Incident management is the management of incidents that are potentially damaging to an organization, such as a distributed denial of service attack. Not all incidents are computer-related; for example, a break-in at your CEO’s office is also an incident.
- Detection. It is critical to be able to detect incidents quickly because they often become more damaging as time passes. It is important to have a robust monitoring and intrusion detection solution in place. Other parts of a detection system include security cameras, motion detectors, smoke alarms and other sensors. If there is a security incident, you want to be alerted (for example, if an alarm is triggered at your corporate headquarters over a holiday weekend).
- Response. When you receive a notification about an incident, you should start by verifying the incident. For example, if an alarm was triggered at a company facility, a security guard can physically check the surroundings for an intrusion and check the security cameras for anomalies. For computer-related incidents, it is advisable to keep compromised systems powered on to gather forensic data. Along with the verification process, during the response phase you should also kick off the initial communication with teams or people that can help with mitigation. For example, you should contact the information security team initially during a denial-of-service attack.
- Mitigation. The next step is to contain the incident. For example, if a computer has been compromised and is actively attempting to compromise other computers, the compromised computer should be removed from the network to mitigate the damage.
- Reporting. Next, you should disseminate data about the incident. You should routinely inform the technical teams and the management teams about the latest findings regarding the incident.
- Recovery. In the recovery phase, you get the company back to regular operations. For example, for a compromised computer, you re-image it or restore it from a backup. For a broken window, you replace it.
- Remediation. In this phase, you take additional steps to minimize the chances of the same or a similar attack being successful. For example, if you suspect that an attacker launched attacks from the company’s wireless network, you should update the wireless password or authentication mechanism. If an attacker gained access to sensitive plain text data during an incident, you should encrypt the data in the future.
- Lessons learned. During this phase, all team members who worked on the security incident gather to review the incident. You want to find out which parts of the incident management were effective and which were not. For example, you might find that your security software detected an attack immediately (effective) but you were unable to contain the incident without powering off all the company’s computers (less effective). The goal is to review the details to ensure that the team is better prepared for the next incident.