The Battle Plan
The key to a solid threat detection and management program is to have a clear process map charted out highlighting roles and responsibilities.
For example, once you identify a use case for your SIEM, the next question is: what are the steps for a successful incident response?
The Intricacies Of A Good Process
Such a process must be documented and well understood by every team member who is part of your response strategy. It is also good practice to document the response steps within your use case documentation. A typical incident response cycle is outlined below.
Use cases should be considered part of the preparation for incidents, and identification will be part of the alerts created for that specific use case. The identification phase will typically lead to an investigation process that may already be documented in your use case, allowing your security analysts to know where to start and which steps to follow. Your use case should include containment steps, such as filtering access in your proxy or temporarily locking a user account in the domain. The more specific you are, the better the response will be.
You could use a separate plan that takes care of all of the steps following containment. For example, after containment is done, we usually follow up with eradication of the incident by removing the virus or the threat that generated the incident in the first place. In some cases, you should also outline the containment steps in the use case documents.
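As an added example (not code from the original post), a small Python check that flags a use-case record missing an owner or any of the response phases described above, so incomplete documentation is caught before the use case goes live; the field names and sample records are assumptions.

```python
"""Lint a SIEM use-case record for the response phases it should document."""
from __future__ import annotations
from dataclasses import dataclass, field

# Phases the text walks through after preparation (the use case itself):
# the alert (identification), then investigation, containment, eradication.
REQUIRED_PHASES = ("identification", "investigation", "containment", "eradication")


@dataclass
class UseCase:
    name: str
    owner: str                                   # role responsible for the response
    phases: dict[str, list[str]] = field(default_factory=dict)


def lint_use_case(uc: UseCase) -> list[str]:
    """Return a list of findings; an empty list means the record is complete."""
    findings: list[str] = []
    if not uc.owner.strip():
        findings.append("no owner assigned")
    for phase in REQUIRED_PHASES:
        # Blank strings do not count as documented steps.
        steps = [s for s in uc.phases.get(phase, []) if s.strip()]
        if not steps:
            findings.append(f"{phase}: no steps documented")
    return findings


# Constructed sample records (hypothetical, not from any real SIEM deployment).
GOOD = UseCase(
    name="Suspicious proxy destination",
    owner="SOC Tier 1",
    phases={
        "identification": ["Alert: outbound request to a domain on the threat-intel list"],
        "investigation": ["Pull proxy logs for the source host, last 24h",
                          "Check EDR for the process that opened the connection"],
        "containment": ["Block the destination in the proxy",
                        "Temporarily lock the user account in the domain"],
        "eradication": ["Run a full AV scan on the host; reimage if the threat persists"],
    },
)
INCOMPLETE = UseCase(
    name="Brute-force logon",
    owner="",
    phases={"identification": ["Alert: more than 20 failed logons in 5 minutes"]},
)

if __name__ == "__main__":
    for uc in (GOOD, INCOMPLETE):
        print(uc.name, "->", lint_use_case(uc) or "OK")
```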
There are eight more aspects to consider as you work towards implementing a foolproof SIEM system. Our SIEM Best Practices White Paper gives you a clear roadmap. We invite you to get in touch with us to learn how we can help maximize the return on investment of your security program.