This document describes a Lean project to reduce security incidents reported by an SSIM (security information management) tool. The goals were to identify and reduce incidents, monitor all categories of incidents, and improve tool performance. Initially about 20,000 incidents were reported monthly but only 2 resources could analyze them, leaving many unreported. Through mistake proofing and eliminating waste (muda), redundant rules and incidents were removed and authorized devices were whitelisted. This reduced reported incidents from 550 daily to about 30, allowing full monitoring and RCA. It saved over 970 hours of analysis time per month, avoiding over 5 full-time employees and $290k in costs annually while improving compliance and productivity.

1. SAGNIK PAL
PROGRAM MANAGER,
IT Services, INDIA
: sagnik.pal@gmail.com
: http://in.linkedin.com/in/sagnikpal/
LEAN PROJECT: INCIDENT
REDUCTION
20% 20%

2. Business Case:
< --Customer omitted--> uses SSIM (Symantec Security Information
Manager) tool for Security event correlation. Different categories of security
incidents are reported on a daily basis from the Entire Network
infrastructure.
The number of incidents is approximately 20000 per month
Problem Statement:
• Analyzing of all Security Incidents and reporting is not possible with only 2
resources, lot of genuine incidents are not being reported and further
remediated.
• Other category of Security Incidents are going unreported
• Drop in performance of SSIM due to High Database utilization
• Unwanted escalations due to False Positives
Goal Statement:
• Identify and reduce security incidents in all categories
• All categories of security incidents to be monitored
• Improve the SSIM tool performance & database utilization
LEAN PROJECT OVERVIEW
Business:
< - - Omitted - - >
Stakeholders:
< - - Omitted - - >
Metrics Impacted:
Alerting of Critical Incidents
Methodology Used:
Mistake Proofing, MUDA
In scope:
Monitoring of Security incidents
Out scope:
Remediation of Security incidents
Improvements:
False positives eliminated and only genuine
incidents reported that are monitored and RCA
identified for each incident

3. Post Lean Process:
• Reduction in number of security incidents reported
• RCA can be provided for all incidents in top 5 categories
• Better FTE Utilization with focus on all Security incidents
• Most False positives eliminated
Advantages:
• Reduction in False positive alarms
• All Incidents can be monitored due to lower volume
• RCA for all security incidents and status Report – Timely
Fashion
• Time Reduced for monitoring all incidents and maintaining
daily tracker
Lessons Learned:
False Positives can be kept to a minimum if we fine-tune
rules/queries and exclude authentic devices. Saved time can
be used for value added initiatives in the process.
MUDA in Monitoring can be avoided by simple tweaking and
customization of monitored parameters
Pre Lean Process:
• Many security incidents were unreported
• Difficult to monitor huge volume of security incidents under
all categories on SSIM
• Delay in monitoring due to drop in system performance
Implementation Details:
• Redundant Rules and incidents were deleted
• Authorized devices were white listed, rules were
tweaked/fine tuned to get genuine incidents
• Increased rigor in remediation of infections and follow-up
for installation of patches
Process Controls:
Daily monitoring of all incidents
What is a False Positive in case of Security Incidents?
Any Official ISS Scanner / Qualys / ITAM / CA Unicenter
servers being reported as a malicious source carrying out
Intrusive scans on the network
LEAN PROJECT DETAILS: INCIDENT REDUCTION

4. Pre Lean
3 Mins
2 Mins
5 Mins
Incident
Count =550
Post Lean
Incident
Count =30
LEAN Action : Exclusion of all Official Vulnerability Scanners / ITAM / CA Unicenter servers from respective Rules
Still 30 incidents occur due to either genuine cases or any new servers introduced
E-mails are
sent only for
genuine
incidents
which is 5
VALUE STREAM MAPPING
Send email for incidents with details
Identify if it is a genuine incident
Monitor the incidents
Logon to Jump Box
As per daily task list, need to
monitor SSIM for incidents
START
STOP
3 Mins
2 Mins
5 Mins Send email for incidents with details
Identify if it is a genuine incident
Monitor the incidents
Logon to Jump Box
As per daily task list, need to
monitor SSIM for incidents
START
STOP

5. The Seven Deadly Wastes
Motion
Defects
Inventory
Transportation
Overproduction
Waiting
MonitoringProcess
Product
People
Pre-Lean Post-Lean
550 incidents per day pertaining to
different categories which is a high
volume
Entire shift spent on the monitoring
of all the security incident
Incidents out of any Official ISS
Scanner/ Qualys, ITAM / CA
Unicenter servers being reported as a
malicious source carrying out
Intrusive scans on the network are
eliminated, resulting in only few
incidents
Misses in monitoring of all other
security incidents
Timely monitoring and RCA for all
security incidents
Total time spent per day = 545*5 +
5*10= 2775 man mins
Total time spent per day =
25*5 + 5*10 =175 man mins spend
per day to monitor all incidents
MUDA ANALYSIS

6. Pre LEAN Post LEAN
Item Time in Hrs
FTE Available time per month (22 * 8) 176
Time Spent on incident analysis per month (Pre
LEAN) 1035.98
Time Spent on incident analysis post incident
reduction per month (Post LEAN) 64.24
Effort Saved out of LEAN (Hrs/Month) 971.74
FTE saved 5.51
Cost Savings on FTE Avoidance per annum $ 291522
Compliance : Better focus on analyzing all threats /security incidents due to elimination of false positives
Productivity Saving : 971.74 hrs/month
Item Time in Hrs
Average no. of incidents per day 550
Time taken for analysis of 545
incidents (545*5 mins) per day
46.25
Time taken on sending mails for
genuine incidents (5*10 mins) per day
0.84
Total Time taken per month (22*47.09
hrs)
1035.98
Item Time in Hrs
Average no. of incidents per day 30
Time taken for 30 incidents per day (25*5 + 5*10) 2.92
Total Time taken per month (22 * 2.92 ) 64.24
BENEFIT QUANTIFICATION

7. QUESTIONS / FEEDBACK
If you have a question or a feedback related to
LEAN Implementation, do write to Sagnik Pal at
sagnik.pal@gmail.com

8. Thank You