Even when an alert appears to be a false positive, it is vital to follow investigative and incident response procedures. Many modern detection platforms use machine learning to rank or suppress low-confidence alerts, which helps fight alert fatigue so the team spends less time on low-probability alerts and more on those with a higher likelihood of being genuine. That triage is only as good as its tuning, so an alert that scores low still deserves a documented look rather than a silent dismissal. Whether an alert turns out to be a false positive or not, your team gets to practice handling it.
Ensuring a proper follow-up every time helps the team prepare for a big incident. There is no time to be flipping through the incident management procedures when a real attack happens. By practicing them every time, the team is continuously drilling the process. It becomes ingrained in the team, and working together becomes second nature. When your Super Bowl (an actual attack) happens, and it will eventually, they are comfortable with their roles and responsibilities, which makes them prepared to face it.
Lesson 4: Review the Film
Successful football teams go back after games to review how they performed in the last matchup. The cybersecurity parallel is the post-incident review. Whether there was an actual attack or a false positive, each incident is an opportunity to take a critical look at performance: what was detected, how quickly, what slowed the response, and what worked. This evaluation generally takes the form of a brief meeting soon after the incident is closed, aimed at identifying current gaps, streamlining processes, and improving the program over time. It is the chance to collect feedback and make the necessary changes.
Reviews are an iterative process, and each new incident will come with unique takeaways for improvement. It is crucial that these meetings don’t turn into finger-pointing and name-calling. Instead, objectively identify weaknesses and work as a team to resolve them. If a single person failed to call the right play, use it as an opportunity to share guidance, not place blame.
The other half of this lesson is to keep a close eye on the opposing team’s actions on the field. How did they react? What’s in their playbook? Training your staff in offensive security techniques, watching threat reports, and following “hacker” news is part of staying on top of the security game.
Being aware of the attacks occurring worldwide and across your industry gives you an advantage. When you understand the opponent's plays, you can help your team stay prepared for what is to come. Once an attack technique is out in the wild, it will not take long before some bad actor brings something similar to your doorstep. By researching and staying on top of what attackers are doing, you can avoid being blindsided.
Play to Win
The primary goal of any infosec team is to win every time, no excuses. The right approach puts the odds in your favor on and off the field. It requires a combination of the right fundamentals and iterative improvements to your roster and playbook along the way. To recap:
- Build a solid defense
- Cultivate the team
- Consistently follow best practices
- Review your mistakes and learn from them