Responding to Security Incidents. Security incident response is a well-established discipline. Take this journey through a suggested methodology, one step at a time.
Detection. This is where the existence of a security incident is first realised. It may manifest as an alert from a SIEM (Security Information and Event Management) platform, or as a notification from an external party. Are you running a SIEM, or just hoping for the best?
Analysis. Indicators of an incident are studied to determine whether they are genuine rather than false positives. Precursors are often examined too, to see whether they are related. Analysts may need to run further tests and gather additional information to build a more complete picture of the suspected incident. Do you have a Security Operations Centre (SOC) with dedicated analysts?
Prioritisation. In analysing the incident, personnel will quickly seek to understand its impact on the organisation's ability to continue operating, as well as on the confidentiality and integrity of critical information. Prioritising an incident helps management understand the resources that must be committed in the subsequent steps.
Notification. Incident responders need to notify the appropriate personnel within the organisation. The organisation itself may need to notify external parties, such as customers, business partners, regulators, law enforcement or the public, and regulators in particular often impose a fixed deadline for doing so. Typically, the decision to notify any external party rests with a senior executive. Who in your organisation makes that decision? Is the board aware that it is responsible?
Containment and Forensics. Incident responders, and possibly other personnel, begin taking steps to halt the incident in progress: short-term changes that stop the activity and help prevent it from recurring. At the same time, it may be necessary to begin collecting forensic evidence for possible future legal proceedings, which means preserving that evidence, with a chain of custody, before containment actions such as rebuilding or powering off a host destroy it. Do you have a solicitor who understands this? Do you have people with the technical skills to unravel it, or know where to get them? Can you parachute a specialist in at short notice?
Recovery. Here, incident responders remove malware, rebuild systems, restore from backups, patch systems and take steps to prevent similar incidents from happening again. Have you tested that your backups can actually be restored, and how long that takes?
Incident Review. The purpose of a post-incident review is to look back over the steps leading to detection, and over the response itself. This identifies what went well, as well as opportunities to improve systems, tools, processes and personnel training. The idea is to prevent recurrence and to respond better next time. Would you do this? Who captures the lessons identified, and who makes sure they become lessons learnt?
Just a few things to think about.