Security incident calculators

Security incident calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated.

The Security Incident Response base system includes the following security incident calculator groups and calculators. Within each group, the first calculator that matches the conditions will run.

Table 1. Security incident calculators in the base system

Group: Business Criticality
  Calculator: Aggregate from Severity Calculators
  Description: This calculator delegates to the Security Criticality Calculator that determines criticality by weighing the values of other fields.

Group: Severity
  Calculator: Business Impacted
  Description: This severity calculator defines its selection criteria using a simple condition builder. If the affected resource in the security incident is associated with the Sales, Finance, or HR business units, the Severity field will be elevated to 1 - High.

  Calculator: Critical service affected
  Description: This severity calculator defines its selection criteria using an advanced condition. If the affected resource in the security incident is associated with a highly critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.

  Calculator: Critical service changes
  Description: This severity calculator defines its selection criteria using an advanced condition. If the security incident meets the conditions, a script runs to define what levels the fields should be elevated to. If the affected resource in the security incident is associated with a most critical or somewhat critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.

  Calculator: Multi Attack Vectors
  Description: This severity calculator defines its selection criteria using a simple condition builder. If the affected resource in the security incident is associated with web, email, and impersonation attack vectors, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.

When you create a new security incident, the Risk, Impact, Priority, and Severity fields contain default values. When you save the incident, a business rule automatically validates the information in the security incident against the conditions defined in each of your active severity calculators. They are validated one severity calculator at a time, in the order defined by the Order field in each calculator. If the information in the security incident matches the conditions defined in one of the calculators, the severity field values are updated according to the rules set up in that calculator, and no later calculator in the group is evaluated.

For example, assume you create a security incident for an affected CI, and the CI is highly critical. When the security incident is saved, the CI information is compared to the conditions defined in the severity calculators. When the security incident is validated against the Critical service affected severity calculator, the severity fields are automatically updated, and a message similar to the following appears at the top of the security incident.

You can use these severity calculators as is or you can edit them to more closely meet the needs of your business. For example, if you want to identify web and email threats that are specific to the Finance business unit, you can make these changes to the conditions of the Multi Attack Vectors calculator:
  • [Attack Vector] [contains] [Web]
  • [Attack Vector] [contains] [Email]
  • [Business Unit] [contains] [Finance]
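The following standalone JavaScript models the evaluation described above (ordered calculators, first match runs) and the customised Multi Attack Vectors condition just listed. It is an added example, not ServiceNow code: the field names, the Order values, the exact levels each calculator elevates to, the rule that a field is never moved to a less severe level, and the constructed incident are all assumptions made for the illustration. It also shows why the Order field matters: an incident that satisfies several calculators at once is handled only by the first one in order.

```javascript
// Standalone model of how Security Incident Response applies its ordered
// severity calculators to one security incident. Added illustration, not
// ServiceNow code; field names, Order values and the constructed incident
// below are assumptions for the example.
// Convention taken from the page: 1 = High, so a lower number is more severe.

const DEFAULTS = { risk: 3, impact: 3, priority: 4, severity: 3 };

// Case-insensitive "contains" over a list-type field such as Attack Vector.
function contains(listValue, needle) {
  return (listValue || []).some(v => v.toLowerCase() === needle.toLowerCase());
}

// The four base-system severity calculators. Order values and the levels
// each one elevates to are constructed; the page only says the fields are
// "elevated as defined by the calculator".
function baseCalculators() {
  return [
    { name: 'Business Impacted', order: 100,
      condition: inc => ['Sales', 'Finance', 'HR'].some(bu => contains(inc.businessUnits, bu)),
      elevate: { severity: 1 } },
    { name: 'Critical service affected', order: 200,
      condition: inc => inc.businessServiceCriticality === 'highly critical',
      elevate: { risk: 1, impact: 1, priority: 1, severity: 1 } },
    { name: 'Critical service changes', order: 300,
      condition: inc => ['most critical', 'somewhat critical'].includes(inc.businessServiceCriticality),
      elevate: { risk: 2, impact: 2, priority: 2, severity: 2 } },
    { name: 'Multi Attack Vectors', order: 400,
      condition: inc => ['Web', 'Email', 'Impersonation'].every(av => contains(inc.attackVectors, av)),
      elevate: { risk: 2, impact: 2, priority: 2, severity: 2 } },
  ];
}

// Evaluate calculators in ascending Order; the first whose condition matches
// runs, and no later calculator is consulted. A field is only ever moved to
// a more severe level (assumption: "elevate" never downgrades).
function applySeverityCalculators(incident, calculators) {
  const fields = { ...DEFAULTS, ...(incident.fields || {}) };
  const ordered = [...calculators].sort((a, b) => a.order - b.order);
  for (const calc of ordered) {
    if (!calc.condition(incident)) continue;
    for (const [field, level] of Object.entries(calc.elevate)) {
      fields[field] = Math.min(fields[field], level);
    }
    return { matched: calc.name, fields };
  }
  return { matched: null, fields };
}

// The customised Multi Attack Vectors condition from the page:
// [Attack Vector] contains Web, [Attack Vector] contains Email,
// [Business Unit] contains Finance.
function financeWebEmailCondition(inc) {
  return contains(inc.attackVectors, 'Web')
    && contains(inc.attackVectors, 'Email')
    && contains(inc.businessUnits, 'Finance');
}

// Constructed incident: Finance-owned CI on a highly critical service, hit
// over web and email. It satisfies three of the calculators at once.
const constructedIncident = {
  businessUnits: ['Finance'],
  businessServiceCriticality: 'highly critical',
  attackVectors: ['Web', 'Email'],
};

// Base order: Business Impacted (Order 100) matches first, so only Severity
// moves; Risk, Impact and Priority keep their defaults even though the
// service is highly critical.
function runBaseOrder() {
  return applySeverityCalculators(constructedIncident, baseCalculators());
}

// Moving Critical service affected ahead of Business Impacted changes the
// outcome: all four fields are elevated to 1.
function runReordered() {
  const calcs = baseCalculators();
  calcs.find(c => c.name === 'Critical service affected').order = 50;
  return applySeverityCalculators(constructedIncident, calcs);
}

// Customised Multi Attack Vectors, placed first so it is the one that runs.
function runCustomised() {
  const calcs = baseCalculators();
  const multi = calcs.find(c => c.name === 'Multi Attack Vectors');
  multi.condition = financeWebEmailCondition;
  multi.order = 50;
  return applySeverityCalculators(constructedIncident, calcs);
}

console.log(runBaseOrder());
console.log(runReordered());
console.log(runCustomised());
```

The three runs differ only in the Order values, not in the incident: when you add or edit a calculator, check where it sits relative to the base-system ones, because a broad condition early in the order (here, Business Impacted matching any Finance record) prevents a more specific calculator from ever elevating Risk, Impact, or Priority.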

You can also update the severity values in an existing security incident at any time by opening the record and clicking the Calculate Severity related link.