- SOAR 101
For a few minutes on November 2nd, the most famous Twitter account in the world went offline. The account in question was of course @realdonaldtrump. Twitter was quick to attribute the incident to nonspecific “human error”, but soon after clarified that a rogue customer support employee deliberately disabled the account on his last day with the company. The New York Times later confirmed that the employee was, in fact, a contractor, not a full-time Twitter employee.
The fact that a junior contractor could silence the US president, even if just for 11 minutes, does not say good things about Twitter's internal access controls. Two failures stand out: a customer support role carried the power to deactivate any account with no second approval, and that power was still live on the contractor's last day. It is not hard to imagine a far more serious outcome from the same scenario. What if the contractor had hijacked Trump's account and announced a military strike against North Korea, or attacked a company in hopes of cratering its stock?
This type of incident underscores that information security and incident response need a converged approach. Incidents like lost laptops and restricted-area breaches have severe information security implications and require a fast, consistent response, just as any malware or DDoS attack would. Such an approach has to cover scenarios that recur hundreds of times per year in a large organization. Terminating a contractor who holds access to user accounts, for example, should trigger some common-sense safeguards: revoke the access before the last shift, not after it. Unfortunately, many incident response platforms provide a narrow toolset focused strictly on network-based cybersecurity threats, leaving their users to scramble whenever these "converged security" incidents occur.
As mentioned above, information security incidents don’t always start in the SIEM, or involve malware and phishing scams. Lost laptop incidents and terminations of employees with access to valuable information need to be carefully managed—and D3 is designed to help you do that.
For example, whenever an employee or contractor is leaving the company, D3 can be used to generate a checklist of information security tasks that must be completed. Common tasks include removing database and application access and recovering company laptops, smartphones, and facility access cards. If a task on the checklist is not completed, such as disabling the departing employee's Salesforce access, it can automatically be flagged for completion, sent to a manager, or even escalated into a D3 Incident Record. The check is only as good as its inputs: the checklist should be reconciled against what the identity provider and asset inventory actually report, not against what the ticket says was done. Integration with ITSM tools and asset management databases is what makes that reconciliation possible and keeps the process from becoming another manual form.
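The reconciliation described above, as an added example in Python that is not D3's own code: a departing user's required revocations and asset returns are compared with what the identity provider and asset inventory still report, and each open item is routed to a reminder, the manager, or an incident record depending on sensitivity and how long it has been outstanding. The systems, the sensitivity flags, the routing thresholds and the sample user are all constructed for illustration.

```python
"""Offboarding checklist verifier (added example, not D3 code).

Compares the access and assets a departing user must give up with what the
identity provider and asset inventory still report, and routes each gap.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical required revocations for any leaver. `sensitive` marks systems
# where lingering access after the termination date is an incident, not a nag.
REQUIRED_REVOCATIONS = {
    "okta":       {"sensitive": True},   # SSO: revoking this kills most access
    "salesforce": {"sensitive": True},   # customer PII
    "github":     {"sensitive": False},
    "vpn":        {"sensitive": True},
}
REQUIRED_ASSET_RETURNS = {"laptop", "smartphone", "badge"}
SENSITIVE_ASSETS = {"laptop", "badge"}  # cached credentials / physical access


@dataclass(frozen=True)
class Finding:
    user: str
    item: str          # system or asset still outstanding
    kind: str          # "access" or "asset"
    days_overdue: int  # negative while the termination date is still ahead
    route: str         # "flag", "manager" or "incident"


def _route(sensitive: bool, days_overdue: int) -> str:
    """Escalation rule (hypothetical thresholds)."""
    if sensitive and days_overdue >= 0:
        return "incident"        # sensitive access survived the last day
    if days_overdue > 2:
        return "manager"         # anything else that is more than 2 days late
    return "flag"                # reminder to the task owner


def audit_offboarding(user, termination_date, active_access, unreturned_assets, today):
    """Return open offboarding items for `user`, each with its route.

    active_access     -- systems where the IdP / application still reports
                         an enabled account for the user
    unreturned_assets -- asset types the inventory still assigns to the user
    """
    days_overdue = (today - termination_date).days
    findings = []
    for system, meta in REQUIRED_REVOCATIONS.items():
        if system in active_access:
            findings.append(Finding(user, system, "access", days_overdue,
                                    _route(meta["sensitive"], days_overdue)))
    for asset in sorted(REQUIRED_ASSET_RETURNS & unreturned_assets):
        findings.append(Finding(user, asset, "asset", days_overdue,
                                _route(asset in SENSITIVE_ASSETS, days_overdue)))
    return findings


def sample_run():
    """Constructed sample: a contractor terminated three days ago whose
    Salesforce and GitHub accounts are still enabled and whose badge was
    never returned."""
    today = date(2023, 6, 10)
    return audit_offboarding("jdoe", today - timedelta(days=3),
                             active_access={"salesforce", "github"},
                             unreturned_assets={"badge"}, today=today)


if __name__ == "__main__":
    for f in sample_run():
        print(f"{f.route:8} {f.kind:6} {f.item:12} {f.days_overdue:+d}d  {f.user}")
```

Run the script to see the three open items and their routes: the Salesforce account and the badge become incidents immediately because they are sensitive and past the termination date, while the GitHub account only goes to the manager because it is three days late. Running the audit on a schedule, rather than once at termination, is what catches the revocation that was ticked off but never actually happened.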
You might not have a "very important tweeters" database in your organization like Twitter does, but you certainly have critical assets to protect. When your SIEM detects unauthorized access or an attempted privilege escalation, it escalates the event to D3, which in turn triggers a NIST-based playbook that guides an analyst through the investigation.
Important data to gather includes who the user is (identity, role, and whether the account should even be active), what credentials were used (authentication method, MFA, source address), and where in the system they were trying to go (the target resource and its data classification). If the target is highly sensitive, such as a store of Personally Identifiable Information (PII), the event can be automatically escalated to a senior analyst.
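The who/what/where enrichment and escalation rule described above, as an added example in Python that is not D3's playbook engine. It takes constructed SIEM events, enriches them from hypothetical directory, entitlement and data-classification tables, records why each event is suspicious, and assigns it to a tier-1 or senior analyst. All user names, resources, IP addresses and rules are constructed for illustration.

```python
"""Access-event triage (added example, not D3 code).

Enrich a SIEM access alert with who / what credentials / where context and
decide whether it stays with a tier-1 analyst or goes to a senior analyst.
"""
from dataclasses import dataclass, field

# Constructed reference data an IR platform would normally pull from the IdP,
# the CMDB and a data-classification register.
DIRECTORY = {
    "jdoe":       {"role": "support_contractor", "status": "terminated", "manager": "asmith"},
    "mlee":       {"role": "dba",                "status": "active",     "manager": "bchan"},
    "svc-backup": {"role": "service",            "status": "active",     "manager": "ops"},
}
CLASSIFICATION = {           # resource -> highest data class it holds
    "crm-db":       "pii",
    "vit-accounts": "pii",   # high-value user accounts, like Twitter's VIT list
    "wiki":         "internal",
    "status-page":  "public",
}
ENTITLEMENTS = {             # role -> resources that role may touch
    "support_contractor": {"crm-db", "wiki"},
    "dba":                {"crm-db", "wiki"},
    "service":            {"status-page"},
}
ESCALATION_ACTIONS = {"grant_admin", "role_change"}


@dataclass
class Ticket:
    event_id: str
    who: dict
    credentials: dict
    where: dict
    reasons: list = field(default_factory=list)
    assignee: str = "analyst"      # tier 1 unless a rule escalates it


def triage(event: dict) -> Ticket:
    """Enrich one SIEM event and apply the escalation rule."""
    user = DIRECTORY.get(event["user"],
                         {"role": "unknown", "status": "unknown", "manager": None})
    resource = event["target"]
    classification = CLASSIFICATION.get(resource, "unknown")
    t = Ticket(
        event_id=event["id"],
        who={"user": event["user"], **user},
        credentials={"auth": event["auth"], "mfa": event.get("mfa", False),
                     "src_ip": event["src_ip"]},
        where={"resource": resource, "classification": classification,
               "action": event["action"]},
    )
    # Why is this suspicious? Each rule adds a human-readable reason.
    if user["status"] != "active":
        t.reasons.append("account not active (status=%s)" % user["status"])
    if resource not in ENTITLEMENTS.get(user["role"], set()):
        t.reasons.append("resource outside role entitlements")
    if event["action"] in ESCALATION_ACTIONS:
        t.reasons.append("privilege escalation attempt")
    if classification == "pii" and not t.credentials["mfa"]:
        t.reasons.append("PII resource accessed without MFA")
    # Escalation rule: PII targets, accounts that should not exist, and
    # privilege escalation go straight to a senior analyst.
    if (classification == "pii" or user["status"] != "active"
            or "privilege escalation attempt" in t.reasons):
        t.assignee = "senior_analyst"
    return t


SAMPLE_EVENTS = [   # constructed SIEM output
    {"id": "E1", "user": "jdoe", "src_ip": "203.0.113.7", "auth": "password",
     "mfa": False, "target": "vit-accounts", "action": "read"},
    {"id": "E2", "user": "mlee", "src_ip": "10.0.4.12", "auth": "sso",
     "mfa": True, "target": "crm-db", "action": "read"},
    {"id": "E3", "user": "svc-backup", "src_ip": "10.0.9.3", "auth": "api_key",
     "mfa": False, "target": "wiki", "action": "role_change"},
]


def triage_all(events=SAMPLE_EVENTS):
    """Triage a batch of events; returns {event_id: Ticket}."""
    return {e["id"]: triage(e) for e in events}


if __name__ == "__main__":
    for ticket in triage_all().values():
        print(ticket.event_id, ticket.assignee, ticket.who["user"],
              ticket.where["resource"], ticket.reasons)
```

E1 is the Twitter-style case: a terminated contractor reaching a high-value account store with a password and no MFA, which collects three reasons and lands with a senior analyst. E2 shows the classification rule on its own: a DBA legitimately reading a PII database with MFA collects no reasons from these checks but still escalates because of the target, so the SIEM's original alert reason should travel with the ticket. E3 escalates on the action alone.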
D3 can even integrate with access control systems within your facilities and offices, so when suspicious activity occurs, like someone attempting to unlock a restricted area, an incident will be automatically created in D3.
Our commitment to information security extends to the data within D3's system as well, using granular role-based access control to restrict who sees what, right down to individual fields on an incident record. This ensures that sensitive information, such as the PII or credentials gathered during an investigation, isn't inadvertently exposed to analysts who have no need to see it.
Maintaining proper information security often extends out into the real world. The fanciest cybersecurity tools don’t mean much when someone can walk right into a restricted area, or keep company laptops and passwords after they’ve been let go. This is why it’s important to have an incident response platform that can help you prepare for, and respond to, the complete range of information security threats. To learn more about the features that every incident response platform should have, check out our Incident Response Buyer’s Guide.