.
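The following is an added example, not code from this post or from Blackpoint Cyber, that puts the definitions above into a small Python pipeline: events are classified as information, warning or critical against per-metric thresholds; information-level events become notifications while warning and critical events become alerts; repeats of the same alert inside a suppression window are folded into the original alert instead of paging again (the "repetitive or redundant" case); and a successful login shortly after a critical burst of failed logins on the same host is correlated into one incident, showing that an incident is built from several events, one of which is not an alert on its own. The metric names, thresholds, windows, host names and the event sequence in `run_demo` are constructed assumptions; the real values are the ones you agree with each client.

```python
# Added example, not Blackpoint's code: a toy event -> alert -> incident pipeline.
# Metric names, thresholds, windows and sample events are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values in run_demo)
    host: str
    metric: str    # what was measured, e.g. failed_logins in the last 5 minutes
    value: float

# Hypothetical (warning, critical) thresholds agreed with a client; tune per environment.
RULES = {
    "failed_logins": (5, 20),
    "disk_used_pct": (80, 95),
}

def classify(event: Event, rules=RULES) -> str:
    """Map an event to information / warning / critical; unknown metrics are information."""
    if event.metric not in rules:
        return "information"
    warning, critical = rules[event.metric]
    if event.value < warning:
        return "information"
    if event.value < critical:
        return "warning"
    return "critical"

@dataclass
class Alert:
    ts: int
    host: str
    metric: str
    level: str
    suppressed_repeats: int = 0   # duplicates folded into this alert instead of re-paging

@dataclass
class Incident:
    ts: int
    host: str
    summary: str
    related: tuple   # the alerts and events that make up the incident

@dataclass
class Pipeline:
    suppress_window: int = 600     # fold repeats of the same alert within 10 min
    correlate_window: int = 3600   # look back 1 h when correlating events
    notifications: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    incidents: list = field(default_factory=list)
    _open: dict = field(default_factory=dict)   # (host, metric, level) -> last Alert

    def ingest(self, event: Event) -> Optional[Alert]:
        level = classify(event)
        if level == "information":
            self.notifications.append(event)   # logged for review, nobody is paged
            self._correlate(event)
            return None
        key = (event.host, event.metric, level)
        prev = self._open.get(key)
        if prev is not None and event.ts - prev.ts < self.suppress_window:
            prev.suppressed_repeats += 1       # repetitive: count it, don't re-page
            return None
        alert = Alert(event.ts, event.host, event.metric, level)
        self._open[key] = alert
        self.alerts.append(alert)
        return alert

    def _correlate(self, event: Event) -> None:
        """A successful login soon after a critical burst of failed logins on the same
        host is treated as a likely brute-force compromise, i.e. an incident."""
        if event.metric != "successful_login":
            return
        burst = self._open.get((event.host, "failed_logins", "critical"))
        if burst is not None and event.ts - burst.ts < self.correlate_window:
            self.incidents.append(Incident(
                event.ts, event.host,
                "successful login after critical failed-login burst", (burst, event)))

def run_demo() -> Pipeline:
    """Feed a constructed event sequence through the pipeline and return it."""
    events = [
        Event(0,    "srv1", "failed_logins", 2),     # information
        Event(60,   "srv1", "failed_logins", 7),     # warning alert
        Event(120,  "srv1", "failed_logins", 9),     # same warning, suppressed
        Event(180,  "srv1", "failed_logins", 25),    # critical alert
        Event(240,  "srv1", "failed_logins", 30),    # same critical, suppressed
        Event(300,  "srv1", "successful_login", 1),  # information, but completes an incident
        Event(400,  "srv2", "disk_used_pct", 85),    # warning alert on another host
        Event(1000, "srv1", "failed_logins", 8),     # suppression window expired: new alert
    ]
    p = Pipeline()
    for e in events:
        p.ingest(e)
    return p
```

Calling `run_demo()` on the eight constructed events yields two notifications, four alerts (the two suppressed repeats are counted on the alerts they duplicate rather than discarded, so the record stays complete) and one incident. Note that suppression is keyed on host, metric and level, so the escalation from warning to critical on `srv1` still pages even though a warning for the same metric is already open.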

Alert fatigue can also cause teams to miss early indicators of a threat or lose valuable warning time needed to take preventative measures or escalate. To combat this risk, more MSPs are leveraging Managed Detection & Response (MDR) services, which deliver actionable alerts in real time and shrink the window between the first sign of a threat and the response to it. 

Summary 

Understanding the key differences and relationships between events, incidents, and alerts has more than semantic value. Using common terminology ensures that communication channels between you and your clients are as clear as possible. By agreeing on standard definitions, MSPs can ensure security and compliance are a collaborative and cohesive process. In the long term, this is a significant boost in establishing your reputation for offering trustworthy services. 

How to Protect Yourself and Your Clients 

Eliminate cyberthreats before they take root in your network. Blackpoint Cyber’s true Managed Detection & Response (MDR) service delivers real-time threat alerts and immediate response. Our experienced team responds 24/7/365 to critical alerts by isolating infected devices and terminating malicious software, immediately helping to eradicate a malicious actor’s foothold in your network.

Further, our patented SNAP-Defense Security Operations & Incident Response platform allows us to detect lateral movement in its earliest stages and then neutralize threats before they have a chance to spread. Trust our decades of real-world defensive and offensive experience and contact us to safeguard your and your clients’ businesses today. 

BlackPoint Cyber