Part 5 of our Field Guide to Incident Response Series outlines 5 steps that companies should follow in their incident response efforts.

Incident response is a process, not an isolated event. For incident response to be successful, teams should take a coordinated and organized approach to any incident. There are five important steps that every response program should cover in order to effectively address the wide range of security incidents a company could experience. The video clip below discusses the first three steps of incident response and is taken from our webinar, Incident Responder's Field Guide - Lessons from a Fortune 100 Incident Responder. To listen to all five steps, watch the full webinar here.

1. Preparation

Preparation is the key to effective incident response. Even the best incident response team cannot effectively address an incident without predetermined guidelines. A strong plan must be in place to support your team. In order to successfully address security events, these features should be included in an incident response plan:
The following resources may help you develop a plan that meets your company’s requirements:
2. Detection and Reporting

The focus of this phase is to monitor security events in order to detect, alert on, and report potential security incidents.

3. Triage and Analysis

The bulk of the effort in properly scoping and understanding the security incident takes place during this step. Analysts should use the available tools and systems to collect data for further analysis and to identify indicators of compromise. Team members should have in-depth skills and a detailed understanding of live system response, digital forensics, memory analysis, and malware analysis. As evidence is collected, analysts should focus on three primary areas:

4. Containment and Neutralization

This is one of the most critical stages of incident response. The strategy for containment and neutralization is based on the intelligence and indicators of compromise gathered during the analysis phase. After the system is restored and security is verified, normal operations can resume.

5. Post-Incident Activity

There is more work to be done after the incident is resolved. Be sure to properly document any information that can be used to prevent similar occurrences in the future.
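The steps above can be read as a pipeline: detection raises alerts, triage groups them into a scoped picture of which hosts are affected, containment decisions follow from that picture, and the post-incident record captures what was seen and done. The following is an added example, not code from the original post or the webinar, that walks a handful of constructed log lines through those four steps. The log lines, host names and indicators of compromise are all made up for the example (RFC 5737 documentation addresses, the reserved .example domain and a placeholder hash); the containment rule (isolate on known-bad execution or multiple indicator types, otherwise block egress and monitor) is an illustrative policy, not a recommendation from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicators of compromise; placeholders, not real threat intelligence.
PLACEHOLDER_HASH = "a" * 64
IOCS = {
    "ip": {"198.51.100.23"},              # RFC 5737 documentation address
    "domain": {"update-check.example"},   # reserved .example TLD
    "sha256": {PLACEHOLDER_HASH},         # placeholder file hash
}

# Constructed log lines in the form "<timestamp> <host> <message>".
SAMPLE_LOGS = [
    "2024-01-10T08:01:02Z ws-17 dns query name=update-check.example",
    "2024-01-10T08:01:05Z ws-17 net connect dst=198.51.100.23:443",
    f"2024-01-10T08:02:11Z ws-17 proc exec sha256={PLACEHOLDER_HASH} path=C:\\Users\\Public\\svc.exe",
    "2024-01-10T08:05:00Z ws-22 net connect dst=203.0.113.9:443",
    "2024-01-10T08:09:40Z srv-db net connect dst=198.51.100.23:8443",
    "###corrupt###",  # unparseable line, skipped by the parser
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.+)$")
# Tokens are runs of letters, digits, dots and dashes, so an IP such as
# 198.51.100.23 is matched whole and does not match 198.51.100.234.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    ioc_type: str
    value: str
    raw: str


def detect(lines):
    """Step 2, detection: compare each log line's tokens against the IoC sets."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # a real pipeline would count unparseable lines for review
        tokens = set(TOKEN_RE.findall(m["msg"]))
        for ioc_type, values in IOCS.items():
            for hit in sorted(tokens & values):
                alerts.append(Alert(m["ts"], m["host"], ioc_type, hit, line))
    return alerts


def triage(alerts):
    """Step 3, triage: scope the incident by grouping alerts per host in time order."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):  # ISO 8601 strings sort chronologically
        by_host[a.host].append(a)
    return dict(by_host)


def containment_plan(scope):
    """Step 4, containment: decide an action per host from the evidence gathered."""
    plan = {}
    for host, host_alerts in scope.items():
        kinds = {a.ioc_type for a in host_alerts}
        if "sha256" in kinds or len(kinds) >= 2:
            plan[host] = "isolate"            # known-bad execution or several indicator types
        else:
            plan[host] = "block-and-monitor"  # single network indicator: block egress, watch host
    return plan


def post_incident_report(scope, plan):
    """Step 5, post-incident: record what was observed and what was done."""
    all_alerts = [a for host_alerts in scope.values() for a in host_alerts]
    if not all_alerts:
        return {"affected_hosts": [], "iocs_observed": [], "actions": {}}
    return {
        "first_seen": min(a.ts for a in all_alerts),
        "last_seen": max(a.ts for a in all_alerts),
        "affected_hosts": sorted(scope),
        "iocs_observed": sorted({(a.ioc_type, a.value) for a in all_alerts}),
        "actions": plan,
    }


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    scoped = triage(found)
    actions = containment_plan(scoped)
    for host, action in actions.items():
        print(f"{host}: {action}")
    print(post_incident_report(scoped, actions))
```

Run as-is, the sample produces four alerts on two hosts: ws-17 shows a DNS lookup, an outbound connection and an execution all tied to indicators, so it is marked for isolation, while srv-db shows only a single outbound connection and is marked for egress blocking and monitoring; ws-22 connected to an address that is not in the indicator list and stays out of scope. The report dictionary is the starting point for the documentation step, with the first and last observed times bounding the incident window.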
For more tips and information on incident response, download our free eBook, The Incident Responder’s Field Guide – Tips from a Fortune 100 Incident Responder. Read more in our Field Guide to Incident Response Series
What is the first step in handling an incident?
Detect the incident. Before you can take any action, you have to be aware that an incident occurred in the first place.

What is the first rule of incident response investigation?
The first rule of incident response is "do no harm".

What is the first step in security incident management?
Preparation is the first step in the creation of an incident response plan, and it involves trying to think about all the possible threat scenarios that could affect the attributes of a specific asset and the appropriate response to each of these scenarios.

What should an incident response team do when they are notified of a potential incident?
When the incident response team is notified of a potential incident, its first steps are to confirm the existence, scope, and magnitude of the event and then respond accordingly.