Threat Intelligence

1. Security incident management is the process of identifying, managing, recording and analyzing security threats or incidents in real time.
2. It seeks to give a robust and comprehensive view of any security issues within an IT infrastructure.
3. A security incident can be anything from an active threat to an attempted intrusion to a successful compromise or data breach.
4. Policy violations and unauthorized access to data such as health, financial, social security numbers, and personally identifiable records are all examples of security incidents.

6.1. Security Incident Response Framework:
• It consists of four key elements:
  - Roles and Responsibilities
  - Incident Management Information
  - Incident Management Tools
  - Information Security Incident Management Policy
• The purpose of the framework is to ensure the availability of the resources required to resolve information security incidents quickly and effectively.
(Figure: Security Information Management Framework)
A number of standards are relevant to the implementation of security incident management, including the following:
• ISO 27002, Code of Practice for Information Security Controls:
  - Provides a comprehensive checklist of management practices for incident response.
• ISO 27035-1, Information Security Incident Management, Part 1:
  - Presents the basic concepts and phases of information security incident management.
  - Improves incident management.
  - Combines these concepts with principles in a structured approach for detecting, reporting, assessing, and responding to incidents and applying lessons learned.
• ISO 27035-2, Information Security Incident Management, Part 2: Guidelines to plan and prepare for incident response:
  - Describes how to plan and prepare for incident response.
  - Provides a very detailed discussion of what should go into an information security incident management plan.
• ITU-T X.1056, Security Incident Management Guidelines for Telecommunications Organizations:
  - Provides practical guidance on how to respond to incidents effectively and efficiently.
• NIST SP 800-61, Computer Security Incident Handling Guide:
  - Provides detailed guidance for planning, managing, and implementing an incident response plan.
• RFC 2350, Expectations for Computer Security Incident Response:
  - Describes issues and requirements for managing incident response.

6.2. Objectives of Incident Management:
• ISO 27035-1 lists the following as the objectives for security incident management:
  - Information security events are detected and dealt with efficiently, in particular deciding when they are to be classified as information security incidents.
  - Identified information security incidents are assessed and responded to in the most appropriate and efficient manner.
  - The adverse effects of information security incidents on the organization and its operations are minimized by appropriate controls as part of incident response.
  - A link is established with relevant elements from crisis management and business continuity management through an escalation process.
  - Information security vulnerabilities are assessed and dealt with appropriately to prevent or reduce incidents.
  - Lessons are learned quickly from information security incidents, vulnerabilities, and their management.
• This feedback mechanism increases the chances of preventing future information security incidents from occurring, improves the implementation and use of information security controls, and improves the overall information security incident management plan.
6.3. Relationship to Information Security Management System

(Figure: Security Incident Management in Relation to ISMS and Applied Controls)

• The above figure indicates the relationship between information security incident management and an information security management system (ISMS).
• The upper part of the figure, bounded by dashed lines, illustrates the relationships among objects in an information security incident.
• A threat causes a security event by exploiting a vulnerability; the vulnerability is what enables the threat to create the event.
• The event is potentially an incident that impacts information assets exposed by vulnerabilities and compromises (exposes to the threat) the operations supported by those information assets.
• In the upper part of the figure, the shaded objects are preexisting and are affected by the unshaded objects.
(Figure: Information Security Management System Element)
6.4. Incident Management Policy:
Essential to successful incident management is a policy covering the following topics:
• A specification of internal and external interested parties.
• An agreed-on definition of an incident and guidelines to identify a security incident.
• A definition of incident response/handling and its overall objectives and scope.
• A statement of management intent, supporting the goals and principles of incident response/handling.
• A brief explanation of the incident response/handling policies, principles, standards, and compliance (conformance) requirements that are of particular importance to the enterprise.
• A definition of general and specific responsibilities for incident response/handling, including handling of evidence and reporting.
• References to documentation that supports the policy, such as detailed incident response/handling, incident triage (sorting), and computer forensic policies and procedures.
• User awareness training pertaining to incident identification and reporting.
• Metrics for measuring the incident response capability and its effectiveness.

6.5. Incident Management Policy (continued):
• Identification of an incident and response (for example, quarantine, shutdown, containment):
  - Containment is a part of incident response.
  - Quarantine is a special isolated folder on a machine's hard disk where suspicious files detected by antivirus software are held.
• Acquisition of volatile and static data.
• Retention (keeping) and analysis of data.
• Remediation.
• Referral (redirection) to law enforcement.
• Handling of forensic data.
• Escalation of incidents.
• Reporting of findings.
• Definition of the learning process from incidents to upgrade systems and processes.

6.6. Roles and Responsibilities
1. The information security incident management framework defines the roles and responsibilities of the information security incident management team and others involved in responding to incidents:
• Detecting and reporting information security events.
• Assessing and responding to information security events and incidents and being involved in post-incident resolution activities:
  - learning;
  - improving information security;
  - improving the information security incident management plan itself.
• These activities are the responsibility of members of:
  - the point of contact team;
  - the incident response team, management, public relations personnel, and legal representatives.
• Reporting information security vulnerabilities and dealing with them.
2. Skills of a formal Information Security Incident Response Team (IRT):
• Understanding of known threats, attack signatures, and vulnerabilities.
• Understanding of the enterprise network, security infrastructure, and platforms.
• Experience in security response and/or troubleshooting techniques.
• Experience in forensic techniques and best practices.
• Understanding of regulations and laws as they pertain to privacy, disclosure, and evidentiary requirements.
• Understanding of systems, threats, vulnerabilities, and remediation methods in their area of business responsibility.
3. Part-time or liaison members of the IRT should be well versed in:
• Information technology
• Information security
• Corporate communications
• Human resources
• Legal
• Business unit management and technology specialists
• Corporate security (including physical security)

6.7. Incident Management Information:
1. The information security incident management framework is responsible for detailing the types of information needed to assist information security incident management.
2. Information types required for incident management, as suggested by Security Growth Partners (SGP):
• Contact details for relevant parties, such as business managers, technical experts (such as those in a security operations center [SOC] or equivalent), and external suppliers.
• Security-related event logs (for example, those produced by applications, systems, network devices, and security products).
• Details about affected business environments, such as processes, operations, and applications.
• Technical details, such as network diagrams, system configurations, and external network connections.
• Threat intelligence and the results of threat analysis.

6.8. Incident Management Tools
1. The information security incident management framework specifies the tools needed to assist information security incident management:
• Checklists.
• E-discovery software.
• Log analyzers.
• Incident tracking software.
• Forensic analysis software.
• Security information and event management (SIEM).
2. SIEM functions, as described by the Information Systems Audit and Control Association (ISACA) in Business Benefits and Security, Governance and Assurance Perspectives:
• Data collection: In a typical use case, a SIEM solution must be able to touch a number of different systems: firewalls, proxy servers, databases, intrusion detection and prevention systems, operating systems, routers, switches, access control systems, and so on. Some of these share similar logging and alert functions, but frequently there is significant variation in the format, protocol, and information provided.
• Data aggregation: The aggregator serves as a consolidating resource before data is sent to be correlated or retained.
• Data normalization: Normalization is the process of resolving different representations of the same types of data into a similar format in a common database.
• Correlation: Event correlation is the function of linking multiple security events or alerts, typically within a given time window and across multiple systems, to identify anomalous activity that is not evident from any single event.
• Alerting: When data that trigger certain responses (such as alerts or potential security problems) are gathered or identified, SIEM tools activate certain protocols to alert users, such as notifications sent to the dashboard, an automated email, or a text message.
• Reporting/compliance: Protocols in a SIEM are established to automatically collect the data necessary for compliance with company, organizational, and government policies. Both custom reporting and report templates (generally for common regulations such as the Payment Card Industry Data Security Standard [PCI DSS] and the U.S. Sarbanes-Oxley Act) are typically part of a SIEM solution.
• Forensics: The ability to search log and alert data for indicators of malicious or otherwise anomalous activities is the forensic function of the SIEM.
  - Forensics is supported by event correlation and normalization processes.
  - Forensics requires highly customizable and detailed query capabilities, drill-down access to raw log files, and archival data.
• These technologies greatly enhance the investigative capabilities of security analysts, just as data collection, aggregation, and correlation technologies enhance their ability to detect and respond to real-time events.
• Retention: Data need to be stored for long periods so that decisions can be made based on more complete data sets.
• Dashboards: They are used to analyze and visualize data in an attempt to recognize
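As an added example (not part of the slides), the normalization and correlation functions described above in Python: two constructed log formats, an auth log and a firewall CSV export, are mapped to one common schema, and a correlation rule flags a source address whose repeated failed logins across more than one host are followed by a success inside a time window. The sources, schema fields, sample lines and rule thresholds are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two different formats (an auth log and a
# firewall CSV export), standing in for the varied sources a SIEM collects.
RAW_LOGS = [
    ("auth", "2024-05-01T10:00:01 host=web01 user=alice result=FAIL src=203.0.113.5"),
    ("auth", "2024-05-01T10:00:05 host=web01 user=alice result=FAIL src=203.0.113.5"),
    ("fw",   "2024-05-01 10:00:07,203.0.113.5,10.0.0.12,22,DENY"),
    ("auth", "2024-05-01T10:00:09 host=db01 user=alice result=FAIL src=203.0.113.5"),
    ("auth", "2024-05-01T10:00:12 host=db01 user=alice result=OK src=203.0.113.5"),
    ("auth", "2024-05-01T11:30:00 host=web01 user=bob result=FAIL src=198.51.100.7"),
]

AUTH_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>\S+) src=(?P<src>\S+)")

def normalize(source, line):
    """Normalization: map one raw line into the schema {ts, host, src, user, action}; None if unparsable."""
    if source == "auth":
        m = AUTH_RE.match(line)
        if not m:
            return None
        d = m.groupdict()
        return {"ts": datetime.fromisoformat(d["ts"]), "host": d["host"], "src": d["src"],
                "user": d["user"], "action": "login_fail" if d["result"] == "FAIL" else "login_ok"}
    if source == "fw":
        ts, src, dst, _port, verdict = line.split(",")
        return {"ts": datetime.fromisoformat(ts), "host": dst, "src": src, "user": None,
                "action": "fw_deny" if verdict == "DENY" else "fw_allow"}
    return None  # unknown source type

def correlate(events, window=timedelta(seconds=30), threshold=3):
    """Correlation: per source address, flag a successful login preceded by at least
    `threshold` failures on two or more hosts within `window`; no single event is suspicious alone."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "login_ok":
                continue
            fails = [e for e in evs[:i] if e["action"] == "login_fail" and ev["ts"] - e["ts"] <= window]
            hosts = sorted({e["host"] for e in fails})
            if len(fails) >= threshold and len(hosts) >= 2:
                alerts.append({"ts": ev["ts"], "src": src, "user": ev["user"], "hosts": hosts})
    return alerts
```

Running `correlate([e for e in (normalize(s, l) for s, l in RAW_LOGS) if e])` on the sample yields one alert for 203.0.113.5 (user alice, hosts db01 and web01); bob's single failure produces none.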