When an IDS or another security-monitoring rule is triggered, the result is recorded, depending on the severity of the attack, as either an event (Event) or an alarm (Alert). The purpose of the alarm is to notify the administrator of the issue.
There are three common alarm modes.
- E-mail alarm
This is the cheapest alarm mode: set up an SMTP server and, when a monitored event occurs, call the mail API to send an e-mail alert. Its drawback is poor real-time delivery, because the mail server may be busy, so messages can be delayed or lost. Its benefit is that an e-mail can be rich in content, that is, it can carry all the essential details of the event.
- IM alert
An IM alarm is triggered by calling the IM system's API. If the company has no IM software of its own, an open-source IM can be used. An IM alert is delivered more promptly than an e-mail alert, but the length of an IM message is limited compared with e-mail.
- Message alert
With the popularity of mobile phones, message (SMS) alerts have become an increasingly common alert method. They require an SMS gateway, or a website that provides an SMS service. Message alerts are the best for real-time delivery, and administrators can receive alarms wherever they are. However, the length of a single SMS is limited, so the content is generally short and to the point.

Once monitoring and alarms are in place, you can begin to develop the emergency response process. This process is necessary for handling emergency security incidents rapidly; a missing emergency response process, or an improperly executed emergency response plan, often results in huge losses. To establish an emergency response procedure, first create an emergency response team that is solely responsible for emergency security incidents and resource coordination. The team should include:
- Technical leader
- Product leader
- A senior development engineer with the best understanding of the technical architecture
- Senior network engineer
- Senior system operation and maintenance engineer
- Senior DBA
- Senior security expert
- Monitoring engineer
- Corporate communications
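The three alarm modes described above differ in delivery speed and in how much content they can carry. The following dispatcher, an added example and not code from the original text, encodes those trade-offs: every event is sent by e-mail with full details, while only events severe enough to count as an Alert are also pushed to IM and SMS, with the message shortened to fit each channel. The severity threshold, the channel length limits and the sample events are constructed assumptions; wiring each notification to a real SMTP server, IM API or SMS gateway is left to the deployment.

```python
# Severity-driven alert dispatcher (added example; thresholds and limits are assumptions).
from dataclasses import dataclass

SMS_MAX_CHARS = 160        # one GSM-7 SMS segment; anything longer is truncated
IM_MAX_CHARS = 500         # assumed cap of the IM system's message API
ALERT_THRESHOLD = 7        # severity >= 7 is an Alert, anything below is an Event


@dataclass
class SecurityEvent:
    rule: str              # name of the IDS / monitoring rule that fired
    severity: int          # 0..10, assigned by the rule
    host: str              # affected machine
    details: str           # full context: request, payload, log excerpt, ...


@dataclass
class Notification:
    channel: str           # "email", "im" or "sms"
    kind: str              # "Event" or "Alert"
    body: str


def classify(ev: SecurityEvent) -> str:
    """Map the rule's severity onto the page's two outcomes: Event or Alert."""
    return "Alert" if ev.severity >= ALERT_THRESHOLD else "Event"


def shorten(text: str, limit: int) -> str:
    """Fit text into a length-limited channel, keeping the cut visible."""
    return text if len(text) <= limit else text[: limit - 3] + "..."


def dispatch(ev: SecurityEvent) -> list:
    """Return the notifications an event generates, one per channel used.

    E-mail always carries the full details (cheap, rich in content but slow).
    Alerts are additionally sent over IM and SMS so the administrator is
    reached wherever they are, at the cost of a shortened message.
    """
    kind = classify(ev)
    headline = f"[{kind}] {ev.rule} on {ev.host} (sev {ev.severity})"
    out = [Notification("email", kind, f"{headline}\n\n{ev.details}")]
    if kind == "Alert":
        out.append(Notification("im", kind, shorten(f"{headline}: {ev.details}", IM_MAX_CHARS)))
        out.append(Notification("sms", kind, shorten(headline, SMS_MAX_CHARS)))
    return out
```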
The team's main task is to determine the causes of the security issue and to coordinate the necessary resources as soon as possible; the team may therefore be expanded as needed.
The team should also include public relations officers, because when an incident affects the public, the public must be informed. Before releasing any statement, the public relations officers should consult the security experts to understand the threat. Since the general public may not understand the technology, the message should be conveyed in clear, understandable terms.
When a security event occurs, the security experts should be notified first, and they should work with the emergency response team to handle the issue. Handling security incidents involves several caveats, discussed below. First, preserve the scene of the security incident. Without guidance on keeping the scene undisturbed, engineers may tamper with it, which makes intrusion analysis and the subsequent damage assessment difficult.
When an intrusion occurs, do not panic. First determine what the intruder has done, then assess the damage. A more reasonable approach is to take all compromised machines offline and analyze them offline. Second, handle the problem as quickly as possible. Once the emergency response process begins, use the time to locate suitable resources and develop an appropriate plan as quickly as possible; for this, technical directors and experienced engineers in the relevant field should join the response team. After the emergency response process is established, it is good practice to run one or two drills to verify that the process is effective. This is essential to safe operation.