isebellareves3195u

Security Incident and Response Management: The Benefits of a Formal Incident Response Plan



Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen. When computer security incidents occur, it is critical for an organization to have an effective means of managing and responding to them. The speed with which an organization can recognize, analyze, prevent, and respond to an incident will limit the damage done and lower the cost of recovery. This process of identifying, analyzing, and determining an organizational response to computer security incidents is called incident management.1 The staff, resources, and infrastructure used to perform this function make up the incident management capability.


Having an effective incident management capability in place is an important part of the deployment and implementation of any software, hardware, or related business process. Organizations are beginning to realize that communication and interactions between system and software developers and staff performing incident management activities can provide insights for building better infrastructure defenses and response processes to defeat or prevent malicious and unauthorized activity and threats.




Security Incident and Response Management




This content area defines what is meant by incident management and presents some best practices in building an incident management capability. It also takes a look at one particular component of an incident management capability, a computer security incident response team (CSIRT) and discusses its role in the systems development life cycle (SDLC).


Security incident management is the process of identifying, managing, recording and analyzing security threats or incidents in real-time. It seeks to give a robust and comprehensive view of any security issues within an IT infrastructure. A security incident can be anything from an active threat to an attempted intrusion to a successful compromise or data breach. Policy violations and unauthorized access to data such as health, financial, social security numbers, and personally identifiable records are all examples of security incidents.


As cybersecurity threats continue to grow in volume and sophistication, organizations are adopting practices that allow them to rapidly identify, respond to, and mitigate these types of incidents while becoming more resilient and protecting against future incidents.


Security incident management utilizes a combination of appliances, software systems, and human-driven investigation and analysis. The security incident management process typically starts with an alert that an incident has occurred and engagement of the incident response team. From there, incident responders will investigate and analyze the incident to determine its scope, assess damages, and develop a plan for mitigation.


This means that a multi-faceted strategy for security incident management must be implemented to ensure the IT environment is truly secure. ISO/IEC 27035 outlines a five-step process for security incident management, including:


While incident response measures can vary depending on the organization and related business functions, there are general steps that are often taken to manage threats. The first step may start with a full investigation of an anomalous system or irregularity within system, data, or user behavior.


For example, a security incident management team may identify a server that is operating more slowly than normal. From there the team will assess the issue to determine whether the behavior is the result of a security incident. If that proves to be the case, then the incident will be analyzed further; information is collected and documented to figure out the scope of the incident and steps required for resolution, and a detailed report is written of the security incident.


If needed, law enforcement may be involved. If the incident involves exposure or theft of sensitive customer records, then a public announcement may be made with the involvement of executive management and a public relations team.


A strong security incident management process is imperative for reducing recovery costs, potential liabilities, and damage to the victim organization. Organizations should evaluate and select a suite of tools to improve visibility, alerting, and actionability with regard to security incidents.


Incident response management is a systematic strategy that allows an organization to address cybersecurity incidents and security breaches. The goal of incident response is to identify real security incidents, get the situation under control, limit the damage caused by an attacker, and reduce the time and costs of recovery.


Incident response management typically includes formal documentation describing incident response procedures. These procedures should cover the entire incident response process, including preparation, detection, analysis, containment, and post-incident cleanup. By following these procedures, organizations can limit damage, prevent further losses, and comply with applicable regulations.


Following are the primary elements of an incident response management program: an incident response plan, a team responsible for incident response, and tools used to facilitate and automate stages of the process.


Incident response planning should specify in detail how your team should perform the following incident response stages, who is responsible for what, and what documentation and notifications are necessary:


Robust incident response management helps security teams stay calm and take the necessary action while the organization is under attack. An important advantage of an organized incident response management process is that it is immediately clear what needs to be done in the early stages of a crisis. Incident response procedures clarify who is responsible for coordinating all resources in the most effective way possible to mitigate the threat.


Postmortem analysis and documentation, after a security incident has ended, is an important part of effective incident response management. It allows employees to turn crisis events into an organization-wide learning experience.


Periodically, the incident response team should perform an analysis of incident response activities and record metrics like the number of incidents per month, mean time to detection (MTTD) and mean time to resolution (MTTR), and downtime rates for affected systems. Tracking these and other relevant metrics over time can indicate the success of the incident response process.
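As an added illustration (not part of the original post) of how the metrics above can be computed from an incident register, the following script groups constructed sample incidents by month of detection and derives incident count, MTTD, MTTR and downtime; incidents still open are counted but excluded from MTTR so they do not skew it. The `Incident` fields and sample values are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    occurred: datetime            # when the activity began (established during analysis)
    detected: datetime            # when the team first became aware of it
    resolved: Optional[datetime]  # None while the incident is still open
    downtime_hours: float = 0.0   # outage time on affected systems


def hours(delta):
    return delta.total_seconds() / 3600


def monthly_metrics(incidents):
    """Per month of detection: count, MTTD, MTTR (closed incidents only), open count, downtime."""
    by_month = defaultdict(list)
    for inc in incidents:
        by_month[inc.detected.strftime("%Y-%m")].append(inc)
    report = {}
    for month, incs in sorted(by_month.items()):
        closed = [i for i in incs if i.resolved is not None]
        mttd = sum(hours(i.detected - i.occurred) for i in incs) / len(incs)
        # MTTR is undefined for a month in which nothing has been closed yet
        mttr = sum(hours(i.resolved - i.detected) for i in closed) / len(closed) if closed else None
        report[month] = {
            "incidents": len(incs),
            "mttd_hours": round(mttd, 2),
            "mttr_hours": round(mttr, 2) if mttr is not None else None,
            "open": len(incs) - len(closed),
            "downtime_hours": sum(i.downtime_hours for i in incs),
        }
    return report


# Constructed sample register (not real incidents)
SAMPLE = [
    Incident("INC-001", datetime(2024, 1, 3, 8, 0), datetime(2024, 1, 3, 10, 0), datetime(2024, 1, 3, 18, 0), 2.0),
    Incident("INC-002", datetime(2024, 1, 15, 22, 0), datetime(2024, 1, 16, 2, 0), datetime(2024, 1, 17, 2, 0), 0.0),
    Incident("INC-003", datetime(2024, 2, 5, 9, 0), datetime(2024, 2, 5, 9, 30), None, 0.5),
]

if __name__ == "__main__":
    for month, m in monthly_metrics(SAMPLE).items():
        print(month, m)
```

A rising MTTD across months is an early signal that detection coverage is lagging the threat, while a rising MTTR points at containment or recovery procedures that need revisiting.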


To properly prepare for and respond to incidents across your business, your organization must have an incident response team, or an outsourced incident response team from a managed security service provider (MSSP) or managed detection and response (MDR) provider.


Whether in-house, outsourced, or a mix of both, incident response teams include security analysts, engineers, threat researchers, and an incident response manager who is ultimately responsible for managing severe incidents. They work closely with other departments including communications, legal, and human resources.


Cynet provides a holistic solution for cybersecurity, including Cynet Response Orchestration which can automate your incident response policy. Users can define automated playbooks, with pre-set or custom remediation actions for multiple attack scenarios.


Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.


Information security incidents are inevitable. The goal of an effective information security incident management strategy is to process incidents as effectively as possible and minimize the impact of the incident on the institution. If you are just getting started with your information security incident response program, start thinking about the following:


An effective information security incident management program includes 4 basic stages: Preparation; detection and analysis; containment, eradication, and recovery; and post-incident review. The National Institute of Standards and Technology SP 800-61, Computer Security Incident Handling Guide, describes the "Incident Lifecycle" using this flowchart:


There are a number of good industry references for effective information security incident management programs, including the NIST document referenced above and ISO/IEC 27002 domain 16 (Information Security Incident Management). This chapter supplements those resources by providing a high-level overview of incident management approaches from an institutional perspective, a list of recommended tools for incident handlers, links to example practices at selected institutions, and other helpful guidance.


An institution's information security incident response management program is evidenced by policies and incident handling procedures. These documents should be clear and concise, describing the steps all campus members (from end user to incident response staff to leadership) must take in response to an actual or suspected incident. Ideally, these documents are prepared well in advance of being needed. During this preparation stage, the institution identifies the resources needed for incident response capabilities, ensures that it has individuals who are properly trained and ready to respond to information security incidents, and develops and communicates the formal detection and reporting processes to campus.


Thinking about incident response training and education is very important during this preparation stage. Not only do campus end users need to be trained on their reporting roles and responsibilities, but the operational incident response team and campus leadership need to be trained on their roles too. In some instances, members of the incident response team may require specialized training on using forensic analysis or other data examination and recovery tools.


Designing an effective means to detect information security incidents is also essential. Information security incidents can be reported by end users, and they can also be detected (and reported) by trained IT personnel. This is why it is so important that all campus personnel be trained on the proper way to report a suspected information security incident.

