15 Sep Incident Response Process Importance
The Value and Importance of Incident Response Process
Processes to manage incidents are part of the pre-event phase: initial development of these processes represent the end of the preparation phase for an Incident Management Program. These processes should come together once a policy is in place and the program has management buy-in, and should be reviewed regularly during the “Lessons Learned” stage of a large incident. At Syncurity, we work closely with our customers’ process documentation to map existing processes into our workflow, to automate and expedite process execution. An effectual process is not simply a checklist of mundane tasks that must be performed on each incident. The incident process must allow enough flexibility and modularity to be interesting and reduce Analyst Fatigue, but also have enough embedded structure that new analysts won’t get lost in a large map plastered on the SOC wall. To maximize effectiveness, an incident process will align with automation tools to help analysts ensure thoroughness. To follow are some attributes associated with strong incident handling processes:
- Simplicity – Maintaining a simple process drastically reduces long-term upkeep. Simplicity can reduce ramp-up time for new analysts, and allow an organization to grow analysts internally, rather than finding higher-priced analysts on the open market.
- Repeatability – Having a repeatable process will allow your SOC to loosely couple analysts with events. This allows for the handing off of incidents between shifts, reducing Analyst Fatigue over time.
- Automation – Automating basic tasks in the incident management/handling process will assure that the organization acquires important evidence. Previously seen artifacts and data should automatically link to new incidents.
- Metric Collection – Effective incident processes are informed by metadata and metric analysis. While it may be difficult to fully realize utility of metrics at the analyst level, SOC leadership can define KPIs regarding incidents to powerfully inform the overall security posture of an organization. Here are a few examples:
- New Virus Infection Rates
- Top Virus Signatures (blocked/missed)
- Mean Time To Resolution
- Mean Time To Identification
- Mean Time to Investigation (Event hits and is opened by an investigator)
- Primary Virus Infection Source
- Phishing Email Types and/or Signatures
- Vulnerability Lifecycle (identification, planning, and remediation timing)
An ideal process will include all of these features and can bring an organization closer to incident management zen. We have created a framework to help you structure and build these processes within your organization. Upcoming blog posts will provide an in-depth discussion of process framework for developing informed goals for Triage, Investigations, Containment, Eradication, Remediation, and Lessons Learned.