Incident Management - Lumu Portal

Incidents

Effective incident analysis is at the core of proficient cybersecurity operation, for that reason, the Lumu Portal offers a centralized and intuitive way to manage your incidents, track their statuses, and review which incidents have been solved—for simpler and faster activation of response processes.

In this view of the Lumu Portal, you can stay up to date with and manage incidents in an easy-to-read dashboard with details on the activity and distribution of the Indicators of Compromise (IoC) that Lumu has identified in your organization. 

What is an Incident?

According to NIST, an incident is an occurrence that results in actual or potential exposure of the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits. 

Lumu groups related adversarial activity and displays them as a single incident so you can focus on solving specific occurrences without getting lost in a sea of apparently unrelated malicious contacts.

Incidents Operation

In this section of the Lumu Portal, you have a summary of the accumulated adversarial activity, such as the number of Open Incidents (1), Total Contacts (2), Endpoints Affected (3), and Affected Labels (4). On the right hand panel, called Operational Metrics, you will find the number of New Incidents (5), Closed Incidents (6), Muted Incidents (7), Average Daily Incidents (per week) (8), Mean Time To Respond - MTTR (9), and Average Resolution Time (10).

For Lumu Defender customers, the panel offers details on one of Lumu Defender’s additional features, Automatic Response. These are Total Incidents Automatically Responded To (11), and New Incidents Automatically Responded To (12).


Incidents Details

For each incident, you have the number of labels and endpoints affected and the total of contacts from that adversary. You can navigate this panel using the State of Incident filter (1).

These are listed in order as Lumu gathers and categorizes information and displays them in the Lumu Portal for you to analyze. You can filter incidents by threat type, number of endpoints affected, label, date of creation, or if it is playback related. For further reading on all the available filters, please refer to this article.

Lumu Defender customers can see whether or not the incident has been automatically responded to by the Automatic Response feature, and its current status.


Labels

Labels allow you to categorize and filter your traffic by geography, network segment, device, domain, critical assets, or as needed. Each label’s importance is unique for your organization. That’s why labels include a business relevance option to help you make faster, data-supported decisions.

Labels are a very powerful tool to classify and sort incidents.To use the full potential of Lumu's incident view, we strongly recommend reading our Labels article to learn more about this feature. You can find it here.

Incident Details

Clicking on an Incident, you will see the following panel. Here, you will see a general description of the Incident (1), its status (2), and the activity surrounding that Incident. For a more in-depth view of this panel, consult our Incident Details article.



On the right, you will see the Operation Timeline , detailing the actions that have been taken by your organization regarding a specific incident in chronological order, with the most recent interaction at the top..

Here, Lumu Defender customers will find which integrations had an active role in the Automated Response process.

 

Take Action

By selecting this option, you will be able to see the different stages an incident is in, and begin the process of tackling the incident based on the stage of your organization’s response. 

In the next section, we will learn about these statuses and how they are used. 

Incident Management

By default, each new incident will be categorized as “Open”, which in itself can be “Open Pending” or “Open In Progress” depending on whether or not the incident is already being evaluated.

 For each incident, you have the option to mark it as “In Progress”, close it, or mute it, as well as to download the incident’s information as a STIX report. You can also access this menu by using the Take Action option in the Incident Details view.



The following figure represents an Incident lifecycle in the Lumu Portal:

Mute Incidents

Use this option to stop new notifications of contacts from a specific adversary. First, you must select a reason to mute the incident. Here, you can choose whether to flag it as not relevant for your organization or to report it as a false positive . If you report it as a false positive, you must provide all the details and supporting evidence for why you believe it to be a false positive.

Once an incident is reported as a false positive, Lumu will investigate it and answer accordingly. Be aware that all incidents from the reported adversary are automatically muted when reported.

Be aware that this option applies to all further malicious activity from that adversary. Contacts from this adversary will continue to accumulate, but your company will not receive any further notifications.

When selecting this option, you will be requested to leave a comment informing the reason you are taking this action. The comment will be recorded, stored in the incident and shown in the Operation Timeline, then, the incident will be moved to the “Muted” tab.

Unmute Incident

Use the option to unmute an incident that was marked as muted. 

This option is available only for muted incidents. After closing an incident, it can not be reopened.

When unmuting an incident, please leave a comment listing the actions taken or any information related to the incident unmuting. That comment will be recorded, stored in the incident and shown in the Operation Timeline, then, the incident will be moved to the “Open” tab. 


Close Incident

Use this option to mark an incident as closed after you finalized working on the case. 

This action can not be undone. After closing an incident, it can not be reopened.

When closing an incident, please leave a comment listing the actions taken or any information related to the incident closure. That comment will be recorded, stored in the incident and shown in the Operation Timeline, then, it will be moved to the “Closed” tab. 

Incident Response

We recommend being familiar with Lumu’s Incident Response Playbooks that are based on the National Institute of Standards and Technology (NIST) Framework and include best practices for how to use Lumu to respond to specific attacks.

Know more about the Lumu Portal:


        • Related Articles

        • Lumu Portal

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. The Lumu ...
        • Lumu Email Intelligence

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. In this ...
        • Lumu Autopilot

          In today’s rapidly evolving digital environment, prompt and effective responses to security threats are essential. Lumu Autopilot simplifies the entire incident management process, reducing human error and optimizing resource allocation. By utilizing ...
        • Lumu Playback

          The cybersecurity industry has developed numerous methods to defend against zero-day threats and emerging attacks. However, many attacks still slip through undetected due to the increasingly sophisticated evasion tactics employed by cybercriminals. A ...
        • Lumu Portal Two-Factor Authentication

          The Lumu Portal offers secure login alternatives through the use of two-factor authentication (2FA), in this case, One-time Password (OTP) on top of your account password. You can use the Authenticator app you prefer, such as Google Authenticator and ...