explores techniques for improving the efficiency
of the three major components of threat response: incident
management, threat investigation, and threat mitigation.
1. Understand the importance of automating incident management and threat investigation processes
2. Review common threat mitigation techniques and see how they can be applied through automated means
Incident Management and Threat Investigation:
Incident management is a highly complex undertaking.
Imagine the myriad pieces that make up the management
of a single incident: all the people with roles to play, all the
data and metadata that’s collected and generated, and all the
manual and automated actions that have to be taken to investigate and mitigate the incident, as well as recover from it.
To maintain effective control over incident management,
an organization needs a case management system, also
known as an incident management system. This system
provides a secure, centralized home for storing, accessing,
and analyzing all information being tracked related to the
management of an organization’s incidents.
1. Review the status of all current incidents to reprioritize response efforts.
2. Identify issues to escalate to management.
3. Ensure that investigations are progressing.
4. Determine that multiple incidents are actually different views of the same larger incident.
Organizations with more mature incident management capabilities may also find case management systems invaluable in
helping to generate metrics, such as the mean time to detect
(MTTD) and mean time to respond (MTTR) measurements
discussed in Chapter 2, “Understanding Threat Management.”
Metrics such as these allow an organization to assess its
response processes over time and set goals for future
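The following is an added example (not code from the guide or from any vendor product) of the bookkeeping a minimal case management system does for the uses listed above: computing MTTD and MTTR from case timestamps, flagging open cases that have exceeded a containment SLA for escalation, and merging cases that share an indicator into one larger incident. The incident records, the field names, and the SLA value are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed case records (sample input, not real incidents). Each record
# holds when the malicious activity started, when it was detected, when it
# was contained (None while still open), and the indicators tied to it.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T08:00:00", "detected": "2024-03-01T10:00:00",
     "contained": "2024-03-01T14:00:00", "indicators": {"203.0.113.7", "host-a"}},
    {"id": "INC-2", "started": "2024-03-01T09:00:00", "detected": "2024-03-01T09:30:00",
     "contained": "2024-03-01T11:30:00", "indicators": {"host-b", "user.bob"}},
    {"id": "INC-3", "started": "2024-03-02T00:00:00", "detected": "2024-03-02T03:00:00",
     "contained": "2024-03-02T09:00:00", "indicators": {"203.0.113.7", "host-c"}},
    {"id": "INC-4", "started": "2024-03-03T12:00:00", "detected": "2024-03-03T12:30:00",
     "contained": "2024-03-03T13:30:00", "indicators": {"host-d"}},
    {"id": "INC-5", "started": "2024-03-04T09:00:00", "detected": "2024-03-04T10:00:00",
     "contained": None, "indicators": {"host-e"}},
]


def _mean_hours(incidents, start_key, end_key):
    """Mean elapsed hours between two timestamps, skipping cases that lack the end one."""
    spans = [
        (datetime.fromisoformat(i[end_key]) - datetime.fromisoformat(i[start_key])).total_seconds()
        for i in incidents if i.get(end_key)
    ]
    return round(sum(spans) / len(spans) / 3600, 3) if spans else None


def mttd(incidents):
    """Mean time to detect: activity start -> detection."""
    return _mean_hours(incidents, "started", "detected")


def mttr(incidents):
    """Mean time to respond: detection -> containment (open cases are excluded)."""
    return _mean_hours(incidents, "detected", "contained")


def overdue(incidents, now, sla_hours):
    """Open cases that have been detected but not contained within the SLA: escalation candidates."""
    now = datetime.fromisoformat(now)
    return sorted(
        i["id"] for i in incidents
        if not i.get("contained")
        and (now - datetime.fromisoformat(i["detected"])).total_seconds() > sla_hours * 3600
    )


def group_related(incidents):
    """Union-find over shared indicators: cases sharing any indicator are views of one larger incident."""
    parent = {i["id"]: i["id"] for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> id of the first case carrying it
    for inc in incidents:
        for ind in inc["indicators"]:
            if ind in first_seen:
                parent[find(inc["id"])] = find(first_seen[ind])
            else:
                first_seen[ind] = inc["id"]

    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("MTTD hours:", mttd(INCIDENTS))
    print("MTTR hours:", mttr(INCIDENTS))
    print("Overdue:", overdue(INCIDENTS, "2024-03-04T16:00:00", sla_hours=4))
    print("Related groups:", group_related(INCIDENTS))
```

The grouping step is the one that matters most for the fourth use above: INC-1 and INC-3 look like separate cases until the shared source address ties them together, and a real system would rerun it every time an indicator is added to a case.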
Workflow and collaboration facilitation
As already mentioned, handling an incident can involve many
people, ranging from security, system, and network analysts
to other IT professionals, as well as IT and organizational
management and, potentially, human resources (for an internal threat), public relations (for public notification), facilities
management (for physical security breaches), and other
Secure collection of supporting data
Although an organization’s SIEM already centralizes secure
collection of much of its security event information, additional
information is often needed after the incident is declared. For
example, an incident handler may use various tools to collect
information from a compromised host’s hard drive. This
information may require further analysis by other incident
handlers, and it may also need to be shared with system
administrators so they can look for similar changes to other
Threat mitigation is an important part of threat response
processes. In some cases, every second counts when it comes
to stopping an active attack that’s damaging the organization
and putting valuable assets at risk.
Common mitigation techniques
1. Terminate malicious network connections.
2. Reconfigure network-based security controls, such as next-generation firewalls or intrusion prevention systems, to block all network connections with particular attributes (such as a source IP address associated with malicious activity).
3. Disable all user accounts that the threat is utilizing.
4. Kill unauthorized or compromised processes running on hosts.
5. Disable or block access to a vulnerable service.
6. Quarantine a targeted host (such as on a remediation virtual local area network (VLAN)) or disable its network access altogether.
7. Remotely wipe a lost or stolen laptop or mobile
Mitigation used to be a solely manual process, with the
incident response team asking security, system, and network
administrators to perform necessary actions. Today SIEMs
offer robust, automated capabilities that greatly speed
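As an added example, not code from the guide or from any SIEM vendor, the block below shows the shape of an automated mitigation step: a SIEM alert is mapped to actions from the list above, low-impact actions run automatically once the alert's confidence clears a threshold, and high-impact ones (disabling an account, quarantining a host) are queued for an analyst. The alert format, the confidence threshold, and the executor hooks are assumptions; the executors here are dry-run stand-ins that only record what they would have done.

```python
from dataclasses import dataclass

# Constructed SIEM alert used as sample input; the field names are an assumption.
SAMPLE_ALERT = {
    "id": "ALR-42", "category": "credential-theft", "confidence": 0.92,
    "src_ip": "198.51.100.23", "user": "svc-backup", "host": "ws-117", "pid": 4321,
}


@dataclass
class Action:
    technique: str          # which mitigation technique from the list above
    target: str             # what the action applies to
    risk: str               # "low" or "high"; high-risk actions always wait for an analyst
    mode: str = "approval"  # "auto" or "approval", decided by plan_mitigations


def plan_mitigations(alert, auto_threshold=0.9):
    """Select mitigation actions from the alert's attributes and decide which may run unattended."""
    candidates = []
    if alert.get("src_ip"):
        candidates.append(Action("block_source_ip", alert["src_ip"], "low"))
    if alert.get("host") and alert.get("pid"):
        candidates.append(Action("kill_process", f"{alert['host']}:{alert['pid']}", "low"))
    if alert.get("user"):
        candidates.append(Action("disable_account", alert["user"], "high"))
    if alert.get("host"):
        candidates.append(Action("quarantine_host", alert["host"], "high"))

    confident = alert.get("confidence", 0.0) >= auto_threshold
    for action in candidates:
        # Only low-risk actions on high-confidence alerts run without a human in the loop.
        action.mode = "auto" if action.risk == "low" and confident else "approval"
    return candidates


def execute_plan(actions, executors):
    """Run the auto actions through the executors; queue the rest. Returns the audit trail."""
    audit = []
    for action in actions:
        if action.mode != "auto":
            audit.append(f"QUEUED for approval: {action.technique} {action.target}")
            continue
        executors[action.technique](action.target)
        audit.append(f"EXECUTED: {action.technique} {action.target}")
    return audit


# Hypothetical dry-run executors standing in for firewall, EDR and identity integrations.
DRY_RUN_LOG = []
DRY_RUN_EXECUTORS = {
    "block_source_ip": lambda t: DRY_RUN_LOG.append(("firewall", "block", t)),
    "kill_process": lambda t: DRY_RUN_LOG.append(("edr", "kill", t)),
    "disable_account": lambda t: DRY_RUN_LOG.append(("idp", "disable", t)),
    "quarantine_host": lambda t: DRY_RUN_LOG.append(("nac", "quarantine", t)),
}


if __name__ == "__main__":
    for line in execute_plan(plan_mitigations(SAMPLE_ALERT), DRY_RUN_EXECUTORS):
        print(line)
```

The gate on risk and confidence is the part worth copying: the same rule set that blocks a source address in seconds should not be allowed to quarantine a file server or disable a service account on a 60% confidence alert, and the audit trail is what lets the incident handler see what already happened when they pick up the queued approvals.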
Sub-Zero Group Keeps Its Cool:
To streamline its threat response processes, Sub-Zero Group looked
for a security solution offering the following:
1. Centralized storage for and access to all security log data
2. Strong capabilities for correlating security events across logs to bring the pieces of individual events and series together
3. An easy-to-use yet powerful interface for administrators conducting searches, investigating potential incidents, and
Collected from Definitive Guide™ to Security Intelligence and Analytics: https://logrhythm.com/pdfs/3rd-party-whitepaper/lr-definitive-guide-to-security-intelligence-and-analytics.pdf