SIEM for ITIL Incident Response - Part 2 - AlienVault

More documents

Recommendations

Info

14A Service Catalog Selection for Incident Response MaturityThe first step toward building an ITIL-Mature Incident Response program is to explicitly definea service catalog from which to build metrics and SLA's around.ITIL v3 in particular, now stressed the importance of the Service Catalog as the centerpoint fordeveloping process maturity around. The present state of information Security makes it adifficult stand to take in focusing on the desired outcome instead of the problems, since theproblems seem so insurmountable. Inevitably, for any organization born from emergency andfirefighting duties, the desire to succumb to explaining away the workload as “toocomplicated, too unpredictable” to be derived down into discrete service operations. As withall tasks of this sort though, starting with broad strokes, and then subdividing down proveseffective.In the following sections, we present a selection of possible Service Catalog offerings todevelop. As with many aspects of CMMI, not all of these are mandatory for each stage ofmaturity, and should be adapted to the requirements of the business they serve.DetectionThe core of Incident Response, and the portion most applicable to automation andcontinuous improvement. The scope of this function presents many opportunities foradditional value to deliver to the business however, and need not be constrained onlyto malicious interference.RemediationAlthough this function has much overlap with Security Operations and RiskManagement, Incident Response has a key place in coordinating effective remediationof discovered problems, advising on effective remediation procedures, validating thatchanges rectify the initial issue and being a point of coordination and exchangebetween business units tasked in remediation work.Metrics SupportIntelligenceA key point of difficulty in Information Security today; providing actionable, illustrativemetrics from Security Operations that can context value received in the scope of theglobal Theater. Security Monitoring has a unique visibility to Enterprise infrastructurethat presents great potential for adding value to the Enterprise by providing metricsdata to other business units they would otherwise lack visibility to. All metrics here areexternally-facing metrics to support other units within the information securityorganization or beyond.Finally, the combination of the three preceding service areas: Intelligence build fromobservable results of current and prior actions and events to advise and guide futuretasks
151 – INITIALBy definition, there can really be no service catalog at this stage of maturity, however we canat least list what the inferred services are, from which to use as a base to build out anevolving catalog from:Detection• Intrusion Detection1. Discovery of Scope of Intrusion2. Discovery of Vector of IntrusionRemediation• Disaster Recovery1. Restoration of Compromised Systems.• Business Continuity1. Remediation of Vector of IntrusionMetrics Support• NoneIntelligence• None
Page 2: 2ForewordIn the previous installati
Page 5 and 6: 5Flow DiagramWe’ve been Breached
Page 7 and 8: 7Flow DiagramSecurityControlSecurit
Page 9 and 10: 9Flow DiagramSecurityControlSecurit
Page 11 and 12: 11Flow DiagramSecurityControlSecuri
Page 13: 13Flow DiagramSecurityControlSecuri
Page 17 and 18: 173 - DEFINEDAt this stage, Inciden
Page 19 and 20: 195 - OPTIMIZINGFinally we arrive a

SIEM for ITIL Incident Response - Part 2 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?