CHAPTER 5

How do you respond to an incident?

The constant cycle of organizations trying to stay ahead of attackers and attackers finding new ways to get the upper hand makes it difficult for organizations to ensure the security of their network and data. The evolution of new types of attacks only adds to this complexity. The best way to combat this never-ending cycle is to build an effective incident response system.

What is a security incident?

Workflow management.

An organization can face hundreds of security incidents (or suspected incidents) a day, far more than analysts can triage by hand. To respond to all of them without letting its security posture slip, an organization needs an automated response capability. IT security administrators save a lot of time with automated workflows, because the routine first steps of a response run the moment an incident is detected rather than when someone gets to it.

Incident workflow management gives organizations the ability to define a set of actions that are automatically triggered when a particular type of incident occurs. For example, you can define a workflow that shuts down a computer when a malicious process starts on it, which isolates the affected system and stops the attack from spreading across the network. One caveat a responder will want to keep in mind: a hard shutdown discards volatile evidence (running processes, open network connections, memory), so where the EDR or SIEM supports it, terminating the process and isolating the host from the network contains the attack equally well while preserving that evidence for the investigation.

When configured properly, automated workflows give organizations a head start on incident resolution. Apart from triggering containment actions, a workflow can also raise a ticket for every detected incident in your ITSM (ticketing) tool. This keeps the resolution process closely tracked and ensures accountability: every incident has an owner, a status, and a record of what was done.
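The two ideas above (a condition that selects incidents, an ordered list of actions to run for them, and a ticket raised for every incident) can be seen in a small workflow engine. The following is an added example written for this page; it is not code from the original text or from any particular SIEM product. The incident types, action names, hosts and the INC- ticket scheme are assumptions, and the actions are stubs that record what a real EDR, firewall or ITSM integration would do. Network isolation is used in place of the shutdown example for the reason given above.

```python
"""Minimal incident-workflow engine (added example, not vendor code).

A workflow binds a match condition on an incident to an ordered list of
response actions. Actions are plain functions so they can be swapped for
real EDR / firewall / ticketing API calls; the versions here only return a
description of what they would do, so a run can be inspected and tested.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Incident:
    id: str
    type: str                     # hypothetical incident types, e.g. "malicious_process"
    host: str
    severity: int                 # 1 (low) .. 5 (critical)
    details: Dict[str, str] = field(default_factory=dict)


# Audit trail of every action taken, so a run is reviewable afterwards.
ACTION_LOG: List[str] = []


def kill_process(inc: Incident) -> str:
    return f"killed pid {inc.details.get('pid')} ({inc.details.get('image')}) on {inc.host}"


def isolate_host(inc: Incident) -> str:
    # Network isolation (EDR quarantine) rather than power-off: the host stays
    # up for forensics, but can no longer reach the rest of the network.
    return f"isolated {inc.host} from network"


def open_ticket(inc: Incident) -> str:
    # Hypothetical ticket id scheme; a real ITSM integration returns its own id.
    return f"opened ticket INC-{inc.id} severity={inc.severity}"


def notify_oncall(inc: Incident) -> str:
    return f"paged on-call for {inc.id}"


@dataclass
class Workflow:
    name: str
    condition: Callable[[Incident], bool]
    actions: List[Callable[[Incident], str]]


# Workflows are evaluated in order; more than one may match a single incident.
WORKFLOWS: List[Workflow] = [
    Workflow("contain-malicious-process",
             lambda i: i.type == "malicious_process",
             [kill_process, isolate_host, open_ticket]),
    Workflow("critical-escalation",
             lambda i: i.severity >= 4,
             [notify_oncall]),
    Workflow("track-everything",          # every incident gets a ticket
             lambda i: True,
             [open_ticket]),
]


def run_workflows(inc: Incident, workflows: List[Workflow] = WORKFLOWS) -> List[str]:
    """Run every workflow whose condition matches; each action runs at most
    once per incident, so an incident matching two workflows that both open a
    ticket still gets exactly one ticket."""
    done = set()
    results: List[str] = []
    for wf in workflows:
        if not wf.condition(inc):
            continue
        for action in wf.actions:
            if action in done:
                continue
            done.add(action)
            msg = action(inc)
            ACTION_LOG.append(f"{inc.id} [{wf.name}] {msg}")
            results.append(msg)
    return results


# Constructed sample incidents (not real telemetry).
SAMPLE_INCIDENTS = [
    Incident("1001", "malicious_process", "ws-042", 5,
             {"pid": "4412", "image": "svch0st.exe"}),
    Incident("1002", "brute_force", "vpn-gw-1", 2,
             {"src_ip": "203.0.113.7"}),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        for msg in run_workflows(inc):
            print(inc.id, msg)
```

Running the two sample incidents shows the behaviour that matters in practice: the malicious-process incident gets the process killed, the host isolated, a ticket and an on-call page, while the low-severity brute-force incident only gets a ticket. The deduplication in run_workflows is what stops the "track-everything" workflow from opening a second ticket for the first incident.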

Forensic investigation.

By analyzing what went wrong in previous incidents, organizations can prepare for the next one. Forensic investigation lets the security team reconstruct the traces an attacker left behind (log entries, file system and registry changes, memory contents, network connections) and turn them into indicators and detection rules that protect the organization against the same technique in future. Evidence has to be collected in a way that preserves it, for example from disk images and memory captures with recorded hashes, so that the findings can be trusted and, if necessary, stand up to legal scrutiny. In a way, forensic investigation is not about making the wrong right, but about analyzing the wrong to prepare for future wrongs.

Once the evidence has been analyzed, the next step is to contain the incident so that other devices are protected, which means scoping it first: the host that raised the alert is rarely the only one affected. The step after that is to eradicate the cause (remove the malware, close the exploited vulnerability, revoke compromised credentials) and recover the affected systems to normal operation. This is the lifecycle described in NIST SP 800-61: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
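The analysis-then-containment sequence above depends on two things a forensic timeline provides: events from different sources placed in the correct order, and a pivot on the indicators recovered from the first compromised host to find every other host that must be contained. The following is an added example for this page, not code from the original text or from any SIEM product. The two log formats, hosts, hashes and IP addresses are constructed sample data, and the UTC+2 offset for the process log is an assumption chosen to show why timestamps must be normalised before ordering.

```python
"""Forensic timeline and incident scoping over two constructed log sources
(added example, not vendor code).

Events from a process-creation log and an outbound-connection log are
normalised to one UTC timeline, then the timeline is pivoted on indicators
recovered from the host that raised the alert to find the full set of hosts
to contain, and the earliest one (patient zero).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed sample telemetry (not real data). The process log is written in
# the host's local time (assumed UTC+2); the connection log uses epoch seconds.
# Columns: local time, host, user, image, sha256 (truncated), parent image.
PROCESS_LOG = """\
2024-05-03 10:05:50,ws-009,carol,chrome.exe,4f7c1a9e2b3d5e60,explorer.exe
2024-05-03 10:14:07,ws-042,alice,svch0st.exe,9a1b2c3d4e5f6a7b,outlook.exe
2024-05-03 10:21:33,ws-017,bob,svch0st.exe,9a1b2c3d4e5f6a7b,wmiprvse.exe
"""
# Columns: epoch seconds (UTC), host, destination IP, destination port.
CONN_LOG = """\
1714723800,ws-009,203.0.113.5,443
1714724130,ws-042,198.51.100.23,443
1714724650,ws-017,198.51.100.23,443
"""


@dataclass
class Event:
    ts: datetime            # always UTC after parsing
    host: str
    source: str
    summary: str
    indicators: Set[str]    # hashes / IPs that can be pivoted on


def parse_process_log(text: str, local_utc_offset_hours: int) -> List[Event]:
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, host, user, image, sha256, parent = line.split(",")
        # Attach the source's local offset, then convert to UTC.
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        events.append(Event(ts.astimezone(timezone.utc), host, "process",
                            f"{user} started {image} (sha256 {sha256}) from {parent}",
                            {sha256}))
    return events


def parse_conn_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, host, dst_ip, dst_port = line.split(",")
        ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        events.append(Event(ts, host, "netconn", f"outbound to {dst_ip}:{dst_port}", {dst_ip}))
    return events


def build_timeline(process_log: str, conn_log: str, local_utc_offset_hours: int) -> List[Event]:
    """Merge both sources into one timeline ordered by UTC time."""
    events = parse_process_log(process_log, local_utc_offset_hours) + parse_conn_log(conn_log)
    return sorted(events, key=lambda e: (e.ts, e.host))


def first_seen_by_host(timeline: List[Event], indicators: Set[str]) -> Dict[str, datetime]:
    """Pivot on the seed indicators: every host where any of them appears,
    with the earliest sighting. This is the containment scope."""
    seen: Dict[str, datetime] = {}
    for ev in timeline:  # timeline is sorted, so the first hit per host is the earliest
        if ev.indicators & indicators and ev.host not in seen:
            seen[ev.host] = ev.ts
    return seen


def patient_zero(timeline: List[Event], indicators: Set[str]) -> Optional[str]:
    seen = first_seen_by_host(timeline, indicators)
    return min(seen, key=seen.get) if seen else None


if __name__ == "__main__":
    tl = build_timeline(PROCESS_LOG, CONN_LOG, 2)
    for ev in tl:
        print(ev.ts.isoformat(), ev.host, ev.source, ev.summary)
    # Indicators recovered from the host that raised the alert (ws-042):
    # the hash of the dropped binary and the address it called back to.
    iocs = {"9a1b2c3d4e5f6a7b", "198.51.100.23"}
    print("containment scope:", first_seen_by_host(tl, iocs))
    print("patient zero:", patient_zero(tl, iocs))
```

Two details are worth noticing. Without the offset conversion the process events would sort after the connection events and the timeline would show the callback happening before the binary ran, which would send the analyst looking for the wrong initial vector. And the pivot widens containment from the one host that alerted (ws-042) to the host the binary was pushed to afterwards (ws-017), while leaving the host that only shares a benign destination (ws-009) alone.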

Incident response is a never-ending cycle. Once an incident is spotted, analyzed, contained, and eradicated, what was learned (new indicators, new detection rules, tightened workflows) feeds back into preparation, and the cycle begins again with the next incident.
