vPLfv

More documents

Recommendations

Info

3.4 Guide to Reading the Incident Management Process Maps....................42 3.4.1 Workflow Diagrams.....................................................................42 3.4.2 Workflow Descriptions.................................................................46 4 Incident Management Process Workflows and Descriptions ....................49 4.1 Overview ................................................................................................49 4.2 Incident Management .............................................................................50 4.2.1 PC: Prepare/Sustain/Improve Process (Prepare) ........................54 4.2.1.1 PC: Prepare/Sustain/Improve Workflow Diagram .........56 4.2.1.2 PC: Prepare/Sustain/Improve Workflow Description.....58 4.2.1.3 Handoff from Any Activity Inside or Outside CSIRT Process to PC: Prepare/Sustain/Improve .....................68 4.2.1.4 Handoff from PC: Prepare/Sustain/Improve to PI: Protect Infrastructure ................................................................72 4.2.2 PI: Protect Infrastructure Process (Protect) .................................76 4.2.2.1 PI: Protect Infrastructure Workflow Diagram.................80 4.2.2.2 PI: Protect Infrastructure Workflow Description.............82 4.2.2.3 Handoff from Any Activity Inside or Outside CSIRT Process to PI: Protect Infrastructure .............................86 4.2.2.4 Handoff from PI: Protect Infrastructure to D: Detect Events ..........................................................................90 4.2.3 D: Detect Events Process ...........................................................94 4.2.3.1 Reactive Detection .......................................................94 4.2.3.2 Proactive Detection ......................................................94 4.2.3.3 Detect Events Details ...................................................95 4.2.3.4 D: Detect Events Workflow Diagram.............................98 4.2.3.5 D: Detect Events Workflow Description ......................100 4.2.3.6 Handoff from Any Activity Inside or Outside of the Organization to D: Detect Events................................104 4.2.3.7 Handoff from D: Detect Events to T: Triage Events ....108 4.2.4 T: Triage Events (Triage) Process .............................................112 4.2.4.1 T: Triage Events Workflow Diagram ...........................116 4.2.4.2 T: Triage Events Workflow Description.......................118 4.2.4.3 Handoff from T: Triage Events to R: Respond ............122 4.2.5 R: Respond Process .................................................................128 4.2.5.1 Technical Response...................................................128 4.2.5.2 Management Response .............................................129 4.2.5.3 Legal Response .........................................................129 4.2.5.4 Coordination of Response Activities ...........................129 4.2.5.5 R: Respond Workflow Diagram ..................................132 4.2.5.6 R: Respond Workflow Description ..............................134 4.2.5.7 Handoff from R: Respond to PC: Prepare/Sustain/Improve............................................140 ii CMU/SEI-2004-TR-015
4.2.5.8 R1: Respond to Technical Issues Workflow Diagram...................................................... 144 4.2.5.9 R2: Respond to Management Issues Workflow Diagram...................................................... 148 4.2.5.10 R3: Respond to Legal Issues Workflow Diagram ....... 152 5 Future Work................................................................................................. 157 Bibliography ....................................................................................................... 161 Appendix A: Context for Each of the Process Workflows........................ A-1 Appendix B: Acronyms................................................................................ B-1 Appendix C: Glossary.................................................................................. C-1 Appendix D: One-Page Versions of the Process Workflow Diagrams ..... D-1 Incident Management Workflow Diagram ................................. D-2 PC: Prepare/Sustain/Improve Workflow Diagram ..................... D-3 PI: Protect Infrastructure Workflow Diagram............................. D-4 D: Detect Events Workflow Diagram......................................... D-5 T: Triage Events Workflow Diagram ......................................... D-6 R: Respond Workflow Diagram ................................................ D-7 R1: Respond to Technical Issues Workflow Diagram ............... D-8 R2: Respond to Management Issues Workflow Diagram.......... D-9 R3: Respond to Legal Issues Workflow Diagram.................... D-10 Appendix E: One-Page Versions of the Process Workflow Descriptions and Handoffs .......................................................................... E-1 PC: Prepare/Sustain/Improve ................................................... E-2 Handoff from Any Activity Inside or Outside CSIRT Process to PC: Prepare/Sustain/Improve.......................................................... E-7 Handoff from PC: Prepare/Sustain/Improve to PI: Protect Infrastructure ............................................................................ E-8 PI: Protect Infrastructure Workflow Description......................... E-9 Handoff from Any Activity Inside or Outside CSIRT Process to PI: Protect Infrastructure...............................................................E-11 Handoff from PI: Protect Infrastructure to D: Detect Events.....E-12 Detect Events Workflow Description........................................E-13 Handoff from Any Activity Inside or Outside of the Organization to D: Detect Events .....................................................................E-15 Handoff from D: Detect Events to T: Triage Events .................E-16 T: Triage Events Workflow Description....................................E-17 Handoff from T: Triage Events to R: Respond .........................E-19 Respond Process Workflow Description..................................E-21 Handoff from R: Respond to PC: Prepare/Sustain/ Improve ....E-24 CMU/SEI-2004-TR-015 iii
Page 1: Defining Incident Management Proces
Page 4 and 5: This report was prepared for the SE
Page 8 and 9: iv CMU/SEI-2004-TR-015
Page 10 and 11: vi CMU/SEI-2004-TR-015
Page 12 and 13: viii CMU/SEI-2004-TR-015
Page 14 and 15: of such benchmarking can help an or
Page 16 and 17: xii CMU/SEI-2004-TR-015
Page 18 and 19: • Pamela Curtis - for guiding us
Page 20 and 21: xvi CMU/SEI-2004-TR-015
Page 22 and 23: division level handle security even
Page 24 and 25: Figure 1: CSIRT Services Figure 2 i
Page 26 and 27: • the firewall manager, who puts
Page 28 and 29: 1.4 A Process Model for Incident Ma
Page 30 and 31: This report documents and defines t
Page 32 and 33: This report can also be a useful re
Page 34 and 35: e a brief description of the proces
Page 36 and 37: • integrate into the existing pro
Page 38 and 39: − reassign events to areas outsid
Page 40 and 41: Table 1 Review of Incident Manageme
Page 42 and 43: processes called Respond. These are
Page 44 and 45: quality information technology (IT)
Page 46 and 47: keep production systems running and
Page 48 and 49: Most of the workflow diagrams have
Page 50 and 51: • single points of failure You ca
Page 52 and 53: Table 2: Detect Events Workflow Exa
Page 54 and 55: 2.6 Getting Started Although this r
Page 56 and 57:
36 CMU/SEI-2004-TR-015
Page 58 and 59:
• make other improvements The ste
Page 60 and 61:
mation. Understanding interrelation
Page 62 and 63:
3.4 Guide to Reading the Incident M
Page 64 and 65:
Symbol Meaning Example Line initiat
Page 66 and 67:
If event is reassigned outside of i
Page 68 and 69:
Table 5: Information Category Missi
Page 70 and 71:
The rest of this section presents a
Page 72 and 73:
CSIRT process needs From any activi
Page 74 and 75:
4.2.1 PC: Prepare/Sustain/Improve P
Page 76 and 77:
4.2.1.1 PC: Prepare/Sustain/Improve
Page 78 and 79:
4.2.1.2 PC: Prepare/Sustain/Improve
Page 80 and 81:
Subprocess Subprocess Requirements
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
4.2.1.3 Handoff from Any Activity I
Page 90 and 91:
Table 7: Handoff from Any Activity
Page 92 and 93:
4.2.1.4 Handoff from PC: Prepare/Su
Page 94 and 95:
Table 8: Handoff from PC: Prepare/S
Page 96 and 97:
4.2.2 PI: Protect Infrastructure Pr
Page 98 and 99:
• Securing Networks Systematicall
Page 100 and 101:
4.2.2.1 PI: Protect Infrastructure
Page 102 and 103:
4.2.2.2 PI: Protect Infrastructure
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
4.2.2.4 Handoff from PI: Protect In
Page 112 and 113:
Table 11: Handoff from PI: Protect
Page 114 and 115:
4.2.3 D: Detect Events Process The
Page 116 and 117:
• CSIRT Services http://www.cert.
Page 118 and 119:
4.2.3.4 D: Detect Events Workflow D
Page 120 and 121:
4.2.3.5 D: Detect Events Workflow D
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
4.2.3.7 Handoff from D: Detect Even
Page 130 and 131:
Table 14: Handoff from D: Detect Ev
Page 132 and 133:
4.2.4 T: Triage Events (Triage) Pro
Page 134 and 135:
what format it should be passed. Th
Page 136 and 137:
4.2.4.1 T: Triage Events Workflow D
Page 138 and 139:
4.2.4.2 T: Triage Events Workflow D
Page 140 and 141:
Page 142 and 143:
4.2.4.3 Handoff from T: Triage Even
Page 144 and 145:
Table 16: Handoff from T: Triage Ev
Page 146 and 147:
Technology-to-Person Handoff Handof
Page 148 and 149:
4.2.5 R: Respond Process The Respon
Page 150 and 151:
cedures, and plans associated with
Page 152 and 153:
4.2.5.5 R: Respond Workflow Diagram
Page 154 and 155:
4.2.5.6 R: Respond Workflow Descrip
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
4.2.5.7 Handoff from R: Respond to
Page 162 and 163:
Table 18: Handoff from R: Respond t
Page 164 and 165:
4.2.5.8 R1: Respond to Technical Is
Page 166 and 167:
Technical information Technical res
Page 168 and 169:
4.2.5.9 R2: Respond to Management I
Page 170 and 171:
Management information Management r
Page 172 and 173:
4.2.5.10 R3: Respond to Legal Issue
Page 174 and 175:
External communication with others
Page 176 and 177:
156 CMU/SEI-2004-TR-015
Page 178 and 179:
• develop more user-friendly guid
Page 180 and 181:
160 CMU/SEI-2004-TR-015
Page 182 and 183:
[Jackson 97] [Johnson 92] [Killcrec
Page 184 and 185:
[Vermont 01] [West-Brown 03] State
Page 186 and 187:
Context for PC: Prepare/Sustain/Imp
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Subprocess D1. Notice Events (react
Page 194 and 195:
Context for T: Triage Applicable Ta
Page 196 and 197:
T3. Assign Events • Can assign ne
Page 198 and 199:
Context for R: Respond Outputs - De
Page 200 and 201:
Context for R: Respond Coordinate T
Page 202 and 203:
A-18 CMU/SEI-2004-TR-015
Page 204 and 205:
GAISP HTML IDMEF IDS IODEF ISAC ISP
Page 206 and 207:
B-4 CMU/SEI-2004-TR-015
Page 208 and 209:
est practice business drivers busin
Page 210 and 211:
decision support system establish e
Page 212 and 213:
organizational CSIRT development pr
Page 214 and 215:
vulnerability vulnerability assessm
Page 216 and 217:
Incident Management Workflow Diagra
Page 218 and 219:
PI Protect Infrastructure Workflow
Page 220 and 221:
T: Triage Events Workflow Diagram F
Page 222 and 223:
R1: Respond to Technical Issues Wor
Page 224 and 225:
R3: Respond to Legal Issues Workflo
Page 226 and 227:
PC: Prepare/Sustain/Improve Mission
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Handoff from PC: Prepare/Sustain/Im
Page 234 and 235:
Page 236 and 237:
Handoff from PI: Protect Infrastruc
Page 238 and 239:
Page 240 and 241:
Handoff from D: Detect Events to T:
Page 242 and 243:
Page 244 and 245:
Technology-to-Person Handoff Handof
Page 246 and 247:
Page 248 and 249:
Handoff from R: Respond to PC: Prep
show all

vPLfv

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?