Blog

  • Improving Incident Response Investigations

    Investigating cybersecurity incidents requires balancing investigation depth with analyst capacity. Using robust triage checklists and threat management platforms can reduce investigative time. Larger SOCs/CSIRTs use a tiered system to allow skilled investigators to focus on high risk events while maintaining coverage across…

  • Incident Response Management Process – Triage

    Triage is the first post-detection incident response process a responder executes: it decides whether an alert is opened as an incident or closed as a false positive. Structuring an efficient and accurate triage process will reduce analyst fatigue and ensure that only valid alerts are promoted to “investigation or…

  • Incident Response Process Importance

    The Value and Importance of Incident Response Process: Processes to manage incidents are part of the pre-event phase; the initial development of these processes represents the end of the preparation phase for an Incident Management Program. These processes should come together once a policy is in…

  • Incident Response – How do you deal with analyst fatigue?

    As I talk with people I know who are either Security Managers, CISOs or friends, a topic has come up that I haven’t read much about: analyst fatigue. Fatigue Symptoms: Below, I have brainstormed some indicators for recognizing analyst fatigue: High false positive…

  • Incident Response Preparation: Management Buy-in

    In our first Incident Response Preparation post we talked about some technical things that should be done as you are preparing to respond to events, investigations, incidents, and (hopefully not) breaches. We now address some of the management work that needs to happen as you are…

  • Incident Response Preparation

    Many of our customers question the best methodology out there to respond to an incident, and most places just need a push in the right direction to create an effective response to the incidents they see every day. There are big data…

  • Essentials of Incident Response: 01. Preparation – Technology

    This blog series has been updated here. This is the last of a 3-part series on the role of Preparation in the Incident Response process. The first two parts covered People [1] and Process [2]; this part addresses the role of Technology in Preparation. Further…

  • Essentials of Incident Response: 01. Preparation – Process

    This blog series has been updated here. In this series on the Incident Response Process, I’m devoting at least one post to each of the steps in the PICERL (Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned) method. Preparation is key to the others, so…

  • Essentials of Incident Response: 01. Preparation – People

    This blog series has been updated here. In the first post of this series, I gave an overview of the steps associated with the IR process. Starting with this post, I will cover each one in more depth, and identify topics for further development. If…

  • The Essentials of Incident Response

    According to a recent survey of incident responders by the SANS Institute (Torres, 2014), the lack of formal incident response (IR) plans and defined team structures is a primary roadblock to efficient handling of security incidents. In this series, I will discuss the components of…
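The triage and investigation posts above describe a structured, tiered triage pass: suppress repeats, close known-benign sources, enforce a checklist before an alert is promoted, then route by risk to the right tier, and watch false-positive and duplicate rates as fatigue indicators. The following is an added illustration of that flow, not code from any of the posts: the sample alerts are constructed, and the checklist fields, severity weights, asset lists, dedup window and tier thresholds are all assumptions for the example.

```python
"""Illustrative alert triage: dedup -> known-benign -> checklist -> score/tier.
Added example; not the blog's code. All data and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T09:00:00", "rule": "suspicious_powershell", "severity": "high",
     "host": "ws-042", "user": "jdoe", "indicator": "powershell -enc", "source": "edr"},
    {"id": "a2", "ts": "2024-05-01T09:00:30", "rule": "suspicious_powershell", "severity": "high",
     "host": "ws-042", "user": "jdoe", "indicator": "powershell -enc", "source": "edr"},   # repeat
    {"id": "a3", "ts": "2024-05-01T09:05:00", "rule": "port_scan", "severity": "low",
     "host": "scanner-01", "user": "", "indicator": "tcp/445 sweep", "source": "ids"},     # scanner
    {"id": "a4", "ts": "2024-05-01T09:10:00", "rule": "new_admin_account", "severity": "medium",
     "host": "dc-01", "user": "", "indicator": "net user /add", "source": "siem"},         # no user
    {"id": "a5", "ts": "2024-05-01T09:12:00", "rule": "c2_beacon", "severity": "critical",
     "host": "srv-db-01", "user": "svc_backup", "indicator": "203.0.113.5:8443", "source": "ndr"},
]

# Assumed environment knowledge the triage checklist relies on.
KNOWN_SCANNERS = {"scanner-01"}            # authorized vulnerability scanners
CROWN_JEWELS = {"dc-01", "srv-db-01"}      # high-value assets
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REQUIRED_FIELDS = ("ts", "rule", "severity", "host", "user", "indicator", "source")
DEDUP_WINDOW = timedelta(minutes=10)
ESCALATE_AT = 5                             # score at which tier 3 takes over


@dataclass
class TriageResult:
    alert_id: str
    disposition: str   # duplicate | false_positive | needs_enrichment | investigate | escalate
    tier: int          # 1 = analyst, 2 = investigator, 3 = senior responder / IR lead
    score: int
    notes: List[str] = field(default_factory=list)


def checklist(alert: dict) -> List[str]:
    """Return checklist failures; an empty list means the alert may be promoted."""
    return [f"missing:{f}" for f in REQUIRED_FIELDS if not alert.get(f)]


def risk_score(alert: dict) -> int:
    """Severity plus context: high-value host and service-account activity raise the score."""
    score = SEVERITY_WEIGHT.get(alert["severity"], 0)
    if alert["host"] in CROWN_JEWELS:
        score += 2
    if alert.get("user", "").startswith("svc_"):
        score += 1
    return score


def triage(alerts: List[dict]) -> List[TriageResult]:
    results: List[TriageResult] = []
    last_seen: Dict[tuple, datetime] = {}   # (rule, host) -> timestamp of last promoted alert
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["host"])
        # 1. Same rule on the same host inside the window is a repeat, not new work.
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= DEDUP_WINDOW:
            results.append(TriageResult(a["id"], "duplicate", 1, 0, [f"repeat of {key}"]))
            continue
        last_seen[key] = ts
        # 2. Known-benign sources are closed at tier 1 without investigation.
        if a["host"] in KNOWN_SCANNERS:
            results.append(TriageResult(a["id"], "false_positive", 1, 0, ["authorized scanner"]))
            continue
        # 3. The checklist must pass before the alert leaves tier 1.
        failures = checklist(a)
        if failures:
            results.append(TriageResult(a["id"], "needs_enrichment", 1, risk_score(a), failures))
            continue
        # 4. Score and route: ordinary investigation at tier 2, high risk straight to tier 3.
        score = risk_score(a)
        if score >= ESCALATE_AT:
            results.append(TriageResult(a["id"], "escalate", 3, score))
        else:
            results.append(TriageResult(a["id"], "investigate", 2, score))
    return results


def fatigue_indicators(results: List[TriageResult]) -> Dict[str, float]:
    """Rates worth trending; a rising false-positive or duplicate share is a fatigue warning sign."""
    total = len(results)
    fp = sum(1 for r in results if r.disposition == "false_positive")
    dup = sum(1 for r in results if r.disposition == "duplicate")
    promoted = sum(1 for r in results if r.tier >= 2)
    return {"false_positive_rate": fp / total, "duplicate_rate": dup / total,
            "promoted_to_tier2_plus": promoted}


if __name__ == "__main__":
    out = triage(SAMPLE_ALERTS)
    for r in out:
        print(r)
    print(fatigue_indicators(out))
```

Of the five constructed alerts, one is suppressed as a repeat, one is closed as an authorized scanner, one is held at tier 1 for enrichment because it lacks a user, and only two reach an investigator, the beacon from a high-value host going straight to tier 3. The point of ordering the checks this way is that the cheap suppressions run first, so the expensive investigator time in the tiered model is spent only on alerts that passed the checklist.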