Security Incident Management:
Respond Effectively to Security Incidents
Incident Management Involves Prioritizing, Assessing and Managing Incidents.
Automated processes help security incident management analysts respond optimally to incidents. In the event of an attack, companies must act quickly to minimize damage and contain threats. The foundation for dealing with security-related incidents is the creation of a plan in which tasks and responsibilities are defined. The plan also directs the isolation of malware and affected systems, as well as ensures deeper analysis to identify the attacker and investigate the reason for the attack in more detail.
What is a Security Incident?
A security incident may stand alone or consist of multiple events that together indicate that an organization’s systems or data may have been compromised or that protective measures may have failed. This includes any intentional or unintentional incident that poses an increased threat to IT security.
What is a Major Incident?
A major incident is a serious incident with the highest priority. These types of incidents can lead to significant disruptions or even a complete shutdown of business operations, so they require special measures. Major incidents represent a risk that cannot be neglected.
What is an Incident Handler?
The incident handler’s job is to contain and mitigate the security incident. To do this, he or she plans, manages and coordinates activities and communicates with other cybersecurity professionals.
Mainly, incident handlers define, document, and communicate the roles that various professionals take on during an incident. These roles vary depending on the severity of the incident.
Incident handlers establish, test and verify communication channels and communicate them to the appropriate personnel. This is a must to ensure the proper flow of tasks and communications.
They also ensure that all incident handling and response best practices, standards, cybersecurity frameworks, laws and regulations are followed and estimate the costs that an incident may incur.
Why Is Security Incident Management So Important Today?
Companies are regularly attacked by cybercriminals, with increasing frequency, and often suffer long-term damage.
We live in turbulent, constantly changing times. The world is networked and digitalization is advancing. We experienced this very clearly in 2020, in particular, when more and more people moved their workplace to a home office. They moved from a network managed by IT professionals to a workplace with no corporate firewalls and possibly no professional antivirus programs protecting them.
This situation makes businesses a sitting duck for cybercriminals and poses major challenges for IT departments.
However, IT security is not just the concern of security specialists; it is also the responsibility of every single employee. Seemingly simple tasks, such as
- changing passwords regularly,
- sharing confidential information only with known and verified sources,
- updating software,
- regularly backing up data, and
- consistently employing a clean desk / desktop strategy
are an important basis for secure work. Every opportunity should be taken to repeatedly sensitize employees to the topic.
What Should Be Considered When Preparing for Incidents?
The most important thing is to ensure that all employees know their roles and responsibilities in the event of a security incident.
To this end, scenarios can be developed and regularly run through so that they can then be evaluated and optimized, if necessary. A response plan should be well documented, as well as detailing and explaining the roles and responsibilities of everyone involved.
Above all, the competence of each individual counts. The better prepared your employees are, the less likely they are to make critical mistakes.
Answer the following questions for yourself:
- Have employees been trained on the security policy?
- Have the security policies and incident management plan been approved by the appropriate leadership?
- Does the incident response team know its responsibilities and whom to notify?
- Have all members of the team participated in practice drills?
The Incident Management Plan
In cybersecurity, as for ITSM, there are various frameworks, such as ISO 27000 and various NIST specifications. In general, these all recommend the creation of an incident response plan.
An incident response plan is usually a documented set of instructions organized in multiple phases. It defines all necessary actions and clearly outlines responsibilities. Regular reviews of such an incident management plan are necessary.
Recommended phases of an incident management plan:
1. Preparation
Provide incident management tools and processes.
As with ITIL®, the process outlined in the incident response plan is based on best practices. All important phases are defined in the tool. This way, when an incident occurs, the information needed to respond can be gathered in a short time. Communication between all involved parties should be outlined and contact information gathered.
2. Analysis and Identification
Deciding whether a security incident has occurred.
The analysis of data from log management systems, IDS/IPS, threat sharing systems as well as firewall logs and network activities, e.g. via a SIEM, helps to classify the corresponding events. Once a threat has been identified, it should be documented and communicated according to the established policy.
3. Containment
Contain the spread of the incident and prevent further damage.
Deciding which strategy to use plays the biggest role here. The main question is which vulnerability allowed the malware to infiltrate. Quick mitigation, such as isolating a network segment, is the first step in many incidents; forensic analysis then usually follows to evaluate what happened.
4. Eradication
Malware is eliminated.
Once the potential threat has been contained, the root cause of the incident must be investigated. To do this, all malware should be safely removed, systems patched, updates applied and software updated if necessary. The systems should therefore be brought up to the latest patch level and passwords should be assigned that meet all security requirements.
5. Recovery
Systems and devices are reactivated and made productive.
“Back to normal function” is the goal of this phase. All systems should be constantly checked to see whether they are running as expected. This is ensured by testing and monitoring over a longer period of time. In this phase, the incident response team determines when operations will be restored and whether infected systems will be completely cleaned up.
6. Lessons Learned
What went well and what did not?
Once phase five has been completed, a wrap-up meeting should be held with all parties involved. In this meeting, open questions are clarified and the incident is finally closed. This is not only about the handling of the incident, but also about its detection, e.g., by the SIEM. With the knowledge gained from this exchange, measures can be defined to better handle incidents in the future.
Depending on the orientation of a security team, these six phases can also be partially combined or implemented to varying degrees.
How can STORM as SOAR software support incident management?
Identification
With so many alerts coming in, analysts would waste too much time opening and logging incidents. Instead, a SOAR uses automation to create new cases.
Prioritization
To keep up with the influx of alerts, your cybersecurity team needs an automated solution. SOAR automation quickly prioritizes each incoming case so that critical incidents are responded to first.
Diagnostics
SOAR platforms facilitate diagnostics for security analysts by centrally organizing SIEM alerts and other data. This includes WHOIS or MISP information, for example. This means that all data related to a current case is quickly available.
Response
A SOAR solution notifies all stakeholders when an incident occurs: management, DevOps and IT. Mitigation steps are documented as they happen. Thus, centralized case management in a SOAR solution simplifies the involvement of all responsible parties. Others can immediately see the current progress and status.
Resolution and Closure
SOARs document all responses to an incident to prevent future incidents. This documentation cannot be edited. This ensures that the response to an incident is stored in an audit-proof manner.
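To make the identification, prioritization and audit-proof documentation steps above concrete, here is a small added example (not STORM code and not part of the original page) that takes constructed SIEM-style alerts, opens or deduplicates cases, orders them by priority, and records every action in an append-only, hash-chained audit trail whose integrity can be verified later. The asset-criticality list, the priority formula and the alert format are assumptions for the illustration.

```python
import hashlib
import json
# Constructed sample alerts in the shape a SIEM might forward them (not real data).
SAMPLE_ALERTS = [
    {"id": "a1", "severity": 8, "asset": "db-01", "rule": "lateral movement"},
    {"id": "a2", "severity": 3, "asset": "ws-17", "rule": "port scan"},
    {"id": "a3", "severity": 8, "asset": "db-01", "rule": "lateral movement"},  # repeat of a1
    {"id": "a4", "severity": 9, "asset": "dc-01", "rule": "credential dumping"},
]
CRITICAL_ASSETS = {"dc-01", "db-01"}  # assumed asset-criticality list
GENESIS = "0" * 64  # anchor hash for the first audit entry

def priority(alert):  # assumed formula: base severity plus a boost for critical assets, capped at 10
    return min(10, alert["severity"] + (2 if alert["asset"] in CRITICAL_ASSETS else 0))

class CaseStore:
    def __init__(self):
        self.cases = {}  # (asset, rule) -> case
        self.audit = []  # append-only list; each entry commits to the previous one

    def _record(self, event):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = json.dumps(event, sort_keys=True)  # canonical form so the hash is reproducible
        self.audit.append({"event": event, "prev": prev, "hash": hashlib.sha256((prev + body).encode()).hexdigest()})

    def ingest(self, alert):
        """Open a case, or attach the alert to the existing case for the same asset and rule."""
        key = (alert["asset"], alert["rule"])
        if key in self.cases:
            case = self.cases[key]
            case["alerts"].append(alert["id"])
            self._record({"action": "attach", "case": case["id"], "alert": alert["id"]})
            return case
        case = {"id": f"CASE-{len(self.cases) + 1}", "priority": priority(alert), "alerts": [alert["id"]]}
        self.cases[key] = case
        self._record({"action": "open", "case": case["id"], "priority": case["priority"]})
        return case

    def queue(self):  # highest priority first, so critical cases are worked before the rest
        return sorted(self.cases.values(), key=lambda c: c["priority"], reverse=True)

    def verify_audit(self):
        """Recompute the chain; an edited, reordered or deleted entry breaks it."""
        prev = GENESIS
        for entry in self.audit:
            body = json.dumps(entry["event"], sort_keys=True)
            if entry["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

In a real deployment the chain head would be written to storage the analysts cannot modify (for example a WORM log or a separate signing service), which is what turns "cannot be edited" into a property you can actually check.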
Incident Management Experts
The causes of security-related incidents are manifold and are often not immediately recognizable. However, it is necessary to identify these in order to actually eliminate all traces of the incident.
STORM brings many advantages as SOAR software: It is a tool that can be individually adapted to security requirements, but it also includes a lot of know-how from our cybersecurity experts.
Our security experts work with you to analyze the status quo of your IT security processes, develop appropriate solutions and then implement these.