Now that you’ve got the tools and infrastructure, it’s over to you!
While the task may seem overwhelming, remember that you’re not alone. You can organize your incident management with the help of the other people involved.
Define a Battle Plan
There are several steps in managing an alert:
Classify the severity of the alert.
Investigate in order to identify the cause.
Contain the incident and stabilize the situation.
Resolve the cause of the incident.
Close the incident.
Organize Your Security Incident Management
Organization of the Service Center
Traditionally, SOCs have been organized in a similar way to IT support, using tickets and levels.
Level 1 monitors the logs to detect incidents. This level focuses on escalating alerts to the next level in the event of abnormal behavior.
Level 2 deals with alerts escalated from level 1. Here, the goal is processing the incident and repairing any damage the incident caused.
Level 3 tries to look at the bigger picture. Here, we monitor trends, identify threats, and continuously improve our detection processes and capabilities.
A Contemporary Model
Most modern SOCs take a broader view than this three-level model.
In practice, a large part of the detection process is performed automatically these days. The detection and response tools introduced in the previous chapters enable you to automate a significant part of the Level 1 SOC task.
Also, this organization is quite reductive. You’re likely to get tired of focusing only on detection tasks, whereas being involved in incident response gives you insight into what needs to be detected.
Modern SOCs generally try to make the best of this insight and the creativity of analysts to improve the detection process.
Understand the Context of Your Organization
Detecting incidents and effectively processing them involves numerous interactions with the rest of the organization.
Security Team
Beyond the SOC, there may be other people working on security in your organization, such as an audit team, a compliance team, and so on.
They are all managed by the CISO (Chief Information Security Officer) and their team.
Their role is to identify the actions to be taken to increase the overall level of security and to manage each security project. This may involve assisting with the creation of the SOC, building awareness, commissioning and monitoring audits, introducing new classifications, and more.
The security team is responsible for risk analysis and setting priorities. They often have a more comprehensive overview than the various specialist teams.
Information Systems Department
The CISO works alongside a CIO (Chief Information Officer) and their team. The term IT or IS Department is often used to describe the department that groups together all the teams that manage IT.
It is the IT / IS Department that manages all IT-related projects and must arbitrate between the various teams.
Business Teams
More generally, it’s essential for you to have a good understanding of the rest of the organization.
In the previous section, we established that you need to detect unusual behavior. But how do you identify what’s normal and what’s unusual?
The only way to achieve this is by having a thorough understanding of how your organization works.
Those who have the best knowledge of how the various systems function are the teams who work with them! Of course, we’re talking about business teams. These teams can help when you need to investigate behavior to determine whether it is normal or not. And as soon as you have to respond to incidents, you’ll need to work with them to minimize the impact on their work.
Take the time to prepare for these moments and make sure you have a good understanding of the organization. Here are a few tips:
Request an inventory from the IS department (how can you protect your organization unless you know its components?).
Prepare organizational charts.
Identify the contact person for the various systems.
Collect and archive technical architecture and similar documents.
Make Monitoring Easier with a SIRP
Implement appropriate tools and procedures to facilitate your communication with business teams.
Select a SIRP (Security Incident Response Platform) tool. It can be a ticket management tool, a kanban board, or any other communication tool. It provides you with an interface to communicate with other teams in the organization about:
actions to be taken to resolve incidents.
your requests to set up detection.
monitoring measures taken during an emergency.
communication with business teams: who has been contacted, do we need to contact them again, etc.
We’ll learn how to use SIRP to document all incident management actions in the next section.
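As an added example that is not part of the course material, here is a small Python model of a SIRP ticket that enforces the five-step battle plan defined above and logs the business-team contacts the SIRP is meant to track. The incident id, team name and notes are constructed sample data.

```python
from dataclasses import dataclass, field
# The five steps of the battle plan, in the order the chapter lists them.
STEPS = ("classify", "investigate", "contain", "resolve", "close")
SEVERITIES = ("low", "medium", "high", "critical")


@dataclass
class Incident:  # one SIRP ticket: where the incident stands and what was done
    ident: str
    severity: str = ""                                  # set by the classify step
    step_index: int = -1                                # -1: alert received, no step taken yet
    actions: list[tuple[str, str]] = field(default_factory=list)  # (step, note), in order
    follow_ups: set[str] = field(default_factory=set)   # teams that must be contacted again

    @property
    def current_step(self) -> str:
        return STEPS[self.step_index] if self.step_index >= 0 else "new"

    def contact(self, team: str, note: str, follow_up: bool = False) -> None:
        """Log who was contacted and whether we still owe them a follow-up."""
        self.actions.append((self.current_step, f"contacted {team}: {note}"))
        (self.follow_ups.add if follow_up else self.follow_ups.discard)(team)

    def advance(self, step: str, note: str, severity: str = "") -> None:
        """Take the next step: in order, documented, and no open follow-up at closure."""
        nxt = self.step_index + 1
        if nxt >= len(STEPS) or STEPS[nxt] != step:
            raise ValueError(f"{self.ident}: cannot go to {step!r} from {self.current_step!r}")
        if not note.strip():
            raise ValueError(f"{self.ident}: step {step!r} must be documented in the SIRP")
        if step == "classify":
            if severity not in SEVERITIES:
                raise ValueError(f"{self.ident}: severity must be one of {SEVERITIES}")
            self.severity = severity
        if step == "close" and self.follow_ups:
            raise ValueError(f"{self.ident}: still need to contact {sorted(self.follow_ups)}")
        self.step_index = nxt
        self.actions.append((step, note))


def handle_sample_alert() -> Incident:
    """Walk a constructed alert through all five steps (sample data, not a real incident)."""
    inc = Incident("INC-0001")
    inc.advance("classify", "one finance workstation, unusual outbound volume", severity="high")
    inc.contact("Finance", "confirmed the transfer is not a known batch job")
    inc.advance("investigate", "EDR shows an unapproved sync client installed yesterday")
    inc.advance("contain", "host isolated via EDR, user password reset")
    inc.advance("resolve", "client removed, host rebuilt, detection rule added")
    inc.advance("close", "no further impact reported after 48 h")
    return inc
```

The ticket refuses to skip a step, to record an undocumented action, or to close while a business team is still waiting on a follow-up, which is exactly the bookkeeping the SIRP is there for.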
Dive into the world of SOC in this video where Raphaël and Guillaume talk about the organization of their respective teams.
Interact With Teams Involved in Incident Management
Incident management may require you to bring in additional reinforcements. In this situation, the SOC can call on specialized security teams: a CSIRT (Computer Security Incident Response Team) is a team specialized in incident response, also known as a CERT (Cyber Emergency Response Team).
These teams focus on incident management and resolution rather than detection. In practice, these different functions can also exist within the SOC.
Let’s Recap!
Incident management follows five key steps: classification, investigation, containment, resolution, and closure.
Understanding how the company works and having access to precise information is essential for diagnosing situations and responding effectively. Useful information includes an organizational chart, contacts, asset inventories, and technical architecture documents.
Many teams are involved when managing an alert or incident, so take the time to get to know them and maintain good relations with them.
ITSM platforms allow us to easily track incidents and organize the work of several people, including ticket management, prioritization, enrichment, and collaboration.
In the next section, we’ll take a look at how to manage an incident by following the steps outlined above. But first, here’s a short quiz to test you on the first part of this course!