SIEM for ITIL Incident Response - Part 2 - AlienVault

More documents

Recommendations

Info

125 - Optimizing“Focus on Process Improvement”Incident Response begins the transition towards Exposure Response, as Exposures and Risksare mapped together from decision making workflows and Configuration Management SystemsUnderlying technologies in Incident Management become effectively transparent to analysts forall predictable tasks. Threat, Risk and Configuration data is processed into a just-in-timeworkflow of expedient discovery and remediation of security posture weaknesses.Incident Response evolves from a firefighting and garbage collection department struggling toavert disaster, into a real-time process and risk monitoring unit enabling process steering andcontinuous improvement.• Incident Response as business enabler and continuous corrective control, consumingvast amount of operational data from the enterprise, correlating it all into a continuousstream of remediation and advisory output to all business units, the IT Early WarningNetwork.• Teams now contain a wide range of skills and skill levels; more senior staff is lessconcerned with direct investigation than programmatically embedding their knowledgeinto the Incident Management Platform and addressing high-level patterns andrecommendations.• All Process and Procedure is embedded into and directly enabled by the SIEM andWorkflow platform.• Workflows contain almost all possibly relevant information presented inline, and handoffinterfaces to any external workflow systems necessary. The single-portal model.Technical Data,Risk and Business Operations information, External Intelligence, unifiedinto a single interface.• Metrics now directly supporting Enterprise Risk Management via large quantities ofhistorical correlative and causal measurements of previous results.• Incident Response finally becomes Active Security Intelligence, directly guiding theEnterprise away from Incidents via adaptive intel generation.Typical Configuration:A typical configuration likely does not exist at the time of writing: this stage of maturitydescribes a level of integration and capability of software platforms and data processing thathas not yet reached commercial availability.
13Flow DiagramSecurityControlSecurityControlSecurityControlCriticalSystemCriticalSystemCriticalSystemLog AggregationSIEM may have someAsset ManagementCapability/IntegrationPolicy ManagementLog CorrelationAsset ManagementSIEMCorrelation RuleTuningEvent Aggregation toIntelligent Case GroupingsIncident RecordsSecurity Events are no automatically grouped into viable IncidentRecords by mapping entities to business roles.Org ManagementSIEM Incident Management PlatformRecord Resolutionin Incident RecordExternal Escalation and Tracking isnow part of the same app workflowEscalate To RemediateIncident/IssueChangeManagementRoot Cause InvestigationIncidents are continually mapped back to Risk Management to providetrue Business Root Cause AnalysisIncidents Are mapped to Configuration Management Data to close thewindow of exposure caused by changes.Risk ManagementConfigManagementIncident Response AnalystsAnalysts Now perform theirrecording in the IncidentManagement App, largely withinpre-generated records
Page 2: 2ForewordIn the previous installati
Page 5 and 6: 5Flow DiagramWe’ve been Breached
Page 7 and 8: 7Flow DiagramSecurityControlSecurit
Page 9 and 10: 9Flow DiagramSecurityControlSecurit
Page 11: 11Flow DiagramSecurityControlSecuri
Page 15 and 16: 151 - INITIALBy definition, there c
Page 17 and 18: 173 - DEFINEDAt this stage, Inciden
Page 19 and 20: 195 - OPTIMIZINGFinally we arrive a

SIEM for ITIL Incident Response - Part 2 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?