ISACA CISM – Domain 04 – Information Security Incident Management Part 3
12. Outcomes of Incident Management
So we have some outcomes that we want from incident management. Now when we do talk about incident management, that as a term includes having this incident response, and that’s an important part of that. The incident response is really in many ways a variety of activities that we want to create, and we’re going to talk a little bit more about some of the concepts and definitions. But it’s a list of activities that could either be proactive or reactive to an event. And that’s another important part of this: as we’re doing these studies we can be proactive towards what we see happening. Again, the proactive may be to try to limit or even prevent an incident, whereas the reactive is our response. So here it is: proactive efforts to limit or prevent.
And that might come from doing a risk assessment, from doing a business impact analysis, where again the response is a part of a plan to react to things as they occur. Again, trying to lessen the amount of time. So the outcome, I guess you could say, of good incident management is that we have a way of, I guess we could say, having sufficient detection and monitoring ability to be able to do both proactive and reactive. And by the way, that’s an important aspect here, because a lot of the time we talk about things like logs. If you have your systems logging all of these events and you don’t have anybody reading these logs or looking at these logs, then what’s the purpose of having them? Are you just going to leave the logs there for post mortem after the event has occurred and try to figure out what happened?
Or do you want to be proactive and start looking at some of these logs and we’ll talk a little bit more about some systems that can help you in the automation of this. But the whole idea again of having this good incident management is that we want to be able to respond, reduce the loss. And by reducing the loss, perhaps lessen the costs. Now you might say, well loss and costs, what am I talking about here? Again, you could lower the overall effect of your security costs and there are some tools that you can use that can lower the operating cost of security over time. And because you have this incident management and you made the realization that you found a solution, not only can that solution, as it says, reduce your loss but lower the cost of what it takes for you to get that moving forward.
Now one of the things I didn’t put on here for an outcome of incident management, and I’m going to put it up here at the top as a little star: in some cases, depending on the corporation, the type of company you are, there may be legal or regulatory laws that you must satisfy. And some of that you might say, well, I’m going to have incident management as a plan because of those requirements. All right, well, I think I would hope you would have incident management anyway, but at least knowing that these laws are forcing you to do it may be a good indication that you’re going to get it done. But nonetheless, that’s just another aspect of why we might look at what outcome we want. The outcome might just simply be to make sure you are within the limits of the jurisdictions that your company is running in.
13. Incident Management
All right. So incident management, depending on your organization, we’re going to think that you probably have, hopefully, somebody you might call, or a team of people you might call, the Information Security Manager. Sometimes you’ll see me abbreviate that as ISM. In some organizations, that security manager might be at minimum the first responder. Now the first responder, that means that if I have my help desk over here sitting on the phone with somebody and they determine, hey, there’s an incident, that they would say, that’s the first person we call to implement that response team. Now the security manager, again, depending on your corporation, your organization, may have a part in creating your business continuity and disaster recovery.
I say may have a part because we’re going to find out that this has to be a team effort. And when I say team, as we talk about it later, I’m talking about people maybe from Human Resources, from Legal, right? From the operating systems, from the network, from all aspects of your organization working together, not just the security manager. But if they aren’t a part of that process, we hope that they at least have adequate knowledge of what those processes are. Because if they don’t, then they’re really not going to be a great first responder, I guess you could say. And so again, it’s just kind of an idea of how we begin to look at incident management.
14. Concepts Part 1
So let’s cover some of the concepts that we use when we talk about incident response procedures. One of the first ones here is incident handling, which basically we could look at as a service that involves all of the processes or tasks that are associated with handling events and incidents. So what does that mean? That means if I was talking about having that server again, and that server’s internal hard drive crashed and we said okay, there’s the incident, how would you handle it? Well, obviously at one point it may be in rebuilding a new server and then, on that new server, taking the backups that you had from some other time and restoring them in there, or maybe having to even rebuild the entire server operating system. But it would be that complete set of steps that you would say, if this is what happens, here’s how we’re going to take care of it.
Now first of all we have to think of the fact that it sounds like there are multiple steps, even though this is one service, it’s one response if you would, that has all the processes and tasks. But before we can even get to incident handling we do have to make sure we have a method of detection and reporting, which means that we have to be able to say, hey, somebody can send me an alert or send the team an alert and they can go in from there. Now if you think about something a little bit more severe as far as the needs of what we’re doing, it might not be that the server itself crashed, but maybe the routers or the network itself and connectivity may have had a problem. And so suddenly then we have to say to ourselves, okay, let’s do a little triage.
I mean, we might have said through our detection, reporting and diagnosis that the problem is here at the router, but in reality the bigger, more important issue is that we need that data. And you might ask and say to yourselves, okay, so we have a little bit of a triage, we have to get to the data, but we have to fix the path. And you might ask a question: is there another path that we can take through the network? Did we plan ahead of time for no single points of failure? And so we might say, well, as a part of the triage, let’s make sure the data is accessible first. It might not be the best path through the network, but then we can fix the network, which ultimately was the root cause. Root cause analysis, of course, is a part of this setup.
It’s basically your attempt to determine what’s happened, to figure out what the impact is that is being done, what the threats are. And then of course with all of that comes the incident response itself. And this is really kind of the last step of the incident handling, and basically this is where we figure out what action. This is kind of the last step, like I said, and really becomes the action. What are we going to do to work with this, as far as whether it’s taking care of mitigating it or resolving it. We also have to know, as a part of this response, that usually we have to create documentation and disseminate that documentation. And hopefully another part of that is to limit, basically, the recurrence of this situation. Again, remember we said one of the things we want to do is learn from history as far as how to keep it from repeating.
15. Concepts Part 2
Another concept again of the incident response procedures, as we’ve been talking about, is having really effective incident management. Effective means that we have a method of being able to do detection. Maybe it’s through automation or automated tools that we can use. We have to know that to manage it we should record what’s occurring. By recording what we’re doing, we’re making sure that we don’t overlook any aspect, that we have the proper documentation, because like I said, we want to be able to report. And so in order for us to report, part of management should be having a method of recording our actions, our steps, what we’ve discovered, and of course trying to say no repeats here of what’s happening.
The other part, of course, is that through our management we’re trying to figure out a way again to limit the impacts. And so part of management means that we do have to have, and this goes kind of back to what I just said before, kind of the triage. We should have proper classification through our management because we want to have a prioritized list of what’s most important that we have. And if we had existing documentation, then we can ask the question: can we check it against known errors and problems because of what we’ve seen in the past? That might also help us in being able to limit the impacts, because we have a good place to at least understand where we should be going to look for the solutions.
16. Concepts Part 3
Now, even though we said that incident handling should result in having the incident response out of all of it, and it’s important to repeat this again, it’s the last step in your incident handling process. It is important because we have to realize that there is a life cycle, right, of doing this, where we have the planning part of it and the life cycle comes back around. But part of that life cycle is a review, I guess I could say implement. This isn’t the exact life cycle, but just for kind of drawing it out, at some point we’re going to have a review, and technically there’s testing and a bunch of other steps in there. But the thing about it is that incident response and that documentation can help us, right, as part of that review, that maybe we have to go back to planning.
Of course, another part of that is the coordination. Remember, we’re going to have team members that we have to deal with, or should deal with. I didn’t mean to make that like a negative connotation. But you realize, like I said, with the network outage and getting access to our data server, we’re going to have to work with the network team, maybe a security team, certainly with the server operations, the database administrators, the rest of that. Of course, the other part of the response is, like I said, we have to execute, or do the execution of, any mitigation options that we put into place in that plan, and of course have the recovery actions to be able to get back from that downtime.
17. Incident Management Systems Part1
One last part of this is the use of incident management systems. All right? So if you think about the fact that in your typical network, you’re going to have a number of servers out there in your network, over and over and over. A number of network devices, like perhaps routers that are dealing with the traffic, and the switches, and maybe those are going through a firewall or intrusion prevention device getting out to the Internet. And what I’m getting at is that there is, in today’s networks, in information systems, just a sheer amount of information that has to be gathered. Now here’s something that might be an issue. All of these devices, the servers, the routers, the switches, the firewalls, everything else, antivirus software running on PCs, all of these things can generate logs.
And traditionally what I saw in the early stages of security was that we had team members in security that only looked at the logs on the firewall, and we had team members that were in the infrastructure that only looked at the routers and switches. And we had admins of the operating system, as well as the database admins, who were looking at the operating systems, and they would each look at their logs individually. Here they’re all looking at all of these individual pieces, gathering that information. But they weren’t correlating, right? They didn’t work as a group. Because if you think about it, if I suddenly saw, let’s say I’m on a Windows server and I see a virus over here, how do I know where it came from? Well, I’d have to go talk to the people running maybe the firewalls.
And if it didn’t come from the firewalls, maybe it was from somebody who brought in their own malware and it’s going through the rest of the network. So what we want to see is systems that can automate, I should say, the gathering of information and being able to correlate that information. And what they’ll do, and a lot of times we call these SIEMs, and that’s the abbreviation, SIEM. And what they will do is they will analyze across all of the platforms to be able to give you information on potentially malicious activity. They will correlate this information, they will prioritize incidents, which means that they’ll also generate alerts to let us know proactively if they see some sort of activity that is suspicious or anomalous, as well as take care of management.
So we can have it basically assigned to a person who can then give us the check mark saying, hey, we’ve got that taken care of. And now these systems have costs, obviously, but they were designed to sit out here in the network. And as I said, I’ll put a big S there, to get all of this information into one spot. And again, every vendor that creates these different types of logging devices will have their own strengths and weaknesses that they’ll advertise. You’ll find one that hopefully works best. But if you think about that, that should hopefully lower the cost. Because if you say to yourself, oh, wait a second, these servers aren’t free. No, they’re not free. You have to pay for them. But look at what I’m saving.
I’m saving the amount of hours that I would have had otherwise, even if I had the personnel to spend the hours to individually look at all of these logs. And so now we’re having that through an automated system, taking care of doing that analysis for us, and then being able to generate the alerts. And the alerts, again, could go right to the incident response team or whoever you’ve got, to be able to start generating a response. Remember what we said. One big thing that we wanted was a way of being able to quickly determine when there’s an incident so we can begin to take action and again, contain it, limit the loss and get to a recovery point.
18. Incident Management Systems Part2
As I was just saying, we should see over time that the efficiencies and cost savings can be in the operating costs, because again, automation over a long time, and the correlation being done as all of the information is considered, is going to be cheaper in the long run. Like I said, over the manual reviewing of the logs, and this is the big thing, it works over multiple platforms, because the different platforms will all have the same format of the data that they’re sending in. And because of the detection and escalation being so much quicker, that means our recovery costs should be cheaper, because we’re going to have hopefully less loss, less damage, faster response. So as I just said previously, these are the benefits of considering this as a part of your incident management system.
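The cross-platform gathering, correlation, prioritization and assignment described in Parts 1 and 2 above, as an added example that is not part of this course or of any vendor’s SIEM product: three constructed log sources in different native formats are normalized into one event record, a rule correlates them per host inside a time window, and each resulting alert is prioritized and assigned to an owner. The log formats, the correlation rule and the owner names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs in three different native formats; every value is made up.
FIREWALL_LOG = [
    "2024-05-01T10:00:05Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.25 dport=445",
    "2024-05-01T10:00:09Z fw01 action=ALLOW src=203.0.113.7 dst=10.0.0.25 dport=443",
    "2024-05-01T10:30:00Z fw01 action=ALLOW src=198.51.100.9 dst=10.0.0.40 dport=443",
]
AV_LOG = ["2024-05-01 10:01:30 host=SRV-FILE01 ip=10.0.0.25 event=MalwareDetected threat=Test.Sample"]
SWITCH_LOG = ["2024-05-01 10:02:10 sw-core ip=10.0.0.25 event=LinkDown port=Gi1/0/7"]

@dataclass
class Event:          # the single normalized record every platform is mapped into
    ts: datetime
    source: str       # platform that produced the log line
    ip: str           # internal host the event concerns
    kind: str         # normalized event type
    detail: str

@dataclass
class Alert:
    priority: str
    ip: str
    summary: str
    assigned_to: str  # who gets the "check mark" responsibility (assumed team names)
    related: list     # the raw events that were correlated into this alert

FW_RE = re.compile(r"^(\S+) \S+ action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_firewall(line: str) -> Event:
    m = FW_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, "firewall", m.group(4), "fw_" + m.group(2).lower(),
                 f"src={m.group(3)} dport={m.group(5)}")

def parse_kv(line: str, source: str) -> Event:
    # "YYYY-MM-DD HH:MM:SS <name> key=value ..." style shared by the AV and switch logs
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    f = dict(tok.split("=", 1) for tok in line[20:].split() if "=" in tok)
    extra = " ".join(f"{k}={v}" for k, v in f.items() if k not in ("ip", "event"))
    return Event(ts, source, f["ip"], f["event"].lower(), extra)

def normalize() -> list:
    events = [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_kv(l, "antivirus") for l in AV_LOG]
    events += [parse_kv(l, "switch") for l in SWITCH_LOG]
    return sorted(events, key=lambda e: e.ts)

def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Assumed rule: malware on a host shortly after the firewall ALLOWed inbound traffic
    to it is HIGH; malware with no such traffic is MEDIUM; a lone link event is LOW."""
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    alerts = []
    for ev in events:
        if ev.kind == "malwaredetected":
            ctx = [o for o in events if o.source == "firewall" and o.ip == ev.ip
                   and ev.ts - window <= o.ts <= ev.ts]
            allowed = any(o.kind == "fw_allow" for o in ctx)
            pri = "HIGH" if allowed else "MEDIUM"
            alerts.append(Alert(pri, ev.ip,
                                f"malware on {ev.ip} ({ev.detail})" + (" after inbound ALLOW" if allowed else ""),
                                "incident-response-team" if pri == "HIGH" else "soc-analyst", ctx + [ev]))
        elif ev.kind == "linkdown":
            alerts.append(Alert("LOW", ev.ip, f"link down affecting {ev.ip} ({ev.detail})", "network-team", [ev]))
    return sorted(alerts, key=lambda a: rank[a.priority])   # most urgent first

def run_pipeline() -> list:
    return correlate(normalize())

if __name__ == "__main__":
    for a in run_pipeline():
        print(a.priority, a.assigned_to, a.summary, f"({len(a.related)} related events)")
```

Run on the constructed logs, the malware event and the two firewall events for 10.0.0.25 become one HIGH alert, while the unrelated 10.0.0.40 traffic produces nothing, which is the correlation that per-platform log reading would have missed.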
19. Lesson 3: Incident Management Organization
Now, as we continue to talk about this organization for incident management, we know that a lot of what I just talked about has been all internal, internal members, employees, the management, the rest of it. The organization should also be working with outside groups. Now, again, remember, not everything is about information systems, but that’s kind of our big focus, I guess you could say. But, well, let me say it a different way. Let’s say that if you think of physical issues like fires, natural disasters, floods, those types of things, and you think about what it takes to be able to respond to that. Well, very seldom would I say that if it came with, let’s say, a flood coming into your organization, that your members are going to be there, capable of taking care of the flood situation.
So we’re going to have to say that, look, there are some outside groups that we should be in contact with as a part of our management. We ought to know what their capabilities are, because with things like civil service, with FEMA, with whoever’s going to respond to disasters, what are their capabilities, what can they help us with? Where are we on their list of what’s important to take care of first? Because that has got to be a part of your plan. If you know that you’re at the bottom of the list of who’s going to get sandbags, maybe you can find a way to try to look at supplying those yourselves. That’s of course if your business is located in a flood zone or something like that. If it’s physical theft, it would also have to deal with theft, whether it’s internal or external.
That means you’re probably going to get law enforcement involved and you need to know what their capabilities are going to be. So it is important that you have at least the idea of what the goal should be is what can be expected for doing this interagency type of response. Now, of course, there can be many other types of interagencies that I didn’t list here, certainly other agencies besides civil services or law enforcement that you’re going to have to deal with. It just, again, depends on what it is that you’re looking for as far as what’s most important, what you’re trying to protect and what you’re planning the events or hopefully planning on how to deal with the events that could affect those different assets within your company. Bye.