Incident Identification
Updated Jan 30, 2024
Overview
The incident response process involves continuous monitoring after a plan is established and a team is prepared.
- Monitoring is key to detecting signs of incidents.
- This ensures the organization is always vigilant for ongoing or past events.
Incident Identification
The ability to identify an incident relies on robust security infrastructure.
- Security monitoring helps detect potential incidents.
- Data collection, analysis, and retention are essential for timely identification.
Information Sources
Various tools and systems provide critical data for identifying security incidents.
- Intrusion detection and prevention systems
- Firewalls
- Authentication systems
- System integrity monitors
- Vulnerability scanners
- System event logs
- NetFlow connection records
- Anti-malware packages
SIEM
Security Incident and Event Management (SIEM) aids in handling the large amount of data generated by security systems.
- SIEM systems act as centralized repositories for log data.
- They assist in correlating and analyzing massive volumes of log data.
- Detection is enhanced by SIEM’s rule-based and algorithmic approaches.
For more information, please see SIEM.
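As an added example (not part of the original notes, and not any particular SIEM product's code), the following script shows the rule-based correlation the notes describe: events from three of the information sources listed above (authentication system, NetFlow records, firewall) are normalized into one event model, a rule flags repeated failed logins followed by a success from the same source, and a second rule cross-references NetFlow records against the sources the first rule flagged. All log lines, hostnames and addresses are constructed for illustration; the thresholds and windows are assumptions.

```python
"""Miniature SIEM-style correlation over constructed log lines.
Added example, not code from the original page; every log line, address
and threshold below is constructed or assumed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (auth, netflow, firewall).
SAMPLE_LOGS = """\
auth 2024-01-30T10:00:01 src=203.0.113.7 user=alice result=FAIL
auth 2024-01-30T10:00:04 src=203.0.113.7 user=alice result=FAIL
auth 2024-01-30T10:00:08 src=203.0.113.7 user=alice result=FAIL
auth 2024-01-30T10:00:11 src=203.0.113.7 user=alice result=FAIL
auth 2024-01-30T10:00:15 src=203.0.113.7 user=alice result=FAIL
auth 2024-01-30T10:00:20 src=203.0.113.7 user=alice result=SUCCESS
netflow 2024-01-30T10:02:00 src=10.0.0.5 dst=203.0.113.7 dport=4444 bytes=52000000
auth 2024-01-30T10:05:00 src=10.0.0.9 user=bob result=FAIL
auth 2024-01-30T10:05:30 src=10.0.0.9 user=bob result=SUCCESS
firewall 2024-01-30T10:06:00 src=10.0.0.5 dst=198.51.100.3 dport=443 action=ALLOW
"""

LINE_RE = re.compile(r"^(?P<source>\w+) (?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Normalize one '<source> <timestamp> k=v k=v ...' line into a dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"source": m.group("source"),
             "ts": datetime.fromisoformat(m.group("ts"))}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one source within
    `window`, followed by a success from that source -> likely credential
    compromise. Thresholds are assumed values, not a standard."""
    alerts = []
    fails = defaultdict(list)  # source address -> recent failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["source"] != "auth":
            continue
        src = e["src"]
        # Drop failures that fell out of the sliding window.
        fails[src] = [t for t in fails[src] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails[src].append(e["ts"])
        elif e["result"] == "SUCCESS" and len(fails[src]) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src": src,
                           "user": e["user"], "ts": e["ts"]})
            fails[src].clear()
    return alerts


def rule_large_outbound_to_flagged(events, flagged_sources, min_bytes=10_000_000):
    """Cross-source rule: a NetFlow record showing a large transfer to an
    address another rule already flagged -> possible data exfiltration."""
    alerts = []
    for e in events:
        if (e["source"] == "netflow" and e["dst"] in flagged_sources
                and int(e["bytes"]) >= min_bytes):
            alerts.append({"rule": "large_outbound_to_flagged", "src": e["src"],
                           "dst": e["dst"], "bytes": int(e["bytes"]), "ts": e["ts"]})
    return alerts


def correlate(text):
    """Run the rules in order so later rules can use earlier findings."""
    events = parse_logs(text)
    alerts = rule_bruteforce_then_success(events)
    flagged = {a["src"] for a in alerts}
    alerts += rule_large_outbound_to_flagged(events, flagged)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample data, bob's single failure followed by a success stays below the threshold and produces nothing, while alice's five failures and success from 203.0.113.7 raise one alert, and the NetFlow record of a 52 MB transfer to that same address then raises a second. The point of the second rule is the one the notes make about SIEM: neither the authentication log nor the NetFlow record is alarming on its own; the correlation across sources is what turns them into an identifiable incident.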
External Sources
Not all incidents are detected internally; some come from external reports.
- External reports may come from employees, customers, or other organizations.
- Examples include personal information being exposed or systems acting maliciously.
First Responder Responsibilities
The team member who first detects an incident has special responsibilities to minimize damage.
- Act quickly to contain damage.
- Isolate compromised systems from the network to prevent further harm.
- Keep the system running to preserve evidence, while cutting off its ability to communicate with attackers.
Containment Strategy
Containing the damage from a security incident is the highest priority.
- Quarantine systems by disconnecting them from the network.
- Focus on isolation to prevent the incident from spreading.