Incident Response is a field stuck in perpetual firefighting mode, when it exists at all as a formalized unit. Yet as major breaches continue to happen, Incident Response proves to be possibly the most essential part of any Enterprise Security Program; in the words of Bruce Schneier:
“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”
And yet, this most vital of components is still carried out as an arcane discipline, rarely measured or documented in a fashion that allows its true effectiveness or value within the business to be assessed. ITIL presents a framework for service maturity and capabilities within Information Technology, and it has components for Incident Response, but these address general Service Incidents and only partially translate to Intrusion Response. SIEM technologies provide the capacity to extract actionable information from system logs and data, but they do little to directly enable an effective workflow within the business unit.
In a series of documents on this subject, we will lay out the groundwork for using SIEM and event correlation to create a mature Security Incident Response program. Such a program can demonstrate and document repeatable, measurable processes; demonstrate ongoing value to the business beyond being merely a cost of doing business; and provide business-relevant metrics that can fuel Business Intelligence analysis and clearly show resourcing requirements and gaps.
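As an added illustration of what "repeatable, measurable processes" built on event correlation can look like, the following Python example groups SIEM events into incidents per host and derives two of the metrics a program like this would report: time to detect (first correlated event to case opened) and time to contain (case opened to containment). This is example code written for this page, not code from the original author or from any SIEM product; every event, host, timestamp and case below is constructed sample data, and the 30-minute correlation window and the host-based case matching rule are assumptions chosen for the illustration.

```python
"""Derive Incident Response metrics from correlated SIEM events.

Example code added for illustration. All events, hosts, timestamps and
cases below are constructed sample data, not output of any real SIEM.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str   # constructed labels: "auth", "ids", "edr"
    detail: str


@dataclass
class Case:
    host: str
    opened: datetime              # analyst opened the case (detection)
    contained: Optional[datetime] # None while the case is still open


# Constructed sample data: two bursts on web-01 and one on db-02.
T0 = datetime(2024, 3, 1, 8, 0)
EVENTS = [
    Event(T0 + timedelta(minutes=0), "web-01", "auth", "failed login burst"),
    Event(T0 + timedelta(minutes=3), "web-01", "ids", "suspicious outbound"),
    Event(T0 + timedelta(minutes=9), "web-01", "edr", "unknown binary executed"),
    Event(T0 + timedelta(minutes=20), "db-02", "auth", "new admin account"),
    # two hours later: outside the window, so a separate incident
    Event(T0 + timedelta(minutes=120), "web-01", "ids", "scan from internet"),
]
CASES = [
    Case("web-01", opened=T0 + timedelta(minutes=15), contained=T0 + timedelta(minutes=75)),
    Case("db-02", opened=T0 + timedelta(minutes=30), contained=None),
]


def correlate(events, window=timedelta(minutes=30)):
    """Group events per host into incidents (assumed rule: a new incident
    starts when the gap to the previous event on that host exceeds window).
    Returns a list of (host, [events]) with events in time order."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e.ts - current[-1].ts > window:
                incidents.append((host, current))
                current = [e]
            else:
                current.append(e)
        incidents.append((host, current))
    return incidents


def metrics(events, cases, window=timedelta(minutes=30)):
    """Match each incident to the earliest unassigned case on the same host
    opened at or after the incident's first event, then compute per-incident
    and mean time-to-detect / time-to-contain in minutes. Incidents with no
    case are reported as undetected; that gap is itself a metric."""
    unassigned = sorted(cases, key=lambda c: c.opened)
    rows = []
    for host, evs in correlate(events, window):
        first = evs[0].ts
        match = next((c for c in unassigned if c.host == host and c.opened >= first), None)
        if match is None:
            rows.append({"host": host, "first_event": first, "ttd_min": None, "ttc_min": None})
            continue
        unassigned.remove(match)
        ttd = (match.opened - first).total_seconds() / 60
        ttc = (match.contained - match.opened).total_seconds() / 60 if match.contained else None
        rows.append({"host": host, "first_event": first, "ttd_min": ttd, "ttc_min": ttc})
    detected = [r for r in rows if r["ttd_min"] is not None]
    contained = [r for r in detected if r["ttc_min"] is not None]
    return {
        "incident_count": len(rows),
        "undetected": len(rows) - len(detected),
        "open_cases": len(detected) - len(contained),
        "mean_ttd_minutes": mean(r["ttd_min"] for r in detected) if detected else None,
        "mean_ttc_minutes": mean(r["ttc_min"] for r in contained) if contained else None,
        "incidents": rows,
    }


if __name__ == "__main__":
    for k, v in metrics(EVENTS, CASES).items():
        print(k, v)
```

With the sample data this yields three incidents, one of which (the later scan on web-01) has no case and is counted as undetected, a mean time to detect of 12.5 minutes and a mean time to contain of 60 minutes. Feeding real SIEM alerts and ticket timestamps into the same two functions is what turns the program's activity into a trend line the business can read.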