5 Ways to Use System Status, Availability and Performance Data to Enhance Security Monitoring

Webinar Registration

“Innocent” system outages and destructive attacks often start out with the same manifestation. The phones light up, your support inbox overflows. There is confusion on the NOC and SOC floors - or your cluster of cubicles depending on your organization’s size. A great Information Week article describes the impact of a logic bomb unleashed one morning on UBS PaineWebber:

Rodriguez, who was in charge of maintaining the stability of the servers in the company's branch offices, heard her computer beep. She turned to look at it and saw the words "cannot find" on her screen…

Then she glanced at her phone and saw that 60 calls had come in all at once.

On any other day, she might have two or three calls on hold at one time.

…

There was "chaos" in the UBS Escalation Center. Systems administrators and other IT workers were streaming into the offices there, asking questions and making suggestions. A room that normally sees six or seven workers was suddenly teeming with 20 or 30 by midmorning.

  • https://www.informationweek.com/nightmare-on-wall-street-prosecution-witness-describes-chaos-in-ubs-painewebber-attack/d/d-id/1043991

One of the key questions to ask when systems or the network apparently go down is: “are we under attack, or is this just an outage?” Either way you need to get systems back up, but if you are under attack it is equally important to initiate security incident response measures at the same time.

This is just one reason why security folks need access to the same information operations staff have. In fact, don’t forget that availability is one of the three tenets of information security, CIA: Confidentiality, Integrity and Availability.

You also need that same system status, availability and performance data when investigating indicators of compromise. For instance, if:

  • your SIEM alerts you to an unrecognized process, you need to know how many other systems have that same process running.
  • you find that a new vulnerability exists in a given device driver, you need to know which systems on the network have that device.
  • your endpoint security solution alerts you to a possible ransomware attack because of high I/O on a file server attributed to an unknown process, can you look at the historical performance stats for that server to determine whether the alert is just a false positive caused by indexing or backups?
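As an added example (not code from the webinar or from SolarWinds), here is the kind of check the first and third bullets describe, run over a constructed process inventory and constructed hourly I/O samples: which hosts run a given process, and whether a file server's current I/O is unusual for that hour of day before a ransomware alert is written off as backup or indexing noise. Host names, process names and the known-scheduled-job list are all assumptions.

```python
"""Triage a SIEM alert against operations inventory and I/O history."""
from statistics import mean, stdev

# Constructed sample data (assumed, not from the page): processes seen per host
INVENTORY = {
    "fs01": {"svchost.exe", "backup-agent.exe", "updater.exe"},
    "fs02": {"svchost.exe", "updater.exe"},
    "ws07": {"svchost.exe", "updater.exe"},
    "ws08": {"svchost.exe"},
}
# Constructed (hour_of_day, disk I/O in MB/s) samples for one file server;
# hour 2 is the nightly backup window, hour 14 is a normal working hour
IO_HISTORY = {
    "fs01": [(2, 180), (2, 195), (2, 170), (2, 188),
             (14, 20), (14, 25), (14, 18), (14, 22)],
}
# Processes operations has told us generate heavy scheduled I/O (assumed)
KNOWN_SCHEDULED = {"backup-agent.exe", "indexer.exe"}


def hosts_running(process):
    """Every host in the inventory where this process is running (bullet 1)."""
    return sorted(h for h, procs in INVENTORY.items() if process in procs)


def io_is_anomalous(host, hour, io_mb_s, threshold=3.0):
    """True when io_mb_s sits more than `threshold` std devs above the
    same-hour baseline. With no usable baseline we treat it as anomalous so
    the alert is looked at rather than silently dismissed."""
    samples = [v for h, v in IO_HISTORY.get(host, []) if h == hour]
    if len(samples) < 3:
        return True
    mu, sigma = mean(samples), stdev(samples)
    if sigma == 0:
        return io_mb_s > mu
    return (io_mb_s - mu) / sigma > threshold


def triage_alert(host, process, hour, io_mb_s):
    """'likely_benign': known scheduled job inside its normal I/O envelope.
    'investigate': known job but unusual I/O, or unknown process at normal I/O.
    'escalate': unknown process driving anomalous I/O (bullet 3)."""
    anomalous = io_is_anomalous(host, hour, io_mb_s)
    if process in KNOWN_SCHEDULED:
        return "investigate" if anomalous else "likely_benign"
    return "escalate" if anomalous else "investigate"
```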

In this real training for free webinar, I will look at the different ways that system status, availability and performance data can be leveraged to investigate security incidents more quickly and more effectively – as well as why having access to both operations and security data is critical during outages to determine if you are under attack.

SolarWinds is sponsoring this training event and Jared Hensle will briefly show you how Server and Application Monitor helps you monitor any application, any server, anywhere – even in the cloud.

Please join us for this real training for free session.
