As we work with more and more network providers (ISPs and hosting providers) and their abuse desk(s), it is becoming clear that we have stumbled upon a larger industry question: “Are network providers (ISPs and hosting providers) focusing on the best types of abuse to keep their networks as safe as possible?”
If we look at the broader question of Security Operations Center (SOC) and abuse management, and ask whether network providers are:
- Tagging and filtering incident reports by the type of abuse? Can network providers easily filter abuse reports by incident type so that they can prioritize their efforts effectively?
- Identifying the subscriber automatically for every incident? Are network providers automatically identifying every abuse report incident by the subscriber account associated with it, so the provider can directly address the underlying root cause with the subscriber running that instance? Or is the network provider manually matching subscribers to 20% of their inbound abuse reports?
- Grouping all subscriber incidents into a single case? Are network providers tying all of a subscriber's incidents together under a single case ID to understand the entire scope of each subscriber with an issue, thus allowing them to craft the best customer response?
See also: The Processes Behind Improved Network Security and Effective Abuse Handling.
SOC and Abuse Desk Management Best Practices
Let's drill into these three best practices to understand why they are critical cybersecurity paradigms for SOC and abuse management best practices.
Tagging and filtering incident reports by the type of abuse
Example
Hypothetically, what if you received 14,000 reports about a spammer? In that case, should you handle those spam messages (using the weight of 14,000 reports) before addressing a single reported instance of a phishing attack?
Sometimes, it makes more sense to clear out the most significant volume of incidents first, but that's precisely how ransomware or child exploitation reports often slip through the cracks.
If you have report filters by abuse type, you can see where to prioritize your response efforts.
Tagging and filtering incident reports by the type of abuse ensures proper prioritization of effort.
Identifying the subscriber automatically for every incident
Example
What if a subscriber installs a WordPress plugin and receives an automated abuse alert from you 15 minutes later?
With a rapid reaction time, your subscriber is more likely to connect the two events and solve the problem independently. However, if a message is sent manually by an agent 1-3 days later, the subscriber may not make the connection between the plugin installation and the abuse alert.
While there will always be some tasks that have to be handled manually, it is recommended to minimize the number of manual tasks as much as possible. In addition, sending automated email alerts to subscribers quickly prevents volumetric abuse before it even starts.
Identifying the subscriber machines and accounts associated with each incident you receive lets you address subscriber problems quickly before they grow.
See also: How to Avoid Your Service Provider Becoming a Haven of Network Abuse.
Grouping all subscriber incidents into a single case
All your efforts should be prioritized based on the safety of your organization, the internet, and your subscribers.
Subscriber incidents are organized by automation and pulled together under a single case ID, allowing you to quickly understand the entire scope and lifecycle of each subscriber with an issue, make smarter decisions regarding prioritization, and craft the best customer response.
How easy is it for you to see at a glance:
- Severity of incidents
- Frequency of incidents
- Volumetric activity
- History of actions
Example
When you receive a copyright report, is it the 3rd or 6th report or strike?
Are you protecting your safe harbor by restricting bandwidth or terminating service after five previous notices to the subscriber, or is this a manual step?
Understanding each case in detail allows you to better quantify each threat and begin to measure how fast subscribers resolve different types of issues. By applying this feedback loop, you can iterate and automate critical processes further, and craft better customer notifications.
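The three practices above (tagging by abuse type, automatic subscriber identification, and grouping into a single case) form one triage pipeline. The following is an added illustration, not AbuseHQ code: it uses a hypothetical severity ranking, a constructed IP-to-subscriber lookup, and constructed sample reports to show severity-first prioritization, a manual queue for unmatched reports, and an automated copyright strike rule.

```python
from dataclasses import dataclass, field

# Hypothetical harm ranking (lower = handle first): one phishing or
# ransomware report outranks thousands of spam reports.
SEVERITY = {"csam": 0, "ransomware": 1, "phishing": 2, "copyright": 3, "spam": 4}

# Constructed IP -> subscriber account lookup; a real abuse desk would
# resolve the report's IP and timestamp against its RADIUS/DHCP/CRM data.
SUBSCRIBERS = {"203.0.113.10": "acct-1001", "203.0.113.20": "acct-1002",
               "198.51.100.5": "acct-2001"}

# Constructed inbound reports, already tagged with an abuse type.
REPORTS = (
    [{"type": "spam", "ip": "203.0.113.10", "count": 14000},
     {"type": "phishing", "ip": "203.0.113.20", "count": 1},
     {"type": "spam", "ip": "192.0.2.99", "count": 50}]   # no subscriber match
    + [{"type": "copyright", "ip": "198.51.100.5", "count": 1} for _ in range(6)]
)

@dataclass
class Case:
    """All incidents for one subscriber, grouped under a single case."""
    subscriber: str
    incidents: list = field(default_factory=list)
    def severity(self):             # worst incident decides the case rank
        return min(SEVERITY[i["type"]] for i in self.incidents)
    def volume(self):               # volumetric activity across all incidents
        return sum(i["count"] for i in self.incidents)
    def strikes(self, abuse_type):  # how many notices of this type so far
        return sum(1 for i in self.incidents if i["type"] == abuse_type)

def build_cases(reports, subscribers):
    """Map every report to a subscriber; unmatched reports go to a manual queue."""
    cases, manual_queue = {}, []
    for r in reports:
        acct = subscribers.get(r["ip"])
        if acct is None:
            manual_queue.append(r)
            continue
        cases.setdefault(acct, Case(acct)).incidents.append(r)
    return cases, manual_queue

def prioritize(cases):
    """Most severe case first; report volume only breaks ties."""
    return sorted(cases.values(), key=lambda c: (c.severity(), -c.volume()))

def copyright_action(case, max_notices=5):
    """Automated strike rule: restrict once a subscriber exceeds five notices."""
    return "restrict" if case.strikes("copyright") > max_notices else "notify"
```

With these inputs the single phishing report is worked before the 14,000 spam reports, the unmatched report lands in the manual queue rather than being silently dropped, and the sixth copyright notice triggers the restriction automatically.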
Need help?
If you are an ISP or hosting provider who:
- Cannot automatically tag and filter reports and their incidents by the type of abuse.
- Cannot automatically identify the subscriber machine and account associated with every incident.
- Cannot tie all subscriber incidents together under a single case ID.
Then, the bad actors likely have more control over machines in your network than you do.
If you want a streamlined, simple-to-manage SOC and abuse desk, and improved safe harbor, contact us at [email protected] to learn more and arrange a trial of AbuseHQ.