search

Incident identification

hashtag
What defines an incident?

  • Event that requires a response

  • Should already be defined in policy

  • Usually adverse with negative impact

    • The real question is, how do we identify when they happen?

hashtag
Sources of incident notification

hashtag
End users

Most common source, but not always reliable. I.e., some events are just events and not incidents

hashtag
Log sources

SIEM solutions, IDS, firewalls, HIPS. Volume can be overwhelming

  • Machine learning, deep learning and AI will help

Notification from outside entities, such as law enforcement

hashtag
Things to look out for

Make sure the identification process is sufficient

  • Too loose and everything is an incident

  • Too tight and you miss critical events

hashtag
Allow room for identifying new incidents

Just because it's not defined doesn't mean it's not an incident

Some of the more devastating incidents are "new" ones

hashtag
Maintain scope and focus

Identifying the incident and move on to classification

  • Don't try to do containment at this stage!

hashtag
How incidents are detected

  • Law enforcement

  • Internal detection/DLP

  • Third-party consultants/vendors

  • Exfiltrated data disclosed (internet or dark web)

    • Worst-case scenario?

PreviousIncident Response assets inventory and identificationNextIncident Response classification levels

Last updated