The ultimate goal of an incident response program is not only to contain a single incident effectively, but to begin modeling the techniques of an attack. Incident response follows an approach that detects and enumerates the steps an attacker took to compromise a system.
The incident response team then uses this information to drive future incident response activities. In this model, a behavior that seemed benign before analysis can serve as a predictive indicator of a larger attack.
Building an incident response framework allows an organization to bring in vast quantities of enterprise and security data; build relationships among that data; and present it in a single, unified workflow. This workflow presents both the business and technical information in a single view. Analysts can spend much less time learning individual security control technologies and much more time analyzing, finding patterns, and making response decisions.
The key concepts of a successful incident response program are as follows:
- Act on what you can manage—execute on what you know how to respond to effectively.
- There is no boilerplate security policy that works for an organization all the time, outside of regulatory requirements. Remember—business processes define policy, not vice versa.
- Security monitoring is an essential and foundational aspect of any incident response program.