Alerting: Using intelligence to drown out the noise
Just think about the number of alerts you get in a day. Chances are your day starts with an alert, notifying you that you need to wake up, and they just keep coming. Whether it’s emails, weather, travel, social media – notifications are designed to interrupt, remind, and prompt. They can be extremely useful, sometimes invaluable – but alerts can easily become one small beep in a cacophony of noise, especially if they’re not relevant, intelligent, or required.
A few months ago, we added on-event email alerting to our Office 365 security module, Radar for Security & Audit (formerly Cogmotive Discover & Audit). This feature enables you to set up customisable alerts for specific activities within the tool, for example – you might want to know when a certain user performs an action, or when a specific document or folder is modified or downloaded.
When we developed alerting, we were keen to ensure that our alerts could be refined to suit your exact needs. It’s relatively easy to add alerting functionality to an application or system, but it’s much more challenging to create alerts that are intelligent and customisable. We didn’t want our email notifications to be redirected straight into another inbox folder, where they could be easily ignored – we wanted them to be used proactively as part of an effort to improve security and to investigate potential threats or data loss incidents. That said, getting relevant, useful security alerts takes a little more intelligence and customisation on both sides: the feature, and the person configuring it.
The example below is an alert configured for document modification. In the filters section, the action ‘File modified’ has been chosen, and the file keywords (containing ‘Cashflow Forecasts’) have been set. You could create an alert with these specifications, but it would mean that you get notified whenever anyone modifies this file (whether they are sanctioned to do so or not). That is useful, but it could be even better with further precision – here’s an example.
Neida is your company’s Director of Finance; as part of her role she regularly creates and accesses confidential financial documents, such as Cashflow Forecasts. If you modify the Audit Timeline view to see who modifies documents containing ‘Cashflow Forecasts’ in their file name, there are 7 events, all generated by Neida. This view shows that only the person who should be accessing this file is doing so.

If you want to know when anyone other than Neida, or other members of the Finance team, modifies this file, you can fine-tune your alert to exclude any modifications by Neida and her team. Just build on the configuration above by toggling on ‘exclude these users’ and entering their email addresses.

This is a simple addition that filters out inevitable noise from your alert and allows you to be a little more targeted in your configurations. It is also one quick example amongst the countless customisations available for alerts within Radar for Security & Audit.

If you want to see more detailed examples of how to set up intelligent alerts that could help you improve security, make sure you don’t miss our security-focused webinar tomorrow. Radar Reporting Product Owner Doug Davis will be presenting a session on Radar for Security & Audit that will explore how to develop strong security practices for both active and passive threats, and how alerting can form an integral part of this strategy.
This webinar has already taken place, but don’t worry – you can access the on-demand recording here.
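To make the exclusion rule above concrete, here is an added example (not Radar’s own code or data format) that applies the same filter logic to a constructed set of audit events: the naive ‘File modified’ + ‘Cashflow Forecasts’ rule fires on every sanctioned edit by Neida, while the refined rule with an exclusion list only fires on the one modification by someone outside the Finance team. Event fields, user addresses and file names are all assumed for illustration.

```python
"""Alert filtering over constructed Office 365-style audit events.

Illustrates the page's refined rule: alert on 'File modified' events whose
file name contains 'Cashflow Forecasts', minus the sanctioned Finance users.
The event shape and all sample values are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    user: str        # actor's email address (UPN)
    action: str      # e.g. "File modified"
    file_name: str   # name of the document touched


# Constructed sample: the 7 sanctioned edits by Neida seen in the Audit
# Timeline, plus one out-of-team modification and two non-matching events.
SAMPLE_EVENTS: List[AuditEvent] = [
    *[AuditEvent("neida@example.com", "File modified", f"Cashflow Forecasts Q{i}.xlsx")
      for i in range(1, 5)],
    *[AuditEvent("neida@example.com", "File modified", "Cashflow Forecasts FY.xlsx")
      for _ in range(3)],
    AuditEvent("sam@example.com", "File modified", "Cashflow Forecasts FY.xlsx"),
    AuditEvent("sam@example.com", "File downloaded", "Cashflow Forecasts FY.xlsx"),
    AuditEvent("alex@example.com", "File modified", "Holiday rota.xlsx"),
]

# Assumed membership of the Finance team (the 'exclude these users' list).
FINANCE_TEAM = ["neida@example.com"]


def matching_events(events: Iterable[AuditEvent], action: str, keyword: str,
                    exclude_users: Optional[Iterable[str]] = None) -> List[AuditEvent]:
    """Return events matching the action and file keyword, minus excluded users.

    Keyword and user matching are case-insensitive so that hand-entered
    values such as 'cashflow forecasts' or 'NEIDA@example.com' still match.
    """
    excluded = {u.strip().lower() for u in (exclude_users or [])}
    kw = keyword.lower()
    return [e for e in events
            if e.action == action
            and kw in e.file_name.lower()
            and e.user.lower() not in excluded]


if __name__ == "__main__":
    noisy = matching_events(SAMPLE_EVENTS, "File modified", "Cashflow Forecasts")
    refined = matching_events(SAMPLE_EVENTS, "File modified", "Cashflow Forecasts", FINANCE_TEAM)
    print(f"naive rule: {len(noisy)} alerts; refined rule: {len(refined)} alert(s)")
    for e in refined:
        print("ALERT:", e.user, e.action, e.file_name)
```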