Monitoring and response to incidents
“Fires are extinguished in winter.” We have all heard this phrase on more than one occasion, and it is almost always used after a major, catastrophic fire that could have been avoided or minimized if prevention and preparation work had been done beforehand.
The same applies to cybersecurity incidents: the work is done in winter. Any response to a cybersecurity incident puts a strain on every team involved, especially the incident response teams and the IT teams that provide direct support.
Just as with major forest fires, preparation and pre-emptive work are key to resolving an incident in the shortest possible time and with the least possible impact.

Conflicts on traditional battlefields
Under the heading of prevention and preparation for facing an incident, we should take into account:
- Firewalls (segmentation, compartmentalization, isolation).
- Cleaning and hygiene (hardening, system operation processes, configuration review).
- Early warning mechanisms (probes, event monitoring, alerts).
A large forest fire without a firebreak will burn out of control, consuming everything in its path. Establishing properly isolated segments and zones helps prevent the uncontrolled spread of the fire, and of the security incident alike.
In the case of forest fires, the firebreaks, as well as the forest itself, must be kept as clean as possible so as not to fuel the fire (burning material, or systems and platforms where vulnerabilities or misconfigurations can be exploited) and to let the firebreaks do their job of stopping its spread.
In the digital case, we talk about hardening and cyber hygiene (for this article, I include patching under this heading). When we find systems that are not properly configured and where minimal cyber hygiene is not maintained, in the event of a cyber incident those systems become the oxygen and fuel that lets the fire keep spreading and damaging our infrastructure.
Early warning
The last point is early warning (the watchtowers). To fight a fire or a cybersecurity incident before it becomes unmanageable and turns into a tragedy, we must know what is happening. Early warning tells us where an incident is starting and lets us direct containment and response measures.
In the case at hand (cyber), early warning plays a fundamental role. It comes in different forms, but the vast majority are concentrated in a central system that collects different sources of information, automatically infers from them whether a notable event is occurring, and raises an alert or not.
Nowadays we find different acronyms and very similar technologies, but when we talk about SIEM (Security Information and Event Management) we all know that we are talking about monitoring and, by extension, about event logs and alerts.
The foundation of any security architecture is monitoring: monitoring of the infrastructure itself and of the systems to be protected, as well as monitoring of every deployed security element.
These security elements, beyond their defensive function, are "probes" that alert us to attacks or threats as they materialize. Active monitoring of these elements, together with correlating events to determine whether a threat is occurring, gives us visibility into which systems are under attack. In our forest fire analogy, we would have visibility into the areas where a fire is starting, or where all the conditions for one are present.
False positives
I open a parenthesis at this point to talk about false positives. Although technologies increasingly allow more detailed and precise analysis of information, and the security systems that act as probes are becoming more accurate, those of us who design and operate a monitoring system face a non-trivial problem: false positives.
In a hyperconnected world, where technological globalization reaches every area and location, monitoring systems must deal with millions of events and conditions to determine whether something appears malicious, is malicious, or is not, along a thin and fuzzy line of grays. Managing false positives is therefore one of the key elements.
And this is where automation comes in: initially as a way to automate the first level of alert management, reducing the number of false positives, automatically contextualizing threats, and triggering response processes without the need for human intervention, thus giving monitoring and alert systems both defensive and offensive responses.
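As an added example (not part of this article, and not taken from any SIEM or SOAR product), the following Python sketch shows the two ideas just discussed working together on constructed log lines: a correlation rule that turns a burst of failed logins followed by a success from the same source into an alert, and a first-level automated triage step that suppresses the alert when the source is a known authorized scanner and otherwise assigns a severity and a playbook name. The log lines, the scanner address, the privileged-user list and the playbook name are all assumptions invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH style (not real data).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50111 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 50112 ssh2
2024-03-01T10:00:05 sshd[1203]: Failed password for admin from 203.0.113.7 port 50113 ssh2
2024-03-01T10:00:08 sshd[1204]: Accepted password for admin from 203.0.113.7 port 50114 ssh2
2024-03-01T10:05:00 sshd[1301]: Failed password for root from 198.51.100.9 port 40001 ssh2
2024-03-01T10:05:02 sshd[1302]: Failed password for root from 198.51.100.9 port 40002 ssh2
2024-03-01T10:05:04 sshd[1303]: Failed password for root from 198.51.100.9 port 40003 ssh2
2024-03-01T10:05:06 sshd[1304]: Accepted password for root from 198.51.100.9 port 40004 ssh2
2024-03-01T11:00:00 sshd[1401]: Failed password for alice from 192.0.2.55 port 33001 ssh2
2024-03-01T11:30:00 sshd[1402]: Accepted password for alice from 192.0.2.55 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed context for triage: an authorized internal vulnerability scanner
# (constructed address) and the accounts we treat as privileged.
AUTHORIZED_SCANNERS = {"198.51.100.9"}
PRIVILEGED_USERS = {"root", "admin"}


def parse(text):
    """Turn raw log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failures from one source inside
    `window`, followed by an accepted login from that same source."""
    recent_failures = defaultdict(list)  # src -> timestamps of failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Drop failures that have aged out of the window.
        recent = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        recent_failures[src] = recent
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": src, "user": ev["user"],
                           "failures": len(recent), "when": ev["ts"]})
            recent_failures[src] = []  # one alert per burst
    return alerts


def triage(alert):
    """First-level automated triage: contextualize the alert and decide whether
    it is a known false positive or should be escalated with a playbook."""
    if alert["src"] in AUTHORIZED_SCANNERS:
        return {**alert, "disposition": "suppressed", "severity": "info",
                "reason": "source is an authorized scanner", "playbook": None}
    severity = "high" if alert["user"] in PRIVILEGED_USERS else "medium"
    return {**alert, "disposition": "escalate", "severity": severity,
            "reason": "successful login after failure burst",
            "playbook": "disable-account-and-notify-soc"}  # assumed playbook name


def run(text):
    """Parse, correlate and triage; returns the list of triaged alerts."""
    return [triage(a) for a in correlate(parse(text))]


if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        print(a["disposition"], a["severity"], a["src"], a["user"], a["reason"])
```

On the sample data the admin burst from 203.0.113.7 is escalated as high severity, the root burst from the scanner address is suppressed with a recorded reason, and alice's single failure half an hour before her login never reaches the threshold. Suppressed alerts are kept rather than discarded so the decision remains auditable; in a real deployment the scanner list and window would come from the SIEM's asset inventory and tuning, not from constants in the rule.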

SOAR (Security Orchestration, Automation, and Response), a widely known term with more than one variant, represents a qualitative leap in incident response: it gives teams greater control over incidents, response procedures that orchestrate multiple security devices, and automation that delivers an immediate response time.
And this is where we can say that we've been preparing for the wildfire campaign since winter, and that our security operations and incident response teams are now ready to resolve any incident with minimal consequences. But we'll address that next time.
Learn much more in our Professional Master in Cybersecurity, Ethical Hacking and Offensive Security.