Incident Response (IR) Revamp
Introduction
Incident response (IR) is a structured approach to managing and limiting the impact of an attack or security breach. The main aim of IR is to reduce the overall damage caused by a breach in a cost-effective manner and to minimize the time needed to restore normal operations.
The success of incident response depends to a great degree on personnel and team structure, tools and utilities, and proper procedures. This paper sets out the main efforts needed to revamp incident response in an organization, addressing each of these areas so that appropriate technology, best practices and sound procedures are put to work for the benefit of the organization.
Incident response plan / best practices
The first step in the procedure is preparation. All members of the incident response team will be trained to use the intrusion detection system (IDS) and intrusion prevention system (IPS). The organization's success in detecting a security breach depends on the IR team being prepared to recognize and respond to it in a timely manner (Harrald, 2006). At this stage, potential threats such as targeted attacks and malicious software are examined to identify their behaviors and the damage they could do to the organization's systems.
The second step is identification: detecting and confirming a security breach. In this stage the team determines which type of breach is under way and assigns it a risk level based on the degree of damage it can inflict.
The third stage, containment and remedy, involves designing a proper strategy to handle the threat that has been identified. The team should iterate between the identification and containment stages so that the containment plan is based on the findings of the second stage (Harrald, 2006). The Security Information and Event Management (SIEM) system correlates the relevant alerts and log events and points the team to the source of the attack; the responders then block the IP addresses initiating the attack at the firewall or IPS.
The fourth stage is eradication of the compromise. Once the breach has been confirmed, the affected systems are isolated from the network for analysis and, where possible, cleaned or rebuilt and returned to service (Harrald, 2006). This stage also involves finding the root cause of the breach and reviewing key performance indicators of the organization's systems after the breach.
The fifth stage, recovery, involves restoring the various systems to production after careful examination has established that the threat has been removed and no further signs of compromise remain.
Finally, the lessons learned stage involves producing an incident report that details the steps and measures taken, so that future breaches can be contained and eradicated faster.
Define mission statement
As the manager of the IRT, it is important to articulate a mission statement for IR that reinforces the team's purpose and ensures coordination and cohesion among its members (Mandia, 2001). The mission statement spells out the objectives of the team and defines the roles and obligations of its members so that incidents are responded to and mitigated properly.
Establish a contact person
The incident response team will have one contact person in constant communication with the entire team who relays information about security breaches. The contact person also coordinates the team by assigning roles and duties to its members (Harrald, 2006). Having a single contact person reduces the margin for error and limits the effect of spurious or fraudulent calls. The contact person is the channel of communication to the rest of the team and ensures that all contacts are kept in a directory with a unique tracking number so they can be located easily.
Implement IR policies
Developing policies can be hard, but it is necessary to ensure a proper workflow and culture within the IR team. It is fundamentally important to design the policy before forming the IR team that will monitor and oversee the organization's security systems (Mandia, 2001). The policy should determine how much information is released, and to whom, so that appropriate measures can be taken by law enforcement and by departments within the organization without further exposing sensitive information. The policy should also document the IR team's working procedures and operating manuals. In addition, role-play exercises help team members understand the tasks and duties involved in detecting and containing a security breach.
Intrusion detection system (IDS) and intrusion prevention system (IPS)
An intrusion detection system (IDS) is a software application or appliance that analyzes network traffic within an organization for signs of malicious activity such as attacks and malware. An IPS performs the additional, active function of blocking malicious traffic before it can damage the organization's network: it sits inline, monitors packets and flows, drops or resets traffic that matches a rule, and notifies the administrator of the potential threat so that further containment measures can be taken. Both work by analyzing packets and traffic on the network and comparing them against a database of threat signatures and against a baseline of normal network behavior. The systems also assign a severity to each detection so that the team can compare and prioritize alerts as malicious activity escalates.
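The following added example (written for this revision, not taken from any IDS/IPS product) illustrates the two detection methods described above and the difference between IDS and IPS behaviour: a small signature database is matched against packet payloads, a behavioural rule flags a source that touches too many ports, and the same inspector either only records an alert (IDS mode) or also drops the packet (IPS mode). The signatures, the port-scan threshold, and the packets are constructed for illustration.

```python
"""Added example: minimal signature- and behaviour-based inspector showing
IDS (alert only) versus IPS (alert and drop). Signatures, threshold and
packets are constructed for illustration, not a real rule set."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature "database": (rule id, severity, compiled pattern).
SIGNATURES = [
    ("SQLI-001", "high", re.compile(rb"(?i)union\s+select")),
    ("WEBSHELL-002", "high", re.compile(rb"(?i)cmd\.exe|/bin/sh")),
    ("SCAN-003", "low", re.compile(rb"(?i)user-agent:\s*(nikto|sqlmap)")),
]

# Behavioural rule (assumed value): one source contacting more than this
# many distinct destination ports is treated as a port scan.
PORT_SCAN_THRESHOLD = 5


@dataclass
class Inspector:
    mode: str = "ids"  # "ids" = alert only, "ips" = alert and drop
    alerts: list = field(default_factory=list)
    ports_seen: dict = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> str:
        """Inspect one packet; return the verdict 'pass' or 'drop'."""
        hits = []
        # Signature matching against the payload.
        for rule_id, severity, pattern in SIGNATURES:
            if pattern.search(pkt.payload):
                hits.append((rule_id, severity))
        # Behavioural check: distinct destination ports per source.
        self.ports_seen.setdefault(pkt.src, set()).add(pkt.dport)
        if len(self.ports_seen[pkt.src]) > PORT_SCAN_THRESHOLD:
            hits.append(("BEHAV-PORTSCAN", "medium"))
        for rule_id, severity in hits:
            self.alerts.append(
                {"src": pkt.src, "dport": pkt.dport, "rule": rule_id, "severity": severity}
            )
        # Only an inline IPS is allowed to change the verdict.
        if hits and self.mode == "ips":
            return "drop"
        return "pass"


def run(mode: str, packets):
    """Feed packets through one inspector; return (verdicts, alerts)."""
    insp = Inspector(mode=mode)
    verdicts = [insp.inspect(p) for p in packets]
    return verdicts, insp.alerts


if __name__ == "__main__":
    sqli = Packet("203.0.113.7", "192.0.2.20", 80, b"GET /?id=1 UNION SELECT 1 HTTP/1.1")
    print("IDS:", run("ids", [sqli])[0])
    print("IPS:", run("ips", [sqli])[0])
```

In IDS mode the SQL injection packet is still passed to the destination and only an alert is raised for the team to act on; in IPS mode the same match drops the packet inline. The port-scan rule shows the behavioural side: the first five packets from a scanning host pass, and every further packet is flagged (and, in IPS mode, dropped).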
NIST SP 800-61 (Computer Security Incident Handling Guide)
This is the computer security incident handling guide developed by the National Institute of Standards and Technology (NIST) to help organizations identify and mitigate cyber threats as well as develop procedures and an IR team (Regenscheid & Scarfone, 2011). The guide describes common attack vectors and the incident handling lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity), so the organization can use it as a reference manual when designing and implementing procedures that detect and mitigate threats swiftly (Regenscheid & Scarfone, 2011). It can also help the organization implement relevant policies effectively and efficiently.
Log management system
A log management system collects and stores logs from across the environment; a Security Information and Event Management (SIEM) system builds on log management by normalizing events, categorizing them and correlating them across sources to generate alerts and reports on potentially malicious activity. Without centralized log management, the various logs in the environment cannot be monitored together, which may allow an intruder to enter the network and collect information without being noticed. It is also harder to monitor network events when they are scattered across separate systems, whereas a log management system lets you monitor all systems at once.
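The following added example (written for this revision, not taken from any SIEM product or from the paper) shows what the log management and containment passages describe in working code: raw lines from two different log sources are normalized into one event schema, categorized, correlated per source IP, and the sources whose accumulated score crosses a threshold are turned into firewall rules that the responders would apply to block the attacking addresses. The log lines, the category weights, the block threshold, and the assumption of an nftables table named `inet filter` with an `input` chain are all constructed for illustration.

```python
"""Added example: SIEM-style normalization, categorization and correlation
over constructed syslog lines, producing containment actions (firewall
rules) for sources that cross a risk threshold. All sample data, weights
and the nftables table/chain names are assumptions for illustration."""
import re
from collections import defaultdict

# Constructed sample log lines: sshd auth log and a web server access log.
SAMPLE_LOGS = """\
Mar 10 09:12:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:03 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:12:05 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 09:12:09 bastion sshd[2201]: Accepted password for alice from 192.0.2.10 port 40010 ssh2
Mar 10 09:13:00 bastion sshd[2208]: Failed password for root from 203.0.113.7 port 51030 ssh2
203.0.113.7 - - [10/Mar/2024:09:13:12 +0000] "GET /admin.php?id=1%20UNION%20SELECT HTTP/1.1" 403 512
198.51.100.4 - - [10/Mar/2024:09:13:15 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\d+\.\d+\.\d+\.\d+)"
)
WEB_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed scoring: each category carries a weight; a source whose total
# reaches BLOCK_SCORE is proposed for containment.
WEIGHTS = {"auth_failure": 2, "web_attack": 5, "web_denied": 1, "auth_success": 0, "web_ok": 0}
BLOCK_SCORE = 8


def normalise(line: str):
    """Map one raw log line to a common event dict, or None if unrecognised."""
    m = SSHD_RE.search(line)
    if m:
        outcome, user, src = m.groups()
        category = "auth_failure" if outcome == "Failed" else "auth_success"
        return {"src": src, "category": category, "detail": f"user={user}"}
    m = WEB_RE.match(line)
    if m:
        src, method, path, status = m.groups()
        if re.search(r"(?i)union(%20|\s)+select", path):
            category = "web_attack"
        elif status.startswith("4"):
            category = "web_denied"
        else:
            category = "web_ok"
        return {"src": src, "category": category, "detail": f"{method} {path} {status}"}
    return None


def correlate(lines):
    """Aggregate normalised events per source IP and compute a risk score."""
    per_src = defaultdict(lambda: {"score": 0, "categories": defaultdict(int)})
    for line in lines:
        event = normalise(line)
        if event is None:
            continue  # unparsed lines would be counted/reported in a real SIEM
        per_src[event["src"]]["score"] += WEIGHTS[event["category"]]
        per_src[event["src"]]["categories"][event["category"]] += 1
    return per_src


def containment_actions(per_src):
    """Return nftables rules (assumed table 'inet filter', chain 'input')
    that drop traffic from every source at or above BLOCK_SCORE."""
    return [
        f"nft add rule inet filter input ip saddr {src} drop"
        for src, info in sorted(per_src.items())
        if info["score"] >= BLOCK_SCORE
    ]


if __name__ == "__main__":
    summary = correlate(SAMPLE_LOGS.splitlines())
    for src, info in sorted(summary.items()):
        print(src, info["score"], dict(info["categories"]))
    for rule in containment_actions(summary):
        print("CONTAIN:", rule)
```

Correlation is what turns four individually unremarkable failed logins and one blocked web request into a single high-score source; the blocking rule is then applied by the responder at the firewall (or pushed to the IPS), which is where containment actually happens. The SIEM only proposes the action.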
References
Harrald, J. R. (2006). Agility and discipline: Critical success factors for disaster response. The Annals of the American Academy of Political and Social Science, 604(1), 256-272.
Mandia, K. (2001). Incident Response: Investigating Computer Crime. McGraw-Hill Professional.
Regenscheid, A., & Scarfone, K. (2011). Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-155.