Love them or hate them, tickets are an essential task management tool in the tech industry. For many IT professionals, ticket management can feel a bit like fighting the Hydra: close one ticket and three more take its place.
This is especially true of security tools. These days they ship with ticketing built in, but the tickets are often autogenerated too aggressively, with poor scope and little context. A backlog of tickets all marked 'urgent' eats your productivity as you slog through them, and can make you look bad to your boss as your performance metrics slide.
To help IT professionals be their organization's security hero, impress their boss, and reduce the ticket burden, EiQ has three key tips on managing security tickets, based on practices our most security-conscious customers follow:
Have you ever been handed a ticket that lacked the information needed to get the job done? Or a ticket with a report attached that your SIEM or vulnerability scanner spat out, containing far too much irrelevant information?
Truly useful tickets contain all the information you need to research and evaluate the task at hand, and leave out anything outside the scope of your environment. You don't need to know how an incident could affect Windows 10 when you only run Windows Server 2012 R2, or how a vulnerability affects CentOS 6 when you run Ubuntu 16.04.
Dealing with security problems requires environmental context to narrow your focus to the relevant details and ignore the rest. Tickets also need business context: the value of the assets affected (are they critical to revenue-generating operations, or do they store or transport sensitive data?) and any internal remediation standards required by compliance frameworks or SLAs. These details determine the priority of the ticket and usually fix a deadline for completing the remediation.
Great incident and vulnerability tickets follow this typical outline:
- A concise, informative title about the incident or vulnerability
- Details about the incident or vulnerability, its severity, the priority to resolve it, and the deadline
- Affected machines and their OSes, how many are affected overall, and their business value
- Relevant links for further research
- Mitigation options (what reduces exposure until the fix is in place)
- Proposed remediation and suggestions for how to carry out the fix
- A verification method (a re-scan or a configuration check) to confirm the remediation took effect
Making sure this information is in every ticket is key to successful incident response and vulnerability remediation. You will close more tickets with fewer recurring problems, and your colleagues will love working with you because they will need to ask fewer questions.
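The following is an added example, not code from the original post or from SOCVue, of what "scoping" a scanner finding into a ticket that follows the outline above looks like in practice. It takes a raw finding, keeps only the hosts and platforms that exist in the inventory, derives priority and deadline from severity plus business value and an assumed SLA table, and refuses to file a ticket that is missing any outline field. The asset inventory, the finding, the SLA numbers and the field names are all constructed assumptions.

```python
"""Build a scoped, prioritized ticket from a raw scanner finding.

Added example, not EiQ/SOCVue code. The SLA table, asset inventory, finding
and field names are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITIES = ("low", "medium", "high", "critical")

# Assumed internal remediation standard: days allowed to fix, indexed by
# severity, as (business-critical asset, everything else).
SLA_DAYS = {"critical": (7, 14), "high": (14, 30), "medium": (30, 60), "low": (90, 180)}

# Every field of the ticket outline; a ticket missing any of them is rejected.
REQUIRED_FIELDS = ("title", "details", "severity", "priority", "deadline",
                   "affected_assets", "business_value", "references",
                   "mitigations", "remediation", "verification")


@dataclass
class Asset:
    hostname: str
    os: str
    business_critical: bool  # revenue generating, or stores/transports sensitive data


@dataclass
class Finding:
    title: str
    description: str
    severity: str
    affected_platforms: list  # every platform the advisory mentions
    affected_hosts: list      # hostnames the scanner flagged
    references: list
    mitigations: list
    remediation: str
    verification: str


def missing_fields(ticket):
    """Outline fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not ticket.get(f)]


def build_ticket(finding, inventory, opened):
    """Return a complete ticket dict, or None if nothing in our inventory is affected."""
    by_host = {a.hostname: a for a in inventory}
    affected = [by_host[h] for h in finding.affected_hosts if h in by_host]
    if not affected:
        return None
    our_os = {a.os for a in affected}
    # Environmental context: drop advisory text about platforms we do not run.
    platforms = [p for p in finding.affected_platforms if p in our_os]
    # Business context: one business-critical asset tightens the SLA and raises priority.
    critical = any(a.business_critical for a in affected)
    sla = SLA_DAYS[finding.severity][0 if critical else 1]
    priority = max(1, 4 - SEVERITIES.index(finding.severity) - (1 if critical else 0))
    ticket = {
        "title": f"[{finding.severity.upper()}] {finding.title} on {len(affected)} host(s)",
        "details": finding.description,
        "severity": finding.severity,
        "priority": f"P{priority}",
        "deadline": (opened + timedelta(days=sla)).isoformat(),
        "affected_assets": {a.hostname: a.os for a in affected},
        "affected_platforms": platforms,
        "business_value": "critical" if critical else "standard",
        "references": finding.references,
        "mitigations": finding.mitigations,
        "remediation": finding.remediation,
        "verification": finding.verification,
    }
    gaps = missing_fields(ticket)
    if gaps:
        raise ValueError(f"refusing to file incomplete ticket, missing: {gaps}")
    return ticket


# Constructed sample data (not real hosts, and not a real advisory).
INVENTORY = [
    Asset("web01", "Windows Server 2012 R2", business_critical=False),
    Asset("db01", "Windows Server 2012 R2", business_critical=True),
    Asset("build01", "Ubuntu 16.04", business_critical=False),
]
SAMPLE_FINDING = Finding(
    title="SMB signing not required",
    description="Scanner reports SMB signing is optional on the listed hosts.",
    severity="high",
    affected_platforms=["Windows 10", "Windows Server 2012 R2", "CentOS 6"],
    affected_hosts=["web01", "db01", "not-our-host"],
    references=["https://example.invalid/advisory"],  # placeholder link
    mitigations=["Restrict SMB (445/tcp) to trusted networks until fixed"],
    remediation="Enable 'Microsoft network server: Digitally sign communications (always)' via GPO",
    verification="Re-scan the hosts and confirm the finding no longer appears",
)
SAMPLE_OPENED = date(2017, 1, 10)

if __name__ == "__main__":
    import json
    print(json.dumps(build_ticket(SAMPLE_FINDING, INVENTORY, SAMPLE_OPENED), indent=2))
```

Run as-is, the finding affecting three advisory platforms and three hostnames becomes a P1 ticket for two Windows Server 2012 R2 hosts with a 14-day deadline; the Windows 10 and CentOS 6 text and the unknown host are dropped, and the one business-critical asset (db01) is what tightens the SLA from 30 days to 14.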
Before easy-to-integrate ticketing systems like JIRA and Zendesk became widespread, most small and medium-sized businesses used email to track issues, and some still do. Tracking issue resolution and task progress through email led to many annoying "Did you investigate this yet?" emails. Now ticketing systems are easy and cheap to integrate, but they have their own problems, especially when dealing with incidents or remediating vulnerabilities.
Tickets often end up with messenger-style conversations shoehorned into article-style comment threads, and the task description is never updated with the relevant information buried in those comments. Tickets can often be assigned to only one person, so key parties may not be properly informed of a ticket's implications or able to give feedback in an auditable form. IT teams and security teams are often siloed by their ticketing systems, despite their work being critically intertwined. Being able to audit tickets is necessary: most compliance frameworks mandate an incident and vulnerability handling process. Well-kept tickets are excellent proof for any auditor knocking on your door that you have a process and are using it.
EiQ has found that customers who treat ticket comments as a dialogue resolve tickets faster. Our SOC team has adopted this approach when helping customers with lower-severity incidents and incident-related remediation. Of course, when an incident is critical, our SOC and customer support specialists do not hesitate to pick up the phone and call.
Collaboration on tickets gets jobs done faster, and having ticketing built into your security tools, as in SOCVue Portal, reduces context-switching while collaborating on incident and vulnerability investigation and remediation. The ticketing in your security tools should support practical security ticket use, or at least be working towards it.
OK, maybe this one isn't such a secret, but far fewer people than you might think track ticket metrics effectively. Counting only tickets opened and resolved per month leaves out most of the insight into organizational trends and gives the illusion that all tickets are created equal. Incident tickets should be used to track median or mean time to resolution, incident type trends (is the organization being targeted or attacked in a specific way?), incident rate trends, and incidents per asset.
Metrics on incident tickets help define and assess your risk profile, and can help you build a case for more budget to better secure vulnerable, business-critical assets. Vulnerability ticket metrics likewise help when evaluating your organization's risk profile, and they show your team's productivity. Good metrics include median or mean time to remediation, severity trends, tickets per asset grouped by severity, median risk score reduction per ticket remediated, and tickets resolved per month per employee, broken down by severity. Vulnerability ticket metrics show the organization's leaders the value of your remediation work and can justify extra budget for prevention or system upgrade projects. Metrics will need to be tailored to your organization's structure and goals, but starting with a few generic ones like these will show you which tailored metrics you actually need.
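As an added example (not code from the original post or from SOCVue), here is how the metrics listed above can be computed from a flat ticket export. The Ticket fields and the sample tickets are constructed assumptions; in practice you would load the same fields from your ticketing system's API or CSV export. Note that time to resolution is computed only over closed tickets, with the open backlog reported separately, so that long-running open tickets do not silently vanish from the numbers.

```python
"""Compute incident and vulnerability ticket metrics from a ticket export.

Added example, not part of the original post or of SOCVue. The Ticket fields
and SAMPLE_TICKETS are constructed assumptions; swap in your own export.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Ticket:
    tid: str
    kind: str              # "incident" or "vulnerability"
    severity: str
    asset: str
    category: str          # incident type, or vulnerability class
    assignee: str
    opened: str            # ISO 8601 timestamp
    closed: Optional[str]  # None while the ticket is still open
    risk_before: float = 0.0  # asset risk score before/after remediation (vulns only)
    risk_after: float = 0.0


def _hours(t):
    delta = datetime.fromisoformat(t.closed) - datetime.fromisoformat(t.opened)
    return delta.total_seconds() / 3600


def time_to_resolution(tickets, kind):
    """Mean and median hours to resolve closed tickets of one kind, plus open backlog."""
    hours = [_hours(t) for t in tickets if t.kind == kind and t.closed]
    still_open = sum(1 for t in tickets if t.kind == kind and not t.closed)
    return {"mean_h": mean(hours), "median_h": median(hours), "open": still_open}


def per_asset_by_severity(tickets, kind):
    """Tickets per asset, grouped by severity: which assets keep generating work."""
    out = defaultdict(Counter)
    for t in tickets:
        if t.kind == kind:
            out[t.asset][t.severity] += 1
    return {a: dict(c) for a, c in out.items()}


def monthly_trend(tickets, kind, attr):
    """Count tickets per month of opening by one attribute (category or severity)."""
    out = defaultdict(Counter)
    for t in tickets:
        if t.kind == kind:
            out[t.opened[:7]][getattr(t, attr)] += 1
    return {m: dict(out[m]) for m in sorted(out)}


def median_risk_reduction(tickets):
    """Median drop in asset risk score per remediated vulnerability ticket."""
    drops = [t.risk_before - t.risk_after
             for t in tickets if t.kind == "vulnerability" and t.closed]
    return median(drops)


def resolved_per_employee(tickets, kind):
    """Closed tickets per (month closed, assignee), severities listed highest first."""
    out = defaultdict(Counter)
    for t in tickets:
        if t.kind == kind and t.closed:
            out[(t.closed[:7], t.assignee)][t.severity] += 1
    return {k: dict(sorted(c.items(), key=lambda kv: SEVERITY_RANK[kv[0]]))
            for k, c in sorted(out.items())}


# Constructed sample export: three incidents and four vulnerability tickets.
SAMPLE_TICKETS = [
    Ticket("INC-1", "incident", "high", "web01", "phishing", "alice",
           "2017-01-02T09:00:00", "2017-01-02T13:00:00"),
    Ticket("INC-2", "incident", "critical", "db01", "malware", "bob",
           "2017-01-05T10:00:00", "2017-01-06T10:00:00"),
    Ticket("INC-3", "incident", "medium", "web01", "phishing", "alice",
           "2017-02-01T08:00:00", "2017-02-01T10:00:00"),
    Ticket("VUL-1", "vulnerability", "high", "web01", "openssl", "alice",
           "2017-01-03T09:00:00", "2017-01-10T09:00:00", 8.0, 2.0),
    Ticket("VUL-2", "vulnerability", "critical", "db01", "smb", "bob",
           "2017-01-04T09:00:00", "2017-01-07T09:00:00", 9.5, 1.0),
    Ticket("VUL-3", "vulnerability", "low", "fs01", "ssh-banner", "alice",
           "2017-01-20T09:00:00", None, 2.0, 2.0),
    Ticket("VUL-4", "vulnerability", "medium", "web01", "openssl", "bob",
           "2017-02-03T09:00:00", "2017-02-05T09:00:00", 5.0, 1.0),
]

if __name__ == "__main__":
    for kind in ("incident", "vulnerability"):
        print(kind, time_to_resolution(SAMPLE_TICKETS, kind))
        print(kind, "per asset", per_asset_by_severity(SAMPLE_TICKETS, kind))
    print("incident types by month", monthly_trend(SAMPLE_TICKETS, "incident", "category"))
    print("median risk reduction", median_risk_reduction(SAMPLE_TICKETS))
    print("resolved per employee", resolved_per_employee(SAMPLE_TICKETS, "vulnerability"))
```

On the sample data the incident mean time to resolution is 10 hours but the median is 4: one 24-hour malware incident skews the mean, which is exactly why the post recommends tracking both. The per-asset view shows web01 recurring in both incident and vulnerability tickets, the kind of signal that supports a budget request for that asset.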
With SOCVue Security Monitoring, Vulnerability Management, and Patch Management services, you will be able to close tickets fast. Our SOC team investigates alerts for you and opens tickets only when there is real concern about a potential incident in your network. The Vulnerability Management and Patch Management services let you detect vulnerabilities in your organization's systems and then remediate them quickly without leaving SOCVue Portal. EiQ is constantly working on better ticketing implementations that break down the silos between IT administration and security, so customers can do both better.