
Incident Management Cycle

In Spain, companies still do not dedicate specific teams to incident response, and only some outsource this type of service to a Security Operations Center.

This graph seeks to represent the phases of the incident management cycle and the response groups that should deal with an incident in each phase. At this point no one will be surprised to see a cycle similar to Deming's (Plan-Do-Check-Act) as the central axis of the tasks.


The different phases of the cycle are:

Plan: The organization prepares to defend its IT infrastructure and data by assessing its risks and security status. It is about understanding what the possible threats are and whether or not we are vulnerable to them. Vulnerability checks and intrusion tests can be activities of this phase, since they keep the fault from being detected first by others, who would otherwise be the ones busy finding holes in our infrastructure.

The planning phase allows the organization to design an information security architecture that is more robust against common or more trivial attacks. It keeps the organization from being exposed by the continuous vulnerability scans that are already carried out daily across the Internet in search of potential easy victims.

Resist: Having planned its defense tactics and strategies and implemented the appropriate components of its security architecture, the organization must resist attacks. This implies the use of perimeter protection technologies that act as the first barrier and retaining wall against attacks that are already targeted. Intrusion detectors and more proactive tools such as IPS can also eliminate a lot of the noise from automated attacks that use more sophisticated tools.

This means filtering unwanted network traffic in both the incoming and outgoing directions, stopping malware infections (as far as possible), establishing access control mechanisms for data and applications based on robust authentication methods, etc. Note the use in this phase of the term "resist", where we already assume that we have to respond to an intentional aggression.

Detect: Since it is naïve to expect that the organization will be able to resist all intrusion attempts, effort must be devoted to detecting signs of penetration into our systems. This implies having visibility and monitoring at all levels of the infrastructure (networks, applications, data, etc.), intrusion detection tools based on anomalous usage patterns or on extrusion, change detection, the collection and review of logs, and so on. The data collected in the detection phase is critical for investigating the extent of the intrusion once it has been discovered. Many organizations do not implement this phase correctly and do not collect the digital evidence that would later allow them to take legal action if the gravity of the matter requires it.

Act: Once the incident has been detected, the organization mobilizes to respond to the intrusion. This process usually involves understanding the scope of the incident, the situation, and its resolution. The analysis of the facts once the conflict is resolved should serve to learn from the mistakes and should contribute to improving the initial protection-planning phase of the new cycle that begins.


What is basic and essential is to learn from mistakes. An incident is not solved when the attack ends but when any remote possibility that the events can be repeated is mitigated. Man is the only animal that stumbles twice on the same stone.

However, good management of the life cycle of an incident must avoid precisely that second stumble. The tool that Google makes available to network administrators will improve the detection phase and will therefore help the organization act and strengthen itself against the attacks already detected.

It is not a question of believing that one is safe but of having evidence and data that show it objectively. Keeping the score of good vs. bad at zero is the goal. The only problem is that the match has a start time but never an end time. You always have to maintain tension, because the bad guys don't knock on the door and will look for the slightest carelessness to get in. There is a huge disproportion between the effort of the defender and that of the attacker.

Source: Javier Cao Avellaneda

Authors: Computer Security News
