Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents so that the system is restored to normal service operations as soon as possible and further recurrence of the incident is prevented. It involves not only responding to incidents, but also triggering alerts to head off potential risks and threats. Security administrators must identify software that is open to attack before someone takes advantage of its vulnerabilities.
IT incident management is an area of IT service management (ITSM) in which the IT team returns a service to normal as quickly as possible after an interruption, in a way that aims to have as little negative impact on the business as possible. You can learn incident management in ECIH v2. Infosavvy provides the ECIH v2 Training and Certification of EC-Council.
Incident management includes the following:
- Vulnerability analysis
- Artifact analysis
- Security awareness training
- Intrusion detection
- Public or technology monitoring
Purpose of the incident management process:
- Reduces impact of incidents on business/organization
- Meets service availability requirements
- Increases staff efficiency and productivity
- Improves user/customer satisfaction
- Assists in handling future incidents
- Improves service quality
Conducting training sessions to spread awareness among users is an important part of incident management. Such sessions help end-users recognize suspicious events or incidents more readily and report an attacker’s behavior to the appropriate authority.
The following people perform incident management activities:
- Human resources personnel can take steps to dismiss employees suspected of harmful computer activities.
- Legal counsel sets the rules and regulations in an organization. These rules can influence the internal security policies and practices of the organization in case an insider or an attacker uses the organization’s system for harmful or malicious activities.
- The firewall manager keeps filters in place where denial-of-service attacks occur frequently.
- An outsourced service provider repairs systems infected by viruses and malware.
Incident response is one of the functions performed in incident handling. Incident handling is one of the services provided as part of incident management. The accompanying diagram illustrates the relationship between incident response, incident handling, and incident management.
Incident Management Process
Incident management is the process of logging, recording, and resolving incidents that take place in the organization. An incident may occur due to a fault, service degradation, an error, and so on. Users, technical staff, and/or event monitoring tools identify the incidents. The main objective of the incident management process is to restore the service to a normal state as quickly as possible for customers, while maintaining availability and quality of service.
Steps involved in the incident management process:
Preparation for Incident Handling and Response:- At this step all actions are pre-planned and detailed guidelines are provided to employees. Various policies and procedures are established so that the organization stays well equipped. The right people with the appropriate skills are trained and provided with tools to ensure effective response actions.
Detection and Analysis:- In this step, security events are monitored and carefully analyzed using firewalls, intrusion detection and prevention systems, etc. Detection and analysis of incidents include identifying the signatures of an incident, analyzing those signatures, recording the incident, prioritizing the various incidents, and issuing alerts.
Classification and Prioritization:- Each incident is categorized and sub-categorized so that it can be troubleshot securely, which saves a lot of time. Accurate categorization helps assign the incident to the right team, one with the appropriate knowledge and skills to handle the situation in real time. Moreover, depending on the impact of the incident, events are classified as low, medium, or high priority incidents. Prioritization is based on severity, urgency, resource requirements, potential cost, etc.
Notification:- After the incident has been identified and classified, the appropriate people and teams are notified about the problem. People with the knowledge and training suited to the breach are engaged to assess the situation and perform all the required actions at the right time. All the required people, including third parties, the Head of Information Security, the Local Information Security Officer, etc., are provided with regular status updates.
Containment:- Containment is a crucial step in the incident management process that focuses on preventing additional damage. It includes planning strategies to avoid any further loss, while ensuring that no forensic evidence related to the incident is destroyed or tampered with.
Two important aspects need to be taken care of:
- Ensuring all critical and essential computer resources are kept and protected in a safe place.
- Checking infected systems regularly to determine their operational status.
Forensic Investigation:- A forensic investigation is performed to find the root cause of the incident and establish exactly what happened to the information system. Past records are analyzed using various forensic tools to detect the source of the attack and identify the culprit. The whole process is well documented, since the documentation is required by law enforcement in the case of external threats. System logs, real-time memory, network device logs, application logs, and all other supporting data are scanned and reviewed during the investigation.
Eradication and Recovery:- The eradication and recovery step is the process of returning the system or network to its original state. It is carried out only after all internal and external actions have been completed. The two important aspects of this step are cleanup and notification. Cleanup is performed using antivirus software, uninstalling infected software, reloading the operating system, and sometimes replacing the entire hard disk and rebuilding the network. All professionals working with the incident response team are notified about the actions taken to recover the system or network.
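The following Python walk-through is an added example written for this page; it is not code from Infosavvy or from the ECIH course material. It runs one incident through the steps above: detection over a handful of constructed SSH log lines, classification and priority from an impact/urgency matrix, role-based notification, evidence preservation at containment, and a state machine that refuses to skip steps (for instance eradication before containment). The detection threshold, the priority matrix, the role routing, the incident id, and the log lines are all assumptions chosen for illustration.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample auth log lines for the walk-through; not taken from any real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host1 sshd[101]: Failed password for root from 203.0.113.7 port 40110 ssh2
2024-05-01T10:00:02 host1 sshd[102]: Failed password for admin from 203.0.113.7 port 40111 ssh2
2024-05-01T10:00:03 host1 sshd[103]: Failed password for root from 203.0.113.7 port 40112 ssh2
2024-05-01T10:00:04 host1 sshd[104]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2
2024-05-01T10:00:05 host1 sshd[105]: Failed password for root from 203.0.113.7 port 40113 ssh2
2024-05-01T10:00:06 host1 sshd[106]: Failed password for oracle from 203.0.113.7 port 40114 ssh2
2024-05-01T10:00:07 host1 sshd[107]: Failed password for root from 198.51.100.9 port 52000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


class State(Enum):
    """Lifecycle states in the order the process steps describe them."""
    DETECTED = 1
    CLASSIFIED = 2
    NOTIFIED = 3
    CONTAINED = 4
    INVESTIGATED = 5
    ERADICATED = 6
    RECOVERED = 7


# Assumed priority matrix: (impact, urgency) -> priority. Tune per organization.
PRIORITY = {
    ("high", "high"): "high", ("high", "medium"): "high", ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium", ("low", "medium"): "low", ("low", "low"): "low",
}

# Assumed routing: who receives the notification at each priority level.
NOTIFY = {
    "high": ["incident_response_team", "local_information_security_officer",
             "head_of_information_security"],
    "medium": ["incident_response_team", "local_information_security_officer"],
    "low": ["incident_response_team"],
}


@dataclass
class Incident:
    incident_id: str
    description: str
    category: str = "unclassified"
    priority: str = "unset"
    state: State = State.DETECTED
    evidence: dict = field(default_factory=dict)   # name -> sha256 of the preserved data
    timeline: list = field(default_factory=list)   # recorded state transitions

    def advance(self, new_state: State) -> None:
        """Allow only the next step; rejects e.g. ERADICATED straight from DETECTED."""
        if new_state.value != self.state.value + 1:
            raise ValueError(f"cannot go from {self.state.name} to {new_state.name}")
        self.timeline.append(f"{self.state.name} -> {new_state.name}")
        self.state = new_state


def detect_brute_force(log_text: str, threshold: int = 5) -> dict:
    """Detection and analysis: count failed logins per source IP, flag those at/above threshold."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def prioritize(impact: str, urgency: str) -> str:
    """Classification and prioritization via the matrix above."""
    return PRIORITY[(impact, urgency)]


def preserve_evidence(incident: Incident, name: str, data: bytes) -> str:
    """Containment: hash the preserved copy so later tampering is detectable."""
    digest = hashlib.sha256(data).hexdigest()
    incident.evidence[name] = digest
    return digest


def evidence_intact(incident: Incident, name: str, data: bytes) -> bool:
    return incident.evidence.get(name) == hashlib.sha256(data).hexdigest()


def run_playbook(log_text: str) -> tuple:
    """Walk one detection through every step; returns (incident, notified roles)."""
    hits = detect_brute_force(log_text)
    if not hits:
        return None, []
    ip, count = max(hits.items(), key=lambda kv: kv[1])
    inc = Incident("INC-0001", f"{count} failed SSH logins from {ip}")  # constructed id
    inc.category = "unauthorized-access-attempt"
    inc.priority = prioritize(impact="medium", urgency="high")         # assumed rating
    inc.advance(State.CLASSIFIED)
    notified = NOTIFY[inc.priority]
    inc.advance(State.NOTIFIED)
    preserve_evidence(inc, "auth.log", log_text.encode())
    inc.advance(State.CONTAINED)
    inc.advance(State.INVESTIGATED)
    inc.advance(State.ERADICATED)
    inc.advance(State.RECOVERED)
    return inc, notified


if __name__ == "__main__":
    incident, roles = run_playbook(SAMPLE_LOG)
    print(incident.priority, incident.state.name, roles, incident.timeline)
```

The point of the `advance` check is the ordering the text insists on: containment and evidence preservation happen before eradication, and eradication happens only after the investigation is complete. Storing a digest of the preserved log at containment time gives the investigation step a cheap way to confirm the evidence was not altered afterwards.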
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com