Threat Intelligence

6 Security Incident Management Framework


1. Security incident management is the process of identifying, managing, recording and
analyzing security threats or incidents in real time.
2. It seeks to give a robust and comprehensive view of any security issues within an
IT infrastructure.
3. A security incident can be anything from an active threat to an attempted intrusion to a
successful compromise or data breach.
4. Policy violations and unauthorized access to data such as health, financial, social
security numbers, and personally identifiable records are all examples of security
incidents.
6.1. Security Incident Response Framework:
• It consists of four key elements:
- Roles and Responsibilities
- Incident Management Information
- Incident Management Tools
- Information Security Incident Management Policy
• The purpose of the framework is to ensure the availability of resources that are required
to help resolve information security incidents quickly and effectively.

Security Information Management Framework (figure)

A number of standards are relevant to the implementation of security incident
management, including the following:
• ISO 27002, Code of Practice for Information Security Controls:
- Provides a comprehensive checklist of management practices for incident response.
• ISO 27035-1, Information Security Incident Management—Part 1:
- It presents the basic concepts and phases of information security incident management.
- It improves incident management.
- It combines these concepts with principles in a structured approach for detecting,
reporting, assessing, and responding to incidents and applying lessons learned.
• ISO 27035-2, Information Security Incident Management—Part 2: Guidelines to plan and
prepare for incident response:
- It describes how to plan and prepare for incident response.
- It provides a very detailed discussion of what should go into an information
security incident management plan.
• ITU-T X.1056, Security Incident Management Guidelines for Telecommunications
Organizations:
- It provides practical guidance on how to respond to incidents effectively and
efficiently.
• NIST SP 800-61, Computer Security Incident Handling Guide:
- It provides detailed guidance for planning, managing, and implementing
an incident response plan.
• RFC 2350, Expectations for Computer Security Incident Response:
- It describes issues and requirements for managing incident response.
6.2. Objectives of Incident Management:
• ISO 27035-1 lists the following as the objectives for security incident management:
- Information security events are detected and dealt with efficiently, in particular
deciding when they are to be classified as information security incidents.
- Identified information security incidents are assessed and responded to in the most
appropriate and efficient manner.
- The adverse effects of information security incidents on the organization and its
operations are minimized by appropriate controls as part of incident response.
- A link is established with relevant elements from crisis management and business
continuity management through an escalation process.
- Information security vulnerabilities are assessed and dealt with appropriately to prevent or
reduce incidents.
- Lessons are learned quickly from information security incidents, vulnerabilities, and their
management.
• This feedback mechanism increases the chances of preventing future
information security incidents from occurring, improves the implementation and use of
information security controls, and improves the overall information security incident
management plan.

6.3. Relationship to Information Security Management System

Security Incident Management in Relation to ISMS and Applied Controls (figure)

• The above figure indicates the relationship between information security incident
management and an information security management system (ISMS).
• The upper part of the figure, bounded by dashed lines, illustrates the relationships
among the objects in an information security incident.
• A threat exploits a vulnerability, and that exploitation causes a security event.
• The event is potentially an incident that impacts the information assets exposed
by vulnerabilities and compromises the operations supported by those information assets
(that is, it exposes the operations to the threat).
• In the upper part of the figure, the shaded objects are preexisting and are affected by
the unshaded objects.

Information Security Management System Element (figure)

6.4. Incident Management Policy:
An incident management policy is essential to successful incident management and should
include the following topics:
• A specification of internal and external interested parties.
• An agreed-on definition of an incident and guidelines to identify a security incident.
• A definition of incident response/handling and its overall objectives and scope.
• A statement of management intent, supporting the goals and principles of incident
response/handling.
• A brief explanation of the incident response/handling policies, principles, standards, and
compliance (compatibility) requirements that are of particular importance to the
enterprise.
• A definition of general and specific responsibilities for incident response/handling, including
handling of evidence and reporting.
• References to documentation that supports the policy, such as detailed incident
response/handling, incident triage (sorting), and computer forensic policies and procedures.
• User awareness training pertaining to incident identification and reporting.
• Metrics for measuring the incident response capability and its effectiveness.
6.5. Incident Management Policy:
The policy should also cover:
• Identification of an incident and response (for example, quarantine).
- Shutdown/containment: containment is a part of incident response.
- Quarantine is a special isolated folder on a machine's hard disk where suspicious
files detected by antivirus software are kept.
• Acquisition of volatile and static data.
• Retention (keeping) and analysis of data.
• Remediation.
• Referral (redirect) to law enforcement.
• Handling of forensic data.
• Escalation of incidents.
• Reporting of findings.
• Definition of the learning process from incidents to upgrade systems and processes.
6.6. Roles and Responsibilities
1. The information security incident management framework defines the roles and
responsibilities of the information security incident management team and others
involved in responding to incidents:
• Detecting and reporting information security events.
• Assessing and responding to information security events and incidents, and being
involved in post-incident resolution activities:
- learning.
- improving information security.
- improving the information security incident management plan itself.
• These activities are the responsibility of members of:
- the point of contact team.
- the incident response team, management, public relations personnel, and legal
representatives.
• Reporting information security vulnerabilities and dealing with them.
2. Skills of a formal Information Security Incident Response Team (IRT):
• Understanding of known threats, attack signatures, and vulnerabilities.
• Understanding of the enterprise network, security infrastructure, and platforms.
• Experience in security response and/or troubleshooting techniques.
• Experience in forensic techniques and best practices.
• Understanding of regulations and laws as they pertain to privacy and disclosure and evidentiary requirements.
• Understanding of systems, threats, vulnerabilities, and remediation methods in their area of business responsibility.
3. Part-time or liaison members of the IRT should be well versed in:
• Information technology
• Information security
• Corporate communications
• Human resources
• Legal
• Business unit management and technology specialists
• Corporate security (including physical security)
6.7. Incident Management Information:
1. The information security incident management framework is responsible for detailing
the types of information needed to assist information security incident management.
2. Information types required for incident management as suggested by Security
Growth Partners (SGP):
• Contact details for relevant parties, such as business managers, technical experts (such
as those in a security operations center [SOC] or equivalent), and external suppliers.
• Security-related event logs (for example, those produced by applications, systems,
network devices, and security products).
• Details about affected business environments, such as processes, operations, and
applications.
• Technical details, such as network diagrams, system configurations, and external
network connections.
• Threat intelligence and the results of threat analysis.
6.8. Incident Management Tools
1. The information security incident management framework specifies the tools needed
to assist information security incident management:
• Checklists.
• E-discovery software.
• Log analyzers.
• Incident tracking software.
• Forensic analysis software.
• Security information and event management (SIEM).
• Information Systems Audit and Control Association (ISACA).
2. SIEM functions (Business Benefits and Security, Governance and Assurance Perspectives):
• Data collection: In a typical use case, a SIEM solution must be able to touch a number
of different systems: firewalls, proxy servers, databases, intrusion detection and
prevention systems, operating systems, routers, switches, access control systems, and
so on. Some of these share similar logging and alert functions, but frequently there is
significant variation in the format, protocol, and information provided.
• Data aggregation: The aggregator serves as a consolidating resource before data is
sent to be correlated or retained.
• Data normalization: Normalization is the process of resolving different representations
of the same types of data into a similar format in a common database.
• Correlation: Event correlation is the function of linking multiple security events or
alerts, typically within a given time window and across multiple systems, to identify
anomalous activity that is not evident from any single event.
• Alerting: When data that trigger certain responses (such as alerts or potential security
problems) are gathered or identified, SIEM tools activate certain protocols to alert
users, such as notifications sent to the dashboard, an automated email, or a text message.
• Reporting/compliance: Protocols in a SIEM are established to automatically collect
data necessary for compliance with company, organizational, and government policies.
Both custom reporting and report templates (generally for common regulations such as
the Payment Card Industry Data Security Standard [PCI DSS] and the U.S. Sarbanes-Oxley
Act) are typically part of a SIEM solution.
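As an added example (not code from the slides or from any SIEM product), a small Python pipeline showing the normalization, correlation and alerting stages just described on constructed firewall and sshd log lines: two log formats are resolved into one schema, events are linked by source address across hosts inside a time window, and only the cross-system view produces the alert. Host names, addresses, the rule name and the threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RAW_LOGS = [  # constructed sample lines, not real logs: firewall key=value form and sshd syslog form
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "May  1 10:00:05 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "May  1 10:00:09 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2024-05-01T10:00:12Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=22",
    "May  1 10:00:20 db01 sshd[301]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "May  1 10:00:31 db01 sshd[301]: Accepted password for admin from 203.0.113.7 port 51003 ssh2",
    "May  1 10:30:00 web01 sshd[900]: Failed password for guest from 198.51.100.9 port 40000 ssh2",
]
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=\d+$")
SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(line, year=2024):
    """Resolve one raw line into the common schema; the raw line is kept for forensic drill-down."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": m.group(2), "src": m.group(4), "user": None,
                "action": "fw_" + m.group(3).lower(), "raw": line}
    m = SSH_RE.match(line)
    if m:  # syslog timestamps carry no year, so one is assumed here
        ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "src": m.group(5), "user": m.group(4),
                "action": "auth_success" if m.group(3) == "Accepted" else "auth_failure", "raw": line}
    return None  # unknown format: a real SIEM would route this to a parse-failure queue

def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Rule: a successful login preceded within `window` by >= `threshold` failures or
    firewall denies from the same source that touched two or more hosts."""
    by_src, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "auth_success":
                continue
            prior = [e for e in evs[:i] if e["ts"] >= ev["ts"] - window
                     and e["action"] in ("auth_failure", "fw_deny")]
            if len(prior) >= threshold and len({e["host"] for e in prior}) >= 2:
                alerts.append({"rule": "success_after_spray", "src": src, "host": ev["host"],
                               "user": ev["user"], "evidence": [e["raw"] for e in prior + [ev]]})
    return alerts

def run(lines=RAW_LOGS):
    """Collection -> normalization -> correlation; returns the alerts handed to the alerting stage."""
    return correlate([e for e in map(normalize, lines) if e])
```

Each alert carries the raw lines that produced it, which is the drill-down access to source logs that the forensic function of a SIEM depends on.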
• Forensics: The ability to search log and alert data for indicators of malicious or
otherwise anomalous activities is the forensic function of the SIEM.
• Forensics is supported by:
- event correlation.
- normalization processes.
• Forensics requires:
- highly customizable and detailed query capabilities.
- drill-down access to raw log files.
- archival data.
• These technologies greatly enhance the investigative capabilities of security analysts, just
as data collection, aggregation, and correlation technologies enhance their ability to
detect and respond to real-time events.
• Retention: Data need to be stored for long periods so that decisions can be made based
on more complete data sets.
• Dashboards: They are used to analyze and visualize data in an attempt to recognize