The Alert Logic® ActiveWatch™ services are designed to monitor, detect, and respond to adverse security issues on behalf of our customers. Within this process, there are a number of both automated and manual processes which are supported by our Alert Logic ActiveAnalytics™ platform and our Security Operations Center (SOC) personnel. This document outlines how the overall system and service work and what our standard policy is with respect to handling security events, incidents, escalations, and response operations.
- ActiveAnalytics Platform
- Incident Classification & Escalation Handling
- Required Security Contact Information
An event is an observable occurrence that may imply harm or potential compliance violation as detected by our threat sensors or log collection appliances deployed within the customer's network environment.
An incident is a correlation of events that imply harm to an information system, violate acceptable use policies, or circumvent standard security practices. Alert Logic classifies these incidents into four risk levels: Low, Medium, High, and Critical, as determined by the ActiveAnalytics platform and/or the SOC analyst. Learn more about how best to manage your incidents with our Managing Incidents in the Alert Logic Console knowledge base article.
An escalation is a notification to a customer that there is increased activity that warrants closer monitoring and/or response. In some cases, the ActiveAnalytics platform will "auto-escalate" to customers via email simply for awareness, but in the case of more serious activity, the SOC will email or call the customer directly for follow-up.
Response operations can be automated responses, such as the generation of blocking rules by the sensor to an associated firewall or can be active response and support operations in which our SOC personnel work directly with a customer during an incident.
The ActiveAnalytics platform collects security data from a number of sources across your organization's environment and uses a frequently updated library of correlation rules and machine learning algorithms to identify behavior for security incidents.
Alert Logic ActiveIntelligence™ encompasses the people, processes, and technology responsible for developing and maintaining the security content leveraged by the ActiveAnalytics platform. Security Content Engineering, Data Science, and Threat Intelligence teams tightly collaborate to ensure that the security content leveraged in the ActiveAnalytics platform is keeping pace with the changing security landscape and that feedback from the Security Analyst team is continually fed back into the platform.
Together, the ActiveAnalytics platform and the ActiveIntelligence team save you the large investment of a standalone SIEM solution and your own security research team. To make sense of the massive data Alert Logic collects, the ActiveAnalytics engine processes and normalizes it to uncover security incidents. Valid security threats are vetted and escalated for remediation, which prevents an overflow of false positives and keeps our analysts focused on real, actionable incidents.
Once the ActiveAnalytics Platform has correlated a series of events as an actual incident, it classifies the incident in accordance with the priorities described below. Any incident initially classified with a threat rating of either High or Critical is immediately forwarded to a security analyst in the SOC for investigation.
Incident Classification & Escalation Handling
Low Priority incidents are treated essentially the same as discrete event traffic and are simply logged into the data store. Sometimes referred to as internet noise, these are typically not viewed or acted upon in any way by the Alert Logic SOC. However, they will be visible within the Alert Logic console and users can generate reports showing the status and trending of these issues if desired. Common examples of Low priority incidents include:
- Acceptable Use Policy violations by the customer's employees
- Vendor Scans or authorized internal scans which trigger IDS events
- Untargeted up-host or port scans
Medium Priority incidents consist of activities requiring closer observation and continued monitoring, but don't rise to the level of a real-time response. These types of incidents are typically auto-escalated by default to all pertinent security contacts via email notification. Common examples of Medium priority incidents include:
- Brute force or dictionary attacks
- Automated or drive-by malware infection attempts
- More targeted reconnaissance behavior - simple exploit attempts
- If and when the attacker's behavior becomes more aggressive, the ActiveAnalytics platform will change the priority level and engage SOC personnel directly for escalation to the customer with potential response operations
- This is an example of an incident that can escalate to High or Critical very quickly dependent upon the attacker's behavior and is an area more closely scrutinized and monitored even though it is initially classified as Medium.
High Priority incidents require Alert Logic SOC analysts to proactively notify customers using all provided means of contact information available to us. High priority escalations will result in phone calls and emails to the primary contact. If the contact is not available, the remaining contacts will be notified in the specified order until we successfully reach a designated point of contact. Common examples of High priority incidents include:
- High severity, aggressive, penetration tests
- Larger scale/duration brute force attacks
- Malware Command Control Activity
- Potential Server Compromise - successful SQLi, Webshell activity, etc.
Critical Priority incident escalations follow the same guidelines as High priority incidents, except that they will typically incorporate ongoing direct support from the SOC for the customer for the duration of the incident. Common examples of Critical priority incidents include:
- Information leakage/data retrieval - successful SQL injection that is returning data
- Successful worm propagation
- Problems requiring immediate defense remediation to reduce exposure
- Post-compromise activity - outbound remote shell cmds, attack tool downloads, etc.
Required Security Contact Information
When customers are enrolled in an Alert Logic service, they must provide their Provisioning Coordinator with a prioritized list of at least three security contacts. The SOC can also accommodate specific escalation preferences for partners and customers to assist with service integration to existing processes defined by the client. These customized escalation preferences must be submitted in writing to the SOC for approval and clarification before they can be implemented in the escalation process. Otherwise, the processes and procedures outlined within this article apply.