Sans Critical Log Review Checklist for Security Incidents

Creating a framework for handling information security incidents is difficult. On the one hand, there is the need to provide policies and procedures for people involved in the incident response (IR) process. On the other hand, documentation that's too long and boring is rarely read; moreover, it's hard to anticipate every IR contingency when preparing the documents.

Here are a few tips for starting and formalizing a security incident response program.

The Hierarchy of Documents

Organizations differ in the criteria they use when designating a document a policy, process, guideline, or plan. Regardless of your nomenclature, you should have a hierarchy of documents:

  • A brief high-level document that describes the goal of the IR program. The level of detail should be appropriate for a non-technical executive. (I think of this as a policy.)
  • One or more longer documents that include details regarding the approach to IR that should be practiced by the organization. The audience for this documentation should be technical managers and other individuals implementing the IR plan. (I think of this as procedures, though some might call it policies.)
  • Detailed technical documents for the various situations that incident responders might find themselves in. The audience for this is technical staff that is responsible for taking IR steps. (I think of this as guidelines, cheat sheets, and checklists.)

Keep It Brief

Remember that no one has the time and patience to read wordy policy documents filled with generalities. Keep your IR policies and procedures succinct and to the point. Use bullet points whenever possible.

Don't worry about anticipating every possible contingency. Start with a set of documents that seems reasonable, so that you don't dwell forever on getting them published. Then, refine them as you gain experience responding to incidents.

Avoid building upon IR document templates without customizing them for your specific needs, as such practices usually produce wordy texts filled with irrelevant concepts.

The Security Incident Cycle

Organizations also make the mistake of focusing on only one of the several phases that comprise the security incident cycle. I discussed the big picture of the security incident cycle in an earlier article.

In addition to failing to devote proper attention to each stage of the security incident cycle, organizations often fail at knowing when and how to transition from one phase to another when dealing with an incident. The challenge is in part due to the differences in technologies and skill sets used in each phase, as well as in the different reporting structures of the teams that need to collaborate when navigating the cycle.

References for Designing Your IR Plan

The following papers and articles provide practical guidance for designing and implementing an incident response program:

  • Creating a Computer Security Incident Response Team: A Process for Getting Started by CERT Coordination Center
  • How to Design a Useful Incident Response Policy by Timothy E. Wright
  • CIRT-Level Response to Advanced Persistent Threat by Richard Bejtlich (PDF)
  • SP 800-61 Computer Security Incident Handling Guide by NIST (PDF)

In addition, I created a number of cheat sheets useful for incident response:

  • Initial Security Incident Questionnaire for Responders
  • Network DDoS Incident Response Cheat Sheet
  • Security Incident Survey Cheat Sheet for Server Administrators
  • Critical Log Review Checklist for Security Incidents

Sample Incident Response Plan Documents

If you're wondering how other organizations document their IR programs, you'll be surprised how much you'll find by Googling "incident response filetype:pdf".

Keep in mind that even when you prepare for security incidents, you are likely to run into a situation that catches you by surprise. I put together my thoughts on this topic in a presentation, How to Respond to an Unexpected Security Incident (PDF), with full speaker notes.

For a related post, see my article on The Critical Role of the Security Incident Response Coordinator.


About the Author

I design practical security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies accomplish their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.


Source: https://zeltser.com/security-incident-response-program-tips/
