Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents so that the system is restored to normal service operation as soon as possible and the incident does not recur. It involves not only responding to incidents, but also triggering alerts to head off potential risks and threats. The security administrator must identify software that is open to attack before someone takes advantage of its vulnerabilities.
Incident management includes the following:
– Vulnerability analysis
– Artifact analysis
– Security awareness training
– Intrusion detection
– Public or technology monitoring
The purpose of the incident management process:
– Reduces impact of incidents on business/organization
– Meets service availability requirements
– Increases staff efficiency and productivity
– Improves user/customer satisfaction
– Assists in handling future incidents
– Improves service quality
Conducting training sessions to spread awareness among users is an important part of incident management. They help end users recognize suspicious events or incidents more easily and report an attacker’s behavior to the appropriate authority.
The following people perform incident management activities:
1. Human resources personnel can take steps to dismiss employees suspected of harmful computer activities.
2. Legal counsel sets the rules and regulations in an organization. These rules can influence the organization’s internal security policies and practices in case an insider or an attacker uses the organization’s systems for harmful or malicious activities.
3. The firewall manager keeps filters in place where denial-of-service attacks occur frequently.
4. An outsourced service provider repairs systems infected by viruses and malware.
Incident response is one of the functions performed in incident handling. Incident handling is one of the services provided as part of incident management. The diagram in the slide illustrates the relationship between incident response, incident handling, and incident management.
Incident Management Process
Incident management is the process of logging, recording, and resolving incidents that take place in the organization. The incident may occur due to fault, service degradation, error, and so on. The users, technical staff, and/or event monitoring tools identify the incidents. The main objective of the incident management process is to restore the service to a normal state as quickly as possible for customers, while maintaining availability and quality of service.
Steps involved in the incident management process:
Preparation for Incident Handling and Response
At this step all actions are pre-planned and detailed guidelines are provided to employees. Policies and procedures are established so the organization is well equipped. The right people, with the appropriate skills, are trained and provided with tools to ensure effective response actions.
Detection and Analysis
In this step, security events are monitored and carefully analyzed using firewalls, intrusion detection and prevention systems, and similar tools. Detection and analysis of incidents includes identifying the signatures of an incident, analyzing those signatures, recording the incident, prioritizing the various incidents, and raising alerts for them.
Classification and Prioritization
Each incident is categorized and sub-categorized so that it can be handled securely, which saves a lot of time. Accurate categorization assigns the incident to the team with the knowledge and skills to handle the situation in real time. Depending on the impact of the incident, events are classified as low, medium, or high priority. Prioritization is based on severity, urgency, resource requirements, potential cost, and similar factors.
Notification
After the incident has been identified and classified, the appropriate people and teams are notified of the problem. People with suitable knowledge and training for the breach are engaged to assess the situation and perform the required actions at the right time. All the required people, including third parties, the ?O, the Head of Information Security, the Local Information Security Officer, and so on, are given regular status updates.
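As an added example (not from the original notes), the following Python sketches the detection, classification and prioritization steps above: constructed IDS alerts are folded into incident records, routed to an owning team by category, and ranked by a priority derived from asset criticality and how often the signature re-fires. The alert format, team names, and priority thresholds are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample IDS alerts (not from the notes): time|signature|source|asset|asset criticality
ALERTS = """\
2024-05-01T10:00:01|ET MALWARE Beacon|10.0.0.5|db-prod-01|high
2024-05-01T10:00:07|ET MALWARE Beacon|10.0.0.5|db-prod-01|high
2024-05-01T10:01:30|ET SCAN Port Sweep|198.51.100.7|web-dev-02|low
2024-05-01T10:02:45|ET MALWARE Beacon|10.0.0.5|db-prod-01|high
2024-05-01T10:03:10|ET POLICY Weak TLS|10.0.0.9|mail-01|medium
"""

# Category (second word of the signature) selects the owning team; team names are assumed.
CATEGORY_TEAM = {"MALWARE": "ir-team", "SCAN": "soc-tier1", "POLICY": "platform-team"}
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Incident:
    signature: str
    asset: str
    criticality: str
    first_seen: str
    last_seen: str = ""
    count: int = 0
    sources: set = field(default_factory=set)

    def team(self) -> str:
        return CATEGORY_TEAM.get(self.signature.split()[1], "soc-tier1")

    def priority(self) -> str:
        # Impact comes from asset criticality, urgency from how often the
        # signature re-fires; their product maps onto the low/medium/high scale.
        urgency = min(self.count, 3)
        score = LEVEL[self.criticality] * urgency
        return "high" if score >= 6 else "medium" if score >= 3 else "low"

def triage(raw: str) -> list[Incident]:
    """Fold repeated alerts on one (signature, asset) pair into a single incident record."""
    incidents: dict[tuple[str, str], Incident] = {}
    for line in raw.strip().splitlines():
        ts, sig, src, asset, crit = line.split("|")
        inc = incidents.setdefault((sig, asset), Incident(sig, asset, crit, first_seen=ts))
        inc.count += 1
        inc.last_seen = ts
        inc.sources.add(src)
    # Most severe first, so notification and containment start with the worst incident.
    return sorted(incidents.values(), key=lambda i: -LEVEL[i.priority()])

if __name__ == "__main__":
    for inc in triage(ALERTS):
        print(f"{inc.priority():6} {inc.team():13} {inc.signature} on {inc.asset} x{inc.count}")
```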
Containment
Containment is a crucial step in the incident management process that focuses on preventing additional damage. It includes planning strategies to avoid further loss while ensuring that no forensic evidence related to the incident is destroyed or tampered with.
Two important aspects need to be taken care of:
• Ensuring all the critical and essential computer resources are kept and protected at a
• Regular checks on infected systems are performed to establish their operational status.
Forensic Investigation
Forensic investigation is performed to find the root cause of the incident and establish exactly what happened to the information system. Past records are analyzed with various forensic tools to detect the source of the attack and identify the culprit. The whole process is well documented, since documentation is required by law enforcement in the case of external threats. System logs, real-time memory, network device logs, application logs, and all other supporting data are scanned and reviewed during the investigation.
Eradication and Recovery
The eradication and recovery step is the process of returning the system or network to its original state. It is carried out only after all internal and external actions are complete. The two important aspects of this step are cleanup and notification. Cleanup is performed using antivirus software, uninstalling infected software, reloading the operating system, and sometimes replacing the entire hard disk and rebuilding the network. All the professionals working with the incident response team are notified of the actions taken to recover the system or network.