Blog

  • Does IR have a Hierarchy of Needs?

    Based on feedback from everyone, we have updated this and published a version 2 of this post. After seeing in the past few years David Bianco’s Pyramid of Pain and Rick Holland’s Threat Intel Targeted Attack Hierarchy of Needs, I started thinking… can…

  • Reap the Payoffs of Successful IR Automation

    Do you remember when Salesforce.com came out? While CRM (customer relationship management) was hardly a new concept, users across the organization loved it for its ease of use, the visibility it provided, and the boost of speed its workflows delivered. An enterprise could easily get behind…

  • See you at the SANS SOC Summit #socsummit

    Looking forward to the 2016 SANS SOC Summit this week. It's late May, so it must be time for the annual SANS SOC Summit, https://www.sans.org/event/security-operations-center-summit-2016, held this Wednesday and Thursday at the Hilton Doubletree Crystal City just inside the DC Beltway. If there was any doubt that...

  • Improving Incident Response Investigations

    Investigating cybersecurity incidents requires balancing investigation depth with analyst capacity. Using robust triage checklists and threat management platforms can reduce investigative time. Larger SOCs/CSIRTs use a tiered system to allow skilled investigators to focus on high-risk events while maintaining coverage across all…

  • IR Process Questions to ask

    How can we reduce analyst fatigue? Review our Analyst Fatigue post, and develop the steps in the investigative process.  Map out the steps and tasks for each process, which will expose where    For example, the investigator who searches the email system for a message is probably…

  • Incident Response Management Process – Triage

    Triage is the first post-detection incident response process any responder will execute to open an incident or false positive. Structuring an efficient and accurate triage process will reduce Analyst Fatigue and ensure that only valid alerts are promoted to “investigation or...

  • Incident Response Process Importance

    Processes to manage incidents are part of the pre-event phase: initial development of these processes represents the end of the preparation phase for an Incident Management Program. These processes should come together once a policy is in…

  • Incident Response – How do you deal with analyst fatigue?

    As I talk with people I know who are either Security Managers, CISOs or friends, a topic has come up that I haven’t read much about: analyst fatigue. Fatigue Symptoms: below, I have brainstormed some indicators for recognizing analyst fatigue: High false positive…

  • Incident Response Preparation: Management Buy-in

    In our first Incident Response Preparation post we talked about some technical things that should be done as you are preparing to respond to events, investigations, incidents, and (hopefully not) breaches. We now address some of the management work that needs to happen as you are…

  • Incident Response Preparation

    Many of our customers ask about the best methodology out there to respond to an incident, and most places just need a push in the right direction to create an effective response to the incidents they see every day. There are big data…