98% of all cyber attacks that target enterprises originate from networks whose operators could have prevented many of them with proper abuse management. Unfortunately, many of those organizations do not take Abuse Management seriously. In many cases it is simply a lack of understanding, or overconfidence in existing tools or in a few homebrew Perl or Python scripts.
Establishing new processes or changing existing ones is still a significant problem for companies, especially when the understanding of what is actually needed is missing or vague.
Companies usually understand the sales process and use CRM systems to improve visibility and ease of use. Companies also understand the development process and use systems like Jira. Security teams use SIEM, SOAR, XDR or whatever the latest acronym is, depending on when you read this post. Abuse Management teams usually do not get dedicated tools. They are often asked whether such tools even exist, since most teams work out of old ticketing systems and homegrown scripts.
Even if management agrees to get the Abuse Management team the tools it needs, a worse problem arises when they believe that everything the team needs can be squeezed into software that does not have the required capabilities. The best examples are SOAR platforms, or Splunk in general. Don't get me wrong: those tools have their place and can be integrated very well into an abuse management system, but they cannot replace it.
But what are the core requirements?
Data
Let's start at the beginning, where the Abuse Management process starts. Abuse Management is not a security issue or a network issue. It is a data issue! Abuse Management is about detecting abusive behavior, or problems such as vulnerabilities that might become gateways for abusive behavior.
Unlike enterprises, where computers are tightly controlled and managed by the IT security team, service providers are not allowed to install software or updates on our home computers or to sniff our traffic to find issues. That is why concrete data about actual abusive behavior is so important. Internal observations of abusive behavior and third-party data feeds, such as Shadowserver, are the two most common data sources. The external feeds are essential for another reason as well: the same data is what others use to judge your network's reputation.
In a more advanced state, internal data can play a huge role in your day-to-day Abuse Management, mainly because it should be highly trusted and well-understood.
More importantly, instead of just sitting on the data, make sense of it and identify the customer in your network who is responsible for each event. This resolution step is the most critical one, because your goal should be to stop the abusive behavior as quickly as possible, and that becomes significantly harder if you do not know who is responsible. In other words, you need data that is actionable.
Now that we know who to talk to, what's next?
Aggregation and Prioritization
Now that we know which customer is responsible for every incoming event, we want to bundle those events into some structure, such as tickets or cases. Building those cases and aggregating different events into them is very important because it shows you your actual workload. It doesn't matter whether you receive 1,000 or 100,000 events per day if the number of cases that need attention is the same in the end. Once you can handle all the incoming data with a proper solution, more data is preferable, because it bubbles up issues faster, depending on the prioritization you chose. But prioritization should not, and most of the time is not, based on the number of events per case.
Event count is usually only used at the start because it is a simple way to prioritize. Later, prioritization should be based on your business case and the (legal) risk exposure you want to manage. As a big mail operator, spam and compromised accounts will most likely be higher on your list than other types of abusive behavior. As a hosting provider, copyright and trademark infringement and illegal material such as CSAM will most likely be higher on your list than classic spam from your hosted network.
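As an added example, not code from the original post, here is what the resolution, aggregation and prioritization steps above look like in Python. It works on a constructed report in a Shadowserver-style CSV layout (the column names are an assumption, not the real feed's schema), a constructed IP assignment table, and assumed category weights. Every event is resolved to a customer by longest-prefix match, bundled into one case per customer and category, and the cases are ordered by business weight first and event count second. Events that match no allocation are kept aside as unresolved instead of being silently dropped.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed sample report in a Shadowserver-style CSV layout. The column
# names are an assumption for this example, not the real feed's schema.
REPORT_CSV = """timestamp,ip,category,detail
2024-05-01T10:00:00Z,198.51.100.17,spam,open smtp relay
2024-05-01T10:05:00Z,198.51.100.17,spam,open smtp relay
2024-05-01T11:30:00Z,198.51.100.200,copyright,bittorrent seed
2024-05-01T12:00:00Z,203.0.113.5,spam,botnet member
2024-05-01T12:10:00Z,192.0.2.9,malware,open proxy
"""

# Constructed IP assignment table: customer id -> prefixes allocated to them.
# In production this comes from your IPAM, RADIUS or DHCP records.
ALLOCATIONS = {
    "cust-1001": ["198.51.100.0/25"],
    "cust-1002": ["198.51.100.128/25"],
    "cust-2001": ["203.0.113.0/24"],
}

# Business-case weights (assumed values). A hosting provider might rank
# copyright and illegal material above spam; a mail operator would invert that.
TYPE_WEIGHT = {"csam": 100, "copyright": 40, "malware": 30, "spam": 10}


@dataclass
class Case:
    """One case bundles every event of one category for one customer."""
    customer: str
    category: str
    events: list = field(default_factory=list)

    def priority(self):
        # The business-driven weight decides; the event count only breaks ties.
        return (TYPE_WEIGHT.get(self.category, 1), len(self.events))


def resolve_customer(ip_str, allocations=ALLOCATIONS):
    """Map an abusive IP to the responsible customer by longest-prefix match.

    Returns None when the IP is in no known allocation, so the caller can
    keep the event for manual lookup instead of losing it.
    """
    ip = ipaddress.ip_address(ip_str)
    best = None
    for customer, prefixes in allocations.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, customer)
    return best[1] if best else None


def build_cases(report_csv=REPORT_CSV, allocations=ALLOCATIONS):
    """Resolve every event to a customer and aggregate into prioritized cases."""
    cases = {}
    unresolved = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        customer = resolve_customer(row["ip"], allocations)
        if customer is None:
            unresolved.append(row)  # not actionable yet: needs a manual lookup
            continue
        key = (customer, row["category"])
        cases.setdefault(key, Case(customer, row["category"])).events.append(row)
    ordered = sorted(cases.values(), key=Case.priority, reverse=True)
    return ordered, unresolved


if __name__ == "__main__":
    ordered, unresolved = build_cases()
    for case in ordered:
        print(f"{case.customer:10} {case.category:10} "
              f"events={len(case.events)} priority={case.priority()}")
    print(f"{len(unresolved)} event(s) could not be resolved to a customer")
```

On the constructed input this yields three cases: the single copyright report for cust-1002 ranks above the two spam reports for cust-1001, and the event from 192.0.2.9 stays in the unresolved list. The one thing to add before running this against real data is time: with dynamic or reassigned addresses the lookup has to use the assignment that was valid at the event's timestamp, not today's, or the notice goes to the wrong customer.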
Automation
While aggregation stays critical, the importance of prioritization shrinks once automation is in place. Prioritization matters most at the very beginning of your journey, while you set up the initial automation for your most important issues. Once that automation runs, you only need to prioritize what is left over and not automated.
Automation can be essential to your Abuse Management efforts, but it is not always necessary or even possible. There are cases where the effort to automate is higher than the benefit. In others you have to involve other teams, such as legal, and full automation becomes more complex than handling the cases manually. Your best option is a solution that can automate your processes partially.
A huge benefit of automation that is often overlooked is speed. But why is speed critical?
Think about a straightforward automated process. You have a customer about whom you have received a few spam reports, coming from their server or their home computer. They might have installed a new WordPress plugin or clicked on a suspicious attachment in an email. If you send them a notification email five days after the first events came in, they have no idea that the WordPress plugin or that odd email they clicked on might be connected to the issue. If you email them within a few hours, that connection is still obvious and saves you a lot of explaining. More importantly, it helps the customer fix their problem faster, which reduces the harm being done. As a cherry on top, we have seen a significant drop in support tickets when customers are informed immediately, which saves you resources and, ultimately, budget.
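As an added example covering both the partial-automation point and the speed argument above, not the author's code, the routing and timing logic could look like this in Python. The category sets, the four-hour notification target and the one-day escalation window are assumed policy values, and the sample cases are constructed. Cases with machine-verifiable evidence are sent a templated notice automatically, cases with legal obligations go to a person, and anything manual that nobody touched within the escalation window is flagged so it does not sit for five days.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy: which case categories are safe to handle without a human.
AUTO_NOTIFY = {"spam", "malware"}    # evidence is machine-verifiable; template notice suffices
NEEDS_LEGAL = {"csam", "copyright"}  # reporting/takedown obligations; a person decides

# Assumed targets: notify within hours, escalate anything still untouched after a day.
NOTIFY_WITHIN = timedelta(hours=4)
ESCALATE_AFTER = timedelta(hours=24)


def route_case(category, event_count, min_events=2):
    """Decide who handles a case: automation, a human analyst, or legal."""
    if category in NEEDS_LEGAL:
        return "legal"
    if category in AUTO_NOTIFY and event_count >= min_events:
        return "auto-notify"
    return "manual"


def dispatch(cases, now):
    """Return one decision per case, with notification lag and SLA status.

    Each case is a dict with customer, category, event_count,
    first_seen (datetime) and notified_at (datetime or None if still open).
    """
    decisions = []
    for case in cases:
        route = route_case(case["category"], case["event_count"])
        reference = case["notified_at"] or now  # still open: measure against now
        lag = reference - case["first_seen"]
        if route == "manual" and case["notified_at"] is None and lag > ESCALATE_AFTER:
            route = "escalate"  # a manual case nobody picked up in time
        decisions.append({
            "customer": case["customer"],
            "route": route,
            "lag_hours": round(lag.total_seconds() / 3600, 1),
            "sla_breached": lag > NOTIFY_WITHIN,
        })
    return decisions


# Constructed sample cases (not real data).
T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_CASES = [
    {"customer": "cust-1001", "category": "spam", "event_count": 3,
     "first_seen": T0, "notified_at": T0 + timedelta(hours=1)},
    {"customer": "cust-2001", "category": "spam", "event_count": 1,
     "first_seen": T0, "notified_at": None},
    {"customer": "cust-1002", "category": "copyright", "event_count": 1,
     "first_seen": T0, "notified_at": None},
]


def dispatch_sample(hours_after_first_seen):
    """Run the constructed cases as if `now` were N hours after the first event."""
    return dispatch(SAMPLE_CASES, now=T0 + timedelta(hours=hours_after_first_seen))


if __name__ == "__main__":
    for decision in dispatch_sample(hours_after_first_seen=120):  # five days later
        print(decision)
```

Run five days after the first events, the auto-notified spam case shows a one-hour lag and no breach, the single-event spam case has turned into an escalation, and the copyright case is still with legal but flagged as breaching the notification target. The point of the `sla_breached` flag is that the unautomated remainder is measured against the same clock as the automated part.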
Conclusion
Running your Abuse Management on old homegrown or ill-fitting tools is not only harmful to your business but also frustrates your employees. Finding the right way to build or improve your processes is not always easy, but it can be done faster and with fewer resources when the right data and the right tools are in place.
Data – Aggregation/Prioritization – Automation is the trifecta that makes the difference. There are obviously plenty of other nice-to-haves and helper functions that will improve your day-to-day work and make your job easier and more successful, but starting with the basics and building up from there is the way to go.