As part of our SIEM Best Practices Series, today we look at how you can build an incident response plan with concrete actions, using curated use cases tailored to your company. For a more holistic view of managing your SIEM system, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.

The Battle Plan

The key to implementing any threat detection and management plan is a clear process map that lays out who reacts, how, and with what responsibilities, if and when the situation calls for it.

For example, once you identify a use case for your SIEM, the next question is, what are you going to do if an incident happens? What are the steps for a successful incident response?

The Intricacies Of A Good Process

Such a process must be documented and well understood by every team member who is part of your response strategy. It is also good practice to document the response steps within your use case documentation itself. A typical incident response cycle looks like this:

Use cases are part of the preparation for incidents, and identification happens through the alerts created for each specific use case. The identification phase typically leads to an investigation process that can already be documented in your use case, so your security analysts know where to start and which steps to follow. Your use case should also include containment steps, such as filtering access in your proxy or temporarily locking a user account in the domain. The more specific you are, the better the deployment will be.

For the steps that follow containment, you can rely on a separate plan that covers them. For example, once containment is done, we usually follow with eradication of the incident by removing the virus or the threat that generated the incident in the first place. In some cases, you should also outline the containment steps in the use case documents.
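As an added illustration (not code from the original post or from Advoqt), here is one way to capture a use case as a structured record so that its identification, investigation and containment steps are checked for completeness before the use case goes live, and flattened into the ordered runbook an analyst would follow. The sample use case, alert wording and system names are constructed.

```python
"""Use-case record tying a SIEM alert to documented response steps (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class UseCase:
    name: str
    alert_rule: str                                          # identification: what the SIEM alerts on
    investigation: list[str] = field(default_factory=list)   # where the analyst starts
    containment: list[dict] = field(default_factory=list)    # {"system": ..., "action": ...}
    eradication: list[str] = field(default_factory=list)     # optional: may live in a separate plan


def check_use_case(uc: UseCase) -> list[str]:
    """Return the gaps an IR lead would flag before the use case goes live."""
    gaps = []
    if not uc.alert_rule.strip():
        gaps.append("identification: no alert rule defined")
    if not uc.investigation:
        gaps.append("investigation: no starting steps for the analyst")
    if not uc.containment:
        gaps.append("containment: no steps defined")
    # A containment step must name the system it acts on and the concrete action,
    # so that an analyst can execute it without guessing (eradication stays optional).
    for i, step in enumerate(uc.containment):
        if not step.get("system") or not step.get("action"):
            gaps.append(f"containment: step {i} is missing 'system' or 'action'")
    return gaps


def runbook(uc: UseCase) -> list[tuple[str, str]]:
    """Flatten the use case into the ordered (phase, step) list an analyst follows."""
    steps = [("identification", f"alert fired: {uc.alert_rule}")]
    steps += [("investigation", s) for s in uc.investigation]
    steps += [("containment", f"{s['system']}: {s['action']}") for s in uc.containment]
    steps += [("eradication", s) for s in uc.eradication]
    return steps


# Constructed sample use case, modelled on the proxy-filter / account-lock actions above.
PHISHING_CLICK = UseCase(
    name="User clicked a phishing link",
    alert_rule="proxy log: workstation request to a domain on the phishing feed",
    investigation=["Pull proxy entries for the source host over the last 24 hours",
                   "Check the mail gateway for the message that carried the link"],
    containment=[{"system": "proxy", "action": "block the destination domain"},
                 {"system": "domain", "action": "temporarily lock the user account"}],
)
# Constructed draft that should fail the check: no investigation steps, vague containment.
INCOMPLETE = UseCase(name="Draft", alert_rule="EDR: new service installed",
                     containment=[{"system": "endpoint"}])   # 'action' missing
```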

Such an alignment is an ongoing process that will pay off in the medium and long term. But we are just scratching the surface: there are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system. That is why we recently released our SIEM Best Practices White Paper to help you set up or revise your SIEM system. Click here to access your free copy.

Solutions for a fast-paced, large enterprise may need tailored consultation and adaptation beyond what a white paper can convey. We invite you to get in touch with us to learn how we can help maximize the benefits of your security efforts.