Security Incident Management
Detecting security events quickly is one of the most important aspects of network
security for most companies. Without a full-spectrum overview of all cyber activity, it
can be nearly impossible to coordinate defences and take down threats on the spot.
Companies can implement a security incident management plan to effectively handle
these types of security events if they should arise.
Once the incident response team is in place, the security incident management plan
helps to guide the team to correctly detect security incidents and provide a technical
response to address the problems promptly.
Security incident management plans also take into account other departments to
work in conjunction with the technical teams to ensure a coordinated effort is made
to tackle the service or legal-related issues that may arise during an attack.
The first step is usually a full investigation of an anomalous system or of an
irregularity in system, data, or user behaviour.
For example, a security incident management team may identify a server that is
operating more slowly than normal.
From there the team will assess the issue to determine whether the behaviour is the
result of a security incident. If that proves to be the case, then the incident will be
analysed further; information is collected and documented to figure out the scope of
the incident and steps required for resolution, and a detailed report is written of the
security incident.
If needed, law enforcement may be involved. If the incident involves exposure or
theft of sensitive customer records, then a public announcement may be made with
the involvement of executive management and a public relations team.
Be Proactive
Being proactive and getting your security incident management plan on paper
ensures that you’re one step closer to complying with the pertinent regulatory bodies
and fulfilling your contractual requirements.
Being proactive by configuring the necessary security controls lets your organization
demonstrate due diligence to regulators, auditors, and customers with respect to
compliance.
A further preventative measure is to make incident response proactive by conducting
regular threat hunting exercises that look for incidents already occurring within your
environment, rather than waiting for an alert.
Preventative measures are worthless if your team does not have the right training,
skills, or knowledge of incident response best practices.
Once your team is fully trained and understands the nuances of your security incident
management plan, it’s time to appoint a team leader who will have overall
responsibility for responding to the incident.
This person will essentially be the liaison between the incident response team and
management as well as the person carrying out the plan so make sure to choose this
individual wisely and give them the tools to quickly and effectively communicate and
respond if/when the time comes.
A recent survey found that 22 percent of organizations (more than one in five) said
they have limited resources to respond to a security incident.
Detection of potential security incidents may call for your team to monitor firewalls,
intrusion prevention systems, and data loss prevention systems through a SIEM solution
that correlates their events. Once an incident is detected, your team can create an
incident ticket and document their initial findings. From there, a team member is
assigned to classify the incident's severity so that it can be escalated for regulatory
reporting where required.
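The detection-to-ticket step described above, as an added example that is not from the original article: it correlates constructed firewall, IPS and DLP events per host the way a simple SIEM rule would, records initial findings, assigns a classification, and flags whether the incident needs regulatory reporting. The log format, signature names, hosts and addresses are all constructed for the example, and the external addresses each host contacted are kept on the record for later containment.

```python
"""Added example: minimal SIEM-style correlation of firewall, IPS and DLP
events into incident records with an initial classification.
Log lines, hosts, addresses and policy names are constructed, not real data."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events in a simplified key=value normalised format.
SAMPLE_EVENTS = """\
ts=2024-03-01T09:12:03Z src=ips host=10.0.5.21 sig=EXPLOIT_WEBSHELL_UPLOAD sev=high
ts=2024-03-01T09:12:40Z src=fw host=10.0.5.21 dst=203.0.113.9 dport=443 action=allow bytes=812
ts=2024-03-01T09:14:10Z src=dlp host=10.0.5.21 dst=203.0.113.9 policy=CUSTOMER_PII records=4200 action=alert
ts=2024-03-01T09:20:00Z src=fw host=10.0.5.40 dst=198.51.100.7 dport=22 action=deny bytes=0
ts=2024-03-01T09:21:00Z src=ips host=10.0.5.40 sig=SCAN_NMAP sev=low
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse each non-empty key=value line into a dict."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


@dataclass
class Incident:
    host: str
    findings: list = field(default_factory=list)   # initial findings for the ticket
    contacted: set = field(default_factory=set)    # external addresses seen
    classification: str = "informational"
    regulatory_reporting: bool = False


def triage(events):
    """Group events by host and open one incident record per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    incidents = {}
    for host, evs in by_host.items():
        inc = Incident(host=host)
        ips_high = [e for e in evs if e["src"] == "ips" and e.get("sev") == "high"]
        dlp_hits = [e for e in evs if e["src"] == "dlp" and e.get("action") == "alert"]
        for e in evs:
            # Record every outbound destination, allowed or alerted, for containment.
            if "dst" in e and e.get("action") in ("allow", "alert"):
                inc.contacted.add(e["dst"])
        for e in ips_high:
            inc.findings.append(f"{e['ts']} IPS {e['sig']}")
        for e in dlp_hits:
            inc.findings.append(
                f"{e['ts']} DLP {e['policy']} {e['records']} records to {e['dst']}")

        # Classification rule: exploit followed by a DLP alert on the same host
        # is treated as confirmed exposure; PII policies require reporting.
        if ips_high and dlp_hits:
            inc.classification = "confirmed data exposure"
            inc.regulatory_reporting = any("PII" in e["policy"] for e in dlp_hits)
        elif ips_high:
            inc.classification = "suspected intrusion"
        elif dlp_hits:
            inc.classification = "possible data leak"
        incidents[host] = inc
    return incidents


if __name__ == "__main__":
    for host, inc in triage(parse_events(SAMPLE_EVENTS)).items():
        print(host, inc.classification, "report:", inc.regulatory_reporting)
        for line in inc.findings:
            print("   ", line)
```

The rule deliberately keeps a host with only a denied connection and a low-severity scan signature at "informational" so that the ticket queue is not flooded; in a real SIEM the same logic would be expressed as a correlation rule with a time window rather than a per-host grouping.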
Once your team has identified the cause of the breach, they should make sure that
it's contained or can be contained quickly. If file integrity monitoring shows that
files are being altered, use it (together with an anti-malware scan) to determine
exactly which files have been changed, added, or removed, and work towards remediating
the incident. Following remediation, the details of the incident should be logged for
audit-related purposes.
Assess the Damage via Analytics
It's time to review the accumulated data to understand whether the incident was driven
by a successful external attacker or a malicious insider. The data will reveal how severe
the incident was and how well your team responded to that threat level.
Depending on how comprehensive your investigation is, you may be able to determine
whether the attacker performed a web application layer intrusion, a SQL injection
attack, or even hijacked a web server to take control of your critical backend systems.
Once every artefact tied to the identified indicators of compromise has been removed,
perform a coordinated shutdown and clean restart of the affected devices. Your next
step is to install all pertinent security patches that close the vulnerabilities the
attacker used. If you find that specific accounts have been compromised (especially
ones with administrator access), reset their passwords and also revoke any active
sessions, API keys, and tokens tied to them, since a password change alone does not
invalidate credentials the attacker already holds.
If you have identified an IP address that the threat actor used to carry out the
attack, issue threat mitigation requests to block communication with that address on
all perimeter devices, both ingress and egress. Treat this as a short-term measure:
attackers change infrastructure quickly, so the block should be reviewed alongside
the other indicators rather than relied on by itself.
Post-Incident Activity
After using the intelligence gathered during the incident to update your security
incident management plan, bolster those efforts by monitoring activity post-incident
(threat actors often hit the same target multiple times). If any data was stolen during
the incident, notify the affected parties promptly and within the timelines set by the
relevant regulatory bodies.
Make sure you properly document all information that may be of use to combat
future incidents.
A security incident management plan isn’t the end-all solution to handle your cyber
threats; it’s merely a guide that will keep you more organized and consistent with
your incident response efforts.
If the cause of the incident stemmed from your systems being out of date, it is in your
best interest to patch server vulnerabilities quickly. If the incident got out of hand
because of the quality of your team's response, prioritize training; if it began with a
phished user, train employees on how to recognize phishing; and if it involved an
insider, roll out technologies to better monitor insider threats.