Incident Response
Question One
An incident response process is a set of procedures and practices for identifying, evaluating and responding to potential security events. Its objective is to minimize the impact of an incident and to enable swift recovery. Two primary efforts belong in any incident response program: prioritizing assets and understanding the baseline (Ahmad, Hadgkiss, & Ruighaver, 2012). Establishing the baseline means identifying the network segments and information sets whose compromise would harm the business and ensuring that they are safeguarded. Inventorying top-tier assets and applications, and communicating and collaborating with staff and management, keeps the organization ahead of emerging challenges. Vulnerability analysis, application performance monitoring, and NetFlow tools should be used to identify anomalous behavior (Werlinger, Muldner, Hawkey, & Beznosov, 2010). A further effort that belongs in incident response is building situational awareness and pursuing threat intelligence. Integrating these components ensures that team members follow a systematic structure when dealing with an incident.
Question Two
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) play an essential role in the incident response process because they identify, and in the case of IPS block, threats before they harm the organization. An IDS monitors network traffic or host activity and detects attempts by unauthorized parties to access or manipulate the firm's systems (Liao et al., 2013). It works by inspecting and logging events to the company's security monitoring system and generating an alert that prompts a response. Most commonly, an IDS checks observed activity against a set of known threat signatures, which may be maintained on a central server; anomaly-based detection, which flags deviations from a learned baseline, is the main alternative. The IDS therefore assists in event notification and triage by raising an alert when a threat is detected. An IPS is an IDS deployed inline that stops a detected attack itself or works with a peripheral device such as a firewall to block the intrusion (Patel, Qassim, & Wills, 2010). These systems apply real-time countermeasures that prevent penetration once an attack is recognized; like any signature-based control, they cannot act on an attack for which they hold no signature.
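The following is an added illustration, not code from the paper or from any IDS product, of the signature-matching loop described above and of the one behavioral difference between IDS and IPS: the same rule set produces alerts only in IDS mode, but yields a "drop" verdict in IPS mode. The sample flows, rule identifiers and patterns are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample traffic: (src_ip, dst_port, payload) tuples standing in
# for reassembled TCP stream contents. These are made-up inputs, not captures.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"),
    ("10.0.0.9", 80, "GET /login.php?user=admin' OR '1'='1 HTTP/1.1\r\n"),
    ("10.0.0.9", 80, "GET /../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.7", 22, "SSH-2.0-OpenSSH_8.9\r\n"),
]


@dataclass(frozen=True)
class Rule:
    sid: int                 # rule identifier (hypothetical numbering)
    msg: str                 # alert message
    dst_port: Optional[int]  # None matches any destination port
    pattern: re.Pattern      # payload content the rule looks for
    action: str              # "alert" (log only) or "drop" (block in IPS mode)


# Hypothetical rules; real rule sets are far larger and tuned per environment.
RULES = [
    Rule(1001, "SQL injection attempt", 80,
         re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE), "drop"),
    Rule(1002, "Directory traversal attempt", 80,
         re.compile(r"\.\./\.\./"), "drop"),
    Rule(1003, "SSH banner seen", 22,
         re.compile(r"^SSH-2\.0"), "alert"),
]


@dataclass(frozen=True)
class Event:
    sid: int
    msg: str
    src_ip: str
    action: str


def inspect(src_ip: str, dst_port: int, payload: str,
            rules: List[Rule], mode: str = "ids") -> Tuple[str, List[Event]]:
    """Match one payload against every rule.

    In "ids" mode every match is recorded as an alert and the flow passes.
    In "ips" mode a matching rule whose action is "drop" also turns the
    verdict into "drop", telling the inline enforcement point to block it.
    A payload that matches no signature passes in both modes: signature
    detection cannot act on attacks it has no pattern for.
    """
    events: List[Event] = []
    verdict = "pass"
    for rule in rules:
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.pattern.search(payload):
            action = rule.action if mode == "ips" else "alert"
            events.append(Event(rule.sid, rule.msg, src_ip, action))
            if action == "drop":
                verdict = "drop"
    return verdict, events


def run(traffic, rules: List[Rule], mode: str = "ids"):
    """Inspect each flow and return a (verdict, events) pair per flow."""
    return [inspect(src, port, data, rules, mode) for src, port, data in traffic]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(f"--- {mode.upper()} mode ---")
        for (src, port, _), (verdict, events) in zip(SAMPLE_TRAFFIC,
                                                     run(SAMPLE_TRAFFIC, RULES, mode)):
            print(src, port, verdict, [(e.sid, e.action) for e in events])
```

Run in IDS mode, the two malicious HTTP requests and the SSH banner each produce an alert and every flow passes; in IPS mode the two "drop" rules change the verdict for the malicious requests while the SSH banner is still only alerted on.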
Question Three
The National Institute of Standards and Technology (NIST) published NIST SP 800-61, Rev. 1, the Computer Security Incident Handling Guide, to help organizations handle computer security incidents effectively. Incident response capabilities require adequate planning and resources given the complexity of the threats involved. The NIST guideline defines an incident response life cycle of four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity (Johnson et al., 2016). Through these phases it is possible to detect and classify incidents and to follow defined handling procedures to resolve them. NIST SP 800-61, Rev. 1 builds this capability through policies and procedures, documentation, monitoring, communication and mitigation tools, and an incident response team. The guide calls for correlation and analysis of events so that indicators that might otherwise have been overlooked are found (Souppaya & Scarfone, 2013). Furthermore, it establishes criteria for selecting a containment strategy, including the potential damage to and theft of resources, the need for evidence preservation, service availability, the time and resources needed to implement the strategy, its effectiveness, and the duration of the solution.
Question Four
Log management systems are essential components of any organization because they ensure that events from across the network are collected, queried, and evaluated for signs of impending risk. Such a system can also help identify the causative factors behind a threat (Bhatt, Manadhata, & Zomlot, 2014). For instance, records tied to a user identity can be evaluated to determine the source of an attack. Splunk Inc. developed Splunk, a platform that searches, monitors, and analyzes large volumes of machine-generated data through a Web-style interface (Carasso, 2012). Real-time data is indexed into a searchable repository, from which information can be presented as graphs and visualizations, and each event carries the timestamp and the IP address or name of the host that produced it. Splunk is useful in the incident response process because it can provide details about the source of an attack and the sequence of events that made it up.
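As an added example that is not part of the paper and not Splunk's own code, the script below performs the kind of identity-tied correlation described above over a handful of constructed sshd authentication records: it parses the lines, counts failures per (user, source IP) pair, and flags a successful login that follows a burst of failures from the same source within a short window. The log lines, the index name in the commented Splunk search, and the threshold and window values are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed syslog-style authentication records (made up for this example).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.7 port 51000
2024-03-01T09:00:03Z host1 sshd: Failed password for alice from 203.0.113.7 port 51002
2024-03-01T09:00:04Z host1 sshd: Failed password for alice from 203.0.113.7 port 51003
2024-03-01T09:00:06Z host1 sshd: Failed password for alice from 203.0.113.7 port 51005
2024-03-01T09:00:09Z host1 sshd: Failed password for alice from 203.0.113.7 port 51007
2024-03-01T09:00:12Z host1 sshd: Accepted password for alice from 203.0.113.7 port 51009
2024-03-01T09:05:00Z host1 sshd: Failed password for bob from 198.51.100.4 port 40000
2024-03-01T09:30:00Z host1 sshd: Accepted password for bob from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)$"
)


def parse(text: str) -> List[dict]:
    """Turn raw lines into field dictionaries with a parsed timestamp.
    Lines that do not match are skipped here; a production pipeline should
    count them, since unparsed events are a detection blind spot."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def failures_by_source(events: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count failed logins per (user, src_ip). This is the aggregation a
    Splunk search such as
        index=auth sshd "Failed password" | stats count by user, src_ip
    would produce (index name assumed)."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[(e["user"], e["src_ip"])] += 1
    return dict(counts)


def find_brute_force_successes(events: List[dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Flag a successful login preceded by at least `threshold` failures for
    the same (user, src_ip) within `window`. Tying the failures to the identity
    and source that eventually succeeded is what points the responder at the
    compromised account and the attacking host."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src_ip"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"user": e["user"], "src_ip": e["src_ip"],
                         "failures": len(recent), "success_at": e["ts"]})
        failures[key].clear()  # a success closes the attempt sequence
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(failures_by_source(evs))
    for hit in find_brute_force_successes(evs):
        print(f"possible brute force: {hit['user']} from {hit['src_ip']} "
              f"after {hit['failures']} failures, success at {hit['success_at']}")
```

On the constructed data the correlation singles out alice's login from 203.0.113.7 after five failures in eleven seconds, while bob's single failure 25 minutes before a success stays below the threshold; the time window is what keeps ordinary typos from being reported as attacks.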
References
Ahmad, A., Hadgkiss, J., & Ruighaver, A. B. (2012). Incident response teams – Challenges in supporting the organizational security function. Computers & Security, 31(5), 643-652.
Bhatt, S., Manadhata, P. K., & Zomlot, L. (2014). The operational role of security information and event management systems. IEEE Security & Privacy, 12(5), 35-41.
Carasso, D. (2012). Exploring Splunk. New York, NY: CITO Research.
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Guide to cyber threat information sharing (NIST Special Publication 800-150). Gaithersburg, MD: National Institute of Standards and Technology.
Liao, H. J., Lin, C. H. R., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), 16-24.
Patel, A., Qassim, Q., & Wills, C. (2010). A survey of intrusion detection and prevention systems. Information Management & Computer Security, 18(4), 277-290.
Souppaya, M., & Scarfone, K. (2013). Guidelines for managing the security of mobile devices in the enterprise (NIST Special Publication 800-124, Rev. 1). Gaithersburg, MD: National Institute of Standards and Technology.
Werlinger, R., Muldner, K., Hawkey, K., & Beznosov, K. (2010). Preparation, detection, and analysis: The diagnostic work of IT security incident response. Information Management & Computer Security, 18(1), 26-42.