Organizations need a proper, focused and coordinated approach to responding to incidents. This includes an incident response plan that sets out how the incident response capability is implemented.
Every organization needs a plan that meets its particular requirements: one that fits the organization's mission, size, structure and functions, and that lays out the necessary resources and management support.
But before implementing an effective Security Operations Center (SOC), IT teams must be able to distinguish between events and incidents.
Events vs Incidents
Events
An event is any observable and significant occurrence in an organization's systems or network that is out of the ordinary, usually (though not always) a negative one.
e.g.
- A user connecting to a file
- A system crash
- Unauthorized use of system privileges
- Unauthorized access to sensitive information
Incident
An incident is a violation of the organization's information security policies, security standards or similar rules.
e.g.
- Sending malicious files to a targeted user
- Performing a denial-of-service attack on a web server
- Stealing sensitive information and blackmailing the owners
Now that we have identified the difference between an event and an incident, let's take a look at the incident response process flow.
Incident Management Process Flow
1. Log Incidents
The first step in this process is to report the identified incident to the relevant parties through the appropriate channels, either by the users who experienced it or by a responsible person on their behalf. The assigned member of the incident handling team should capture all necessary details and data related to the incident.
2. Classify Incidents
Classify the incident with the appropriate category and sub-category so that the proper group and agent can be identified easily. A proper classification scheme speeds up incident handling and saves time in the subsequent investigation.
3. Prioritize Incidents
Assigning the proper priority to an incident ticket directly determines which SLA policy applies and ensures that business-critical problems are addressed on time. It is therefore important to establish a sensible SLA that satisfies client commitments.
4. Investigate and Diagnose Incidents
When an incident occurs, the incident response team performs a deep analysis of the incident and sends a customized report to the end customer.
5. Incident Closure
The primary goal of the incident management process is to resolve the incident quickly and efficiently. Closing the ticket only after the resolution has been communicated to the end user is an important part of incident handling.
Value-added features for an effective incident management process
Communication channels – Multiple methods should be available to report an incident to the incident response team. Reporting should be done as soon as possible from anywhere at any time.
Multiple SLA definitions – Having multiple SLA policies for different clients will make it easy to handle different types of clients. Meeting the SLA is an important factor in measuring the productivity of a SOC and thereby client satisfaction.
Notifications system – Sending progress notifications on incident resolution, as emails or text messages, to the users/agents who reported the incident will increase user satisfaction.
Automated ticket assignment – An automated ticketing system adds further advantages to the incident management process. Classification, prioritization and assignment to individuals must be done consistently and fairly. This also removes the delays of a manual process.
Prepare knowledge base – Building a proper knowledge base from frequently raised tickets will speed up the response process. The team handling incidents can refer back to see how similar past cases were handled, and logging new discoveries enables the team to prepare better incident responses in future.
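The ticket life cycle of the process flow above (log, classify, prioritize, close; step 4 is analyst work and not modelled) together with the per-client SLA policies and automated assignment from the value-added features, as an added Python sketch that is not part of the original post. The impact/urgency priority matrix, the SLA minutes, the client names and the agent queues are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import cycle
# Assumed impact x urgency matrix (not from the page) -> priority level
PRIORITY = {("high", "high"): "P1", ("high", "low"): "P2",
            ("low", "high"): "P2", ("low", "low"): "P3"}
# Constructed per-client SLA policies: priority -> (respond, resolve) in minutes
SLA_POLICIES = {
    "default":  {"P1": (15, 240), "P2": (60, 480), "P3": (240, 1440)},
    "client-a": {"P1": (5, 120),  "P2": (30, 240), "P3": (120, 720)},
}
# Constructed per-category agent queues; assignment is round-robin
QUEUES = {"malware": cycle(["ana", "ben"]), "dos": cycle(["cy"])}

@dataclass
class Ticket:
    id: int
    client: str
    summary: str
    logged_at: datetime
    category: str = ""
    subcategory: str = ""
    priority: str = ""
    assignee: str = ""
    status: str = "logged"
    resolution: str = ""
    deadlines: dict = field(default_factory=dict)  # "respond"/"resolve" -> datetime

def log_incident(ticket_id, client, summary, logged_at):
    """Step 1: capture the report; logged_at is an ISO-8601 timestamp."""
    return Ticket(ticket_id, client, summary, datetime.fromisoformat(logged_at))

def classify(t, category, subcategory):
    """Step 2: category/sub-category picks the queue and the next agent in it."""
    t.category, t.subcategory = category, subcategory
    t.assignee, t.status = next(QUEUES[category]), "assigned"
    return t

def prioritize(t, impact, urgency):
    """Step 3: priority selects the client's SLA clocks (default policy if none)."""
    t.priority = PRIORITY[(impact, urgency)]
    policy = SLA_POLICIES.get(t.client, SLA_POLICIES["default"])
    for name, minutes in zip(("respond", "resolve"), policy[t.priority]):
        t.deadlines[name] = t.logged_at + timedelta(minutes=minutes)
    return t

def close(t, resolution, closed_at):
    """Step 5: close the ticket; returns True if it was resolved inside the SLA."""
    t.status, t.resolution = "closed", resolution
    return datetime.fromisoformat(closed_at) <= t.deadlines["resolve"]
```

A client without its own policy falls back to the default SLA, which is how the "multiple SLA definitions" feature keeps one workflow for all clients.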
Possible types of Incident Response Teams
There are three main types of response team commonly identified:
Central Incident Response Team: This is ideal for a small-scale organization. A central incident response team handles all incidents of the organization as a single team.
Distributed Incident Response Team: This model consists of multiple teams, each managing a different physical location or process within a large organization. A single entity coordinates the whole process to maintain consistency throughout the organization.
Coordinating Team: A single team that provides guidance to other teams while remaining independent of any other group or team. It can consist of employees, a partially outsourced team or a fully outsourced incident response team.
The following factors will help to select an appropriate team model for any kind of organization:
- Response team availability
- On-site presence
- Funding capacity
- Employee morale to work on incident management
- Internal employee expertise
- Level of organization specific knowledge
- Geographical presence
Recommendations for an effective incident management process
- Coordinate with external parties in advance, before an incident occurs.
- Share incident-related information throughout the organization during incident response.
- Automate the incident response process as much as possible.
- Educate customers about relevant incidents before they face the same kind of incident.
- Document all evidence and the whole process for further investigation and reference.