SIEM for ITIL Incident Response - Part 2 - AlienVault

More documents

Recommendations

Info

83 - Defined“Processes Characterized for the Organization, and is Proactive”Security Monitoring is now aligned to the organization itself, alerts now trigger not only onpublicly-available technically-driven detection methods, but on deviations from knownbusiness processes and policies. Incident Handling work is tracked in a system customized totrack business-specific data alongside technical findings, integration with Asset Managementand Change Management to pull in data directly relevant to an incident is in place. Informationgathering procedures have become largely automated and workflow has evolved from a simpletracking systems towards a more pervasive Incident Management Platform. Metrics can beproduced by tying activities to business components and gap-analysis resourcing begins to bepossible.• Incident Response as an ongoing Quality Assurance process for InformationSecurity, Informed and integrated with Governance, Risk and Complianceprocesses.• Dedicated staffing across several levels of experience and seniority; manyrepeatable managed processes in place to allow junior staffing for predictable,repeatable actions.• Processes have a defined, multi-stage lifecycle with specific procedurerequirements for transitioning between these stages. Monitoring is constructedto correlate to business risks and the majority of all alerts are predictablyactionable.• Workflow tracking is in place to identify resource costs within specific areas ofthe incident handling process (either within the Incident Response team, or inrelation to particular business units), from actual data not perception.• Metrics have become more normalized to the overall business, and can beconsumed by other business units to support those metrics.• Intelligence data is consumed from external sources, and programmaticallymapped to workflow and alerting systems; broad scale definitions of Enterprisespecificthreat trends are possible to construct.Typical Configuration:Alerts constructed based on business-specific knowledge, not generalized technical vectors.SIEM is the main driver of alerting and correlation rule output fuels an incident managementworkflow system that supports collaboration and lifecycle stages, with some documentmanagement and knowledge bases, tied into asset and project management (very likely a retooledChange Management system). Not uncommon to find large amounts of automationscripting tying together functions missing from COTS solutions.
9Flow DiagramSecurityControlSecurityControlSecurityControlCriticalSystemCriticalSystemCriticalSystemSIEM may have someIncidentManagementTrackingLog AggregationLog CorrelationSIEM may have someAsset ManagementCapability/IntegrationAsset ManagementSIEMIncidentRecordsCorrelation RuleTuningPopulateIncidentRecordList of CorrelatedAlerts Prioritized ByAssetRoot Cause InvestigationRisk ManagementOrg ManagementChangeManagementConfigManagementIncident Response AnalystsRecord Resolutionin Incident RecordEscalate To RemediateIncident/Issue(Where these are available)
Page 2: 2ForewordIn the previous installati
Page 5 and 6: 5Flow DiagramWe’ve been Breached
Page 7: 7Flow DiagramSecurityControlSecurit
Page 11 and 12: 11Flow DiagramSecurityControlSecuri
Page 13 and 14: 13Flow DiagramSecurityControlSecuri
Page 15 and 16: 151 - INITIALBy definition, there c
Page 17 and 18: 173 - DEFINEDAt this stage, Inciden
Page 19 and 20: 195 - OPTIMIZINGFinally we arrive a

SIEM for ITIL Incident Response - Part 2 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?