How to be ahead of Outbreaks!
There are two common checkpoints at which security administrators or managers inspect a computer or host to evaluate its security well-being. The first is periodic report analysis, performed on a monthly or weekly basis as part of the security evaluation meetings; the second is at disaster time, when an incident actually occurs on a service or computer. For major services and critical servers, however, there should be an intermediate level before the service or host fails. This intermediate time is called the Outbreak Period.
The outbreak period is the elapsing time in which an Event is turning into an Incident. During this time our protection systems function and block the threats, so a series of events is logged in our monitoring system which, as noted above, will not be checked until there is a failure in the service or it is reported in the monthly or weekly inspection.
Old School Method
Obviously, it is not possible to check and be sensitive to each and every event happening on a server, let alone on the entire network. However, when an attack or incident is targeting and threatening our resources or assets, there should be a mechanism that alerts us before it can defeat our defenses.
A simple method is to define an alerting system that notifies us of events one by one. This can be beneficial for very sensitive services or highly classified servers, but in large-scale cases such as the whole network, or busier servers with more frequent events, it will not be effective at mitigating an outbreak.
Outbreak Characteristics
The characteristic of an outbreak is the number of events occurring in a certain period of time that an asset or resource can tolerate. According to this definition, our protection systems should be prepared to alert us when the number of events per defined period is approaching the tolerance level. Normally there will be several different notifications, one for each server or service.
SEP Solution
Using the Symantec Endpoint Protection notification management feature, you can create an outbreak notification that is sent to your mailbox, so you are notified when there is irregular growth in the number of events on your network or on any host or computer.
The configuration is quite simple. As an example, we will create an outbreak notification for our SQL server, on which under normal circumstances we do not expect more than a few incidents to be detected in a week. The notification will alert us if more than 50 incidents happen in an hour, which is a considerable number of events for a SQL server in one hour.
Since we may have several other outbreak notifications, after naming our notification we need to define which source or sources this rule applies to. For instance, you can make this rule active on the whole Servers group or the Accountants group; in our case we just fill in the computer name, SQL-Server. If you want to restrict the notification to a certain risk, you can enter its name too.
In the second section, we define the sensitivity settings. The outbreak type can be one of:
- All
- Category 5 (Very Severe)
- Category 4 (Severe) and above
- Category 3 (Moderate) and above
- Category 2 (Low) and above
- Category 1 (Very Low) and above
- Unknown (risks that Symantec Security Response has not rated)
In normal situations, Category 3 covers most cases. However, your choice may vary with the criticality of the service or server.
For the scan type you can choose:
- All
- Scheduled scan
- Manual scan
- Auto-Protect scan
- SONAR
- Console
- Definition download
- System
- Startup scan
- Idle scan
- Manual quarantine
It is recommended to keep this as All, since it does not really matter what found the risk; we just need to be notified that an outbreak is occurring.
When you set the Action Taken on the Risk Outbreak, you can configure the Notification Condition to trigger a notification based on the number of events and the tolerance period; in our case we define 50 occurrences in 60 minutes.
The final option to consider is the Damper, which specifies the period over which events are aggregated into a single notification, to prevent bombarding your mailbox and to keep the notification more comprehensive.
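The threshold-plus-damper logic that the Notification Condition and Damper settings implement, written out as an added Python example (not code from the original post or from Symantec); the host names, categories and event feed are constructed for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Re-implementation of the outbreak-notification logic described above, for illustration.
# Defaults mirror the page's example: 50 events in 60 minutes on SQL-Server,
# Category 3 (Moderate) and above, and a damper that folds repeats into one alert.
def outbreak_alerts(events, threshold=50, window_min=60, damper_min=60, min_category=3):
    """events: iterable of (timestamp, host, category) sorted by timestamp.
    Returns a list of (host, timestamp, events_in_window) notifications."""
    window, damper = timedelta(minutes=window_min), timedelta(minutes=damper_min)
    recent = defaultdict(deque)   # per-host timestamps inside the sliding window
    last_alert = {}               # per-host time of the last notification (damper)
    alerts = []
    for ts, host, category in events:
        if category < min_category:
            continue              # below the configured outbreak type: ignore
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop events older than the tolerance period
        if len(q) < threshold:
            continue              # tolerance level not reached yet
        last = last_alert.get(host)
        if last is not None and ts - last < damper:
            continue              # inside the damper: aggregate, do not re-notify
        last_alert[host] = ts
        alerts.append((host, ts, len(q)))
    return alerts

def constructed_sample():
    """Constructed event feed (not real SEP logs): a burst on SQL-Server,
    background detections on FILE-Server, and low-severity chatter to be ignored."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = []
    for i in range(80):          # 80 Category 4 detections, one every 30 seconds
        events.append((t0 + timedelta(seconds=30 * i), "SQL-Server", 4))
    for i in range(20):          # 20 detections spread over two hours: under threshold
        events.append((t0 + timedelta(minutes=6 * i), "FILE-Server", 3))
    for i in range(100):         # Category 1 noise on SQL-Server, filtered out
        events.append((t0 + timedelta(seconds=20 * i), "SQL-Server", 1))
    return sorted(events)

if __name__ == "__main__":
    for host, ts, count in outbreak_alerts(constructed_sample()):
        print(f"OUTBREAK on {host}: {count} events in the last hour (at {ts:%H:%M})")
```

With the defaults the burst produces a single notification at the 50th event; setting `damper_min=0` shows why the Damper matters, as every further event in the window would re-notify.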
Final Word
Take into consideration that there are no certain recommended numbers or periods for outbreak notifications. Each server and each service might require specific outbreak consideration. However, once you have configured the outbreak notifications, they can last a long time, save the servers from attacks and incidents, and of course prevent the embarrassment of numerous ignored security events in the monthly security evaluation reports and meetings!