Incident identification

What defines an incident?

  • Event that requires a response

  • Should already be defined in policy

  • Usually adverse with negative impact

    • The real question is, how do we identify when they happen?

Sources of incident notification

End users

Most common source, but not always reliable, i.e. some reported events are just events and not incidents

Log sources

SIEM solutions, IDS, firewalls, HIPS. Volume can be overwhelming

  • Machine learning, deep learning and AI will help

Notification from outside entities, such as law enforcement

Things to look out for

Make sure the identification process is sufficient

  • Too loose and everything is an incident

  • Too tight and you miss critical events

Allow room for identifying new incidents

Just because it's not defined doesn't mean it's not an incident

Some of the more devastating incidents are "new" ones
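As an added illustration of the two points above (a policy that is too loose or too tight, and leaving room for incidents the policy has not defined yet), not code from the original notes: a small policy-driven identification pass over a constructed event feed. Event fields, the severity scale, the category list and the thresholds are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str      # where the notification came from
    category: str    # incident category as named in policy
    severity: int    # 1 (informational) to 10 (critical); assumed scale
    confirmed: bool  # has anyone validated the report yet?

# Categories the (hypothetical) policy already defines.
KNOWN_CATEGORIES = {"auth_failure", "port_scan", "phishing_report", "malware", "data_exfil"}

# Constructed sample feed mixing routine noise with real incidents.
SAMPLE_EVENTS = [
    Event("siem", "auth_failure", 2, False),
    Event("ids", "port_scan", 3, False),
    Event("end_user", "phishing_report", 4, False),
    Event("end_user", "phishing_report", 4, True),
    Event("siem", "malware", 8, True),
    Event("siem", "firmware_tamper", 7, True),   # not in the policy's list
    Event("law_enforcement", "data_exfil", 9, True),
]

def identify_incidents(events, min_severity, require_confirmation,
                       trusted_sources=("law_enforcement",)):
    """Apply the policy and return the events it declares incidents.

    Outside notifications from trusted sources and events in a category the
    policy has never seen are always passed on to classification, so that an
    undefined incident type is not silently dropped by a tight threshold.
    """
    incidents = []
    for ev in events:
        if ev.source in trusted_sources or ev.category not in KNOWN_CATEGORIES:
            incidents.append(ev)
        elif ev.severity < min_severity:
            continue                      # below the response threshold
        elif require_confirmation and not ev.confirmed:
            continue                      # unvalidated report, still just an event
        else:
            incidents.append(ev)
    return incidents

def policy_outcome(events, min_severity, require_confirmation):
    """Summarise one policy setting: incidents declared, and how many
    confirmed critical events (severity >= 8) it failed to declare."""
    found = identify_incidents(events, min_severity, require_confirmation)
    critical = [e for e in events if e.severity >= 8 and e.confirmed]
    missed = [e for e in critical if e not in found]
    return {"declared": len(found), "missed_critical": len(missed)}

if __name__ == "__main__":
    for label, sev, conf in (("too loose", 1, False), ("too tight", 10, True), ("balanced", 4, True)):
        print(label, policy_outcome(SAMPLE_EVENTS, sev, conf))
```

The "too loose" setting declares every event an incident, the "too tight" one misses the confirmed malware event while still passing on the unknown category and the law-enforcement notification.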

Maintain scope and focus

Identify the incident and move on to classification

  • Don't try to do containment at this stage!

How incidents are detected

  • Law enforcement

  • Internal detection/DLP

  • Third-party consultants/vendors

  • Exfiltrated data disclosed (internet or dark web)

    • Worst-case scenario?
