The MDR Incident Management process is designed to address reported threats that pose a risk to the client's environment and to ensure that each one is handled. When the Security Operations Center (SOC) creates an Incident Report ticket, it remains open until the client reports back that the threat has been handled and the risk mitigated.
The more information a security incident contains, the easier it is for the client's security staff to understand and mitigate the threat, so the SOC creates a detailed Security Incident Report. The SOC also recommends that you feed back information on your handling, since this can improve both future Security Incident Reports from the SOC and your own handling of them.
Below is a description of how Samurai SOC performs Incident Management when relevant threats are detected and how the Security Incident life-cycle is managed.
Security Incident life-cycle:
The Incident Management process starts with an alert from a High Value Detection source (EDR, IDS/IPS, NG-FW, CTS, etc.) or from the NTT Security Log Analytics engine RTCE (Real Time Correlation Engine). In both cases, the alert is presented to the Analyst in the Samurai platform. Another possible trigger for the incident management process is a known high-risk global security incident or threat, for example Log4Shell or SolarWinds. In that case, the Analyst starts Retroactive Hunting in the available telemetry data to search for indicators of compromise (IOCs) and determine whether the client has been affected by the newly discovered global threat.
Once the Analyst receives the alert, they analyze the threat through an investigation process that includes reviewing AI/ML correlations and performing threat hunting across all enrichment data, log data and older security incidents. In some cases, the Analyst will also try to recreate the threat in the SOC malware lab.
The Analysis phase can be time-consuming, but its purpose is to identify the attack vectors, verify how the attack has affected the client and determine how the threat can be mitigated. The more detail that is known about a threat, the easier it is to mitigate. However, if the SOC observes that the threat is actively damaging client systems or leaking client data, an initial, expedited Security Incident Report is created to inform the client so that client assets can be protected. The SOC then updates the initial Security Incident Report with all the threat details needed.
When a new report is created it will be made available in the Help Center in PDF format along with an automated email notification sent to the predefined email addresses (collected in the onboarding phase). The email will contain key information such as severity and title, a link to the Help Center and a copy of the PDF. The initial Security Incident Status is set to Awaiting your reply. If the Security Incident severity is critical, the SOC will also call the client.
When creating the Security Incident Report, the SOC may perform remote isolation of infected client endpoints using the client's EDR. The SOC will also include a recommendation on whether the client should engage an Incident Response Team (whether that is an internal team, a team provided by NTT, or a third party). If further remediation is required, the client can also engage the NTT Incident Response Team, provided this service is included in the MDR contract.
Once the client is informed by a notification email (or telephone call if severity is critical), the ticket will enter the handling phase.
The SOC will also include recommended actions in the ticket for the client to perform. The client can ask additional questions in the ticket. To add feedback or comments, click on the Add to conversation field and enter your feedback or questions.
Once the client clicks "Submit", the ticket state is updated to Open, meaning the next action is on the SOC. The SOC will respond to your question or feedback. You can still add feedback and questions while the state is Open and the next action is with the SOC.
To ensure that a critical or high severity Security Incident is progressing towards closure, you will get email reminders after 3 and 7 days without any actions on the ticket. As long as you are an authorized Help Center user, you can also respond via email and your feedback will be added. If you are not an authorized user, your email will be rejected.
As long as the SOC is working on a response to your questions, the ticket state will be Open. When the SOC responds, the ticket state will be put back to Awaiting your reply. If the SOC detects that a new or existing threat re-emerges or there is new vital information, the Security Incident will be updated, even if it's in an Awaiting your reply state.
When the risk has been mitigated or the client has accepted the risk (e.g. by managing the threat), the client needs to request that the ticket be closed. This decision is based on the client's assessment that it has taken sufficient action to mitigate the risk and is now comfortable with closure of the incident. The SOC will then set the ticket to Solved, and if there are no objections (comments or emails), the ticket will automatically be Closed after 10 days. Once a ticket is closed, it will not be re-opened. A ticket is considered handled when it is closed. In the event the SOC receives a request to close the ticket during an open investigation, confirmation of the request will be included in the ticket details.
If the SOC does not receive a closure request from the client, the security incident is kept active in the Awaiting your reply state. Notifications are sent at day 3 and day 7 without any feedback, and the SOC will present and go through all non-closed security incidents in the regular Threat Review Meetings. This is to ensure that the client handles all reported threats and risks. If the SOC has received no feedback, this could mean that the threat is still present and active, even though it was reported months ago.
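The ticket life-cycle described above (Awaiting your reply, Open, Solved, Closed, the day-3 and day-7 reminders, and the 10-day auto-close) can be modelled as a small state machine. The following is an added example written for this page, not NTT's or Samurai's own code: a client-side tracker that replays ticket events and reports whose turn it is, which reminders are due, and whether a Solved ticket has auto-closed. The event names, the `Ticket` and `Event` types, the constructed timeline, and the assumption that an objection to a Solved ticket returns it to the SOC (Open) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Ticket states as named on the page.
AWAITING = "Awaiting your reply"   # next action is on the client
OPEN = "Open"                       # next action is on the SOC
SOLVED = "Solved"                   # closure requested; auto-closes after 10 days
CLOSED = "Closed"                   # terminal: never re-opened

REMINDER_DAYS = (3, 7)              # reminders for critical/high tickets left idle
AUTO_CLOSE_DAYS = 10                # Solved -> Closed when no objection arrives

# (current state, event kind) -> new state. Event kinds are assumed names.
TRANSITIONS = {
    (AWAITING, "client_submit"): OPEN,
    (OPEN, "client_submit"): OPEN,               # client may keep adding feedback while Open
    (OPEN, "soc_response"): AWAITING,
    (AWAITING, "soc_update"): AWAITING,          # SOC may update even while awaiting a reply
    (OPEN, "soc_update"): OPEN,
    (AWAITING, "client_closure_request"): SOLVED,
    (OPEN, "client_closure_request"): SOLVED,
    (SOLVED, "client_objection"): OPEN,          # assumption: an objection hands it back to the SOC
    (SOLVED, "auto_close"): CLOSED,
}

T0 = datetime(2024, 1, 1, 9, 0)                  # constructed report creation time


def day(n: int) -> datetime:
    """Constructed timeline helper: n days after the report was created."""
    return T0 + timedelta(days=n)


@dataclass
class Event:
    at: datetime
    kind: str
    actor: str                                   # "client", "soc" or "system"


@dataclass
class Ticket:
    severity: str                                # "critical", "high", "medium", "low"
    created: datetime
    state: str = AWAITING                        # a new report starts as Awaiting your reply
    events: List[Event] = field(default_factory=list)
    last_action: Optional[datetime] = None
    solved_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        self.last_action = self.created

    def apply(self, event: Event) -> None:
        """Advance the ticket by one event, refusing transitions the process does not allow."""
        if not can_apply(self, event.kind):
            raise ValueError(f"event {event.kind!r} not allowed in state {self.state!r}")
        self.state = TRANSITIONS[(self.state, event.kind)]
        self.events.append(event)
        self.last_action = event.at
        if self.state == SOLVED:
            self.solved_at = event.at


def can_apply(ticket: Ticket, kind: str) -> bool:
    """Closed tickets accept nothing; otherwise consult the transition table."""
    return ticket.state != CLOSED and (ticket.state, kind) in TRANSITIONS


def next_action_on(ticket: Ticket) -> Optional[str]:
    """Who the ticket is waiting on: the client, the SOC, or nobody once closed."""
    return {AWAITING: "client", OPEN: "soc", SOLVED: "client", CLOSED: None}[ticket.state]


def due_reminders(ticket: Ticket, now: datetime) -> List[int]:
    """Day-3/day-7 reminders fire for critical/high tickets idle in Awaiting your reply."""
    if ticket.state != AWAITING or ticket.severity not in ("critical", "high"):
        return []
    idle_days = (now - ticket.last_action).days
    return [d for d in REMINDER_DAYS if idle_days >= d]


def auto_close_if_due(ticket: Ticket, now: datetime) -> bool:
    """Move a Solved ticket to Closed once 10 days have passed without objection."""
    if ticket.state == SOLVED and now - ticket.solved_at >= timedelta(days=AUTO_CLOSE_DAYS):
        ticket.apply(Event(now, "auto_close", "system"))
        return True
    return False


def needs_threat_review(ticket: Ticket) -> bool:
    """Every non-closed ticket is walked through in the Threat Review Meeting."""
    return ticket.state != CLOSED


if __name__ == "__main__":
    # Constructed walk-through of one critical ticket.
    t = Ticket(severity="critical", created=T0)
    print(t.state, "reminders due on day 8:", due_reminders(t, day(8)))   # [3, 7]
    t.apply(Event(day(8), "client_submit", "client"))                     # -> Open
    t.apply(Event(day(9), "soc_response", "soc"))                         # -> Awaiting your reply
    t.apply(Event(day(10), "client_closure_request", "client"))           # -> Solved
    print(t.state, "auto-closed on day 20:", auto_close_if_due(t, day(20)))
    print(t.state, "still needs review:", needs_threat_review(t))
```

The table-driven transitions keep the process rules in one place, so an unexpected event (for instance feedback on a Closed ticket) fails loudly instead of silently re-opening the incident, which matches the page's rule that closed tickets are never re-opened.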