Building an Effective Incident Response Framework Infographic

February 11, 2014 | Jaime Blasco

Organizations are bombarded with potential threats every day. Most of these are small and irritating rather than truly critical, but scattered among them are the threads of larger campaigns. An incident response program lets you pull those threads out of the noise and assemble the bigger picture.

The ultimate goal of an incident response program is not only to contain a single incident effectively, but to start modeling the techniques of an attack. Incident response is based on an approach that detects and enumerates the steps taken by an attacker to compromise a system. The incident response team then uses this information to drive future incident response activities. In this model, a behavior that seemed benign before analysis can become a predictive indicator of a larger attack.

Building an incident response framework allows an organization to bring in vast quantities of enterprise and security data, build relationships among that data, and present it in a single, unified workflow that shows business and technical information in one view. Analysts can then spend much less time learning individual security control technologies and much more time analyzing, finding patterns, and making response decisions.
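The two ideas above, relating events from separate sources to each other and treating an ordered chain of individually weak observations as a predictive indicator, are easier to see in code. The following is an added example and not AlienVault code or anything from the infographic: the three sources (auth, dns, proxy), the common field names, the allowlist and the three stage rules are all assumptions, and the log records are constructed sample data.

```python
"""Correlate indicators from several sources into per-host attack chains.

Added example, not AlienVault code. Sources, field names, the domain
allowlist and the stage rules are assumptions; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime

KNOWN_DOMAINS = {"intranet.example", "mail.example"}  # assumed allowlist

# Constructed sample records, already parsed into one common schema
# (when, source, host, user, detail). Each real source would have its
# own parser; the shared schema is what lets the events be related.
SAMPLE_EVENTS = [
    {"when": "2014-02-10T08:02:11", "source": "auth", "host": "ws-17",
     "user": "jdoe", "detail": "failed login x5 then success"},
    {"when": "2014-02-10T08:05:40", "source": "dns", "host": "ws-17",
     "user": "", "detail": "query a3f9.update-cdn.example"},
    {"when": "2014-02-10T08:06:02", "source": "proxy", "host": "ws-17",
     "user": "jdoe", "detail": "POST 48MB to update-cdn.example"},
    {"when": "2014-02-10T09:15:00", "source": "auth", "host": "ws-22",
     "user": "asmith", "detail": "failed login x5 then success"},
    {"when": "2014-02-10T09:20:33", "source": "proxy", "host": "ws-22",
     "user": "asmith", "detail": "GET 2KB from intranet.example"},
]


def _queried_domain(detail):
    """'query a3f9.update-cdn.example' -> 'update-cdn.example' (last two labels)."""
    name = detail.split()[-1]
    return ".".join(name.split(".")[-2:])


def _upload_mb(detail):
    """'POST 48MB to host' -> 48; any other request -> 0."""
    parts = detail.split()
    if len(parts) >= 2 and parts[0] == "POST" and parts[1].endswith("MB"):
        return int(parts[1][:-2])
    return 0


# Ordered model of attacker steps: (stage name, predicate on an event).
# Any single stage is weak evidence on its own; the chain is the indicator.
STAGES = [
    ("credential_guessing",
     lambda e: e["source"] == "auth" and "failed login" in e["detail"]),
    ("suspicious_dns",
     lambda e: e["source"] == "dns"
     and _queried_domain(e["detail"]) not in KNOWN_DOMAINS),
    ("exfil_upload",
     lambda e: e["source"] == "proxy" and _upload_mb(e["detail"]) >= 10),
]


def stage_of(event):
    """Map one normalized event to a stage name, or None if it matches nothing."""
    for name, matches in STAGES:
        if matches(event):
            return name
    return None


def build_chains(events):
    """Relate events by host and return each host's ordered list of distinct stages."""
    chains = defaultdict(list)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["when"])):
        stage = stage_of(e)
        if stage and stage not in chains[e["host"]]:
            chains[e["host"]].append(stage)
    return dict(chains)


def flag_hosts(chains, min_stages=2):
    """Hosts whose chain reaches at least min_stages, longest chains first."""
    return sorted(
        (h for h, c in chains.items() if len(c) >= min_stages),
        key=lambda h: -len(chains[h]),
    )


if __name__ == "__main__":
    chains = build_chains(SAMPLE_EVENTS)
    for host, chain in chains.items():
        print(host, " -> ".join(chain))
    print("escalate:", flag_hosts(chains))
```

Both workstations show the same burst of failed logins, which alone is not worth an analyst's time. Only ws-17 goes on to resolve an unknown domain and push a large upload, so only it is escalated. Because the chain is built in time order, a host that has reached credential_guessing and suspicious_dns is flagged with `min_stages=2` before any upload happens, which is the predictive use of an earlier, apparently benign behavior that the text describes.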

The key concepts to a successful incident response program are as follows:

  • Act on what you can manage—execute on what you know how to respond to effectively.
  • There is no boilerplate security policy that works for an organization all the time, outside of regulatory requirements. Remember—business processes define policy, not vice versa.
  • Security monitoring is an essential and foundational aspect of any incident response program.

As the name implies, incident response involves responding to some indicators of an actual or potential incident—indicators that are detected through security monitoring. Indicators are contextual information drawn from a number of technical and administrative sources. Check out the infographic below to learn more about how to build an effective framework for incident response.

[Infographic: Building an Effective Incident Response Framework. Incident response is based on an approach that detects and enumerates the steps taken by an attacker to compromise a system.]

For more information about incident response, check out our webcast, Threat Detection and Incident Response: What's New for 2014. In this session, Mike Rothman, President of the security analyst firm Securosis, and Jaime Blasco, Director of AlienVault Labs, will give an overview of key changes in the information security world in 2013 and considerations for adapting your 2014 strategy to stay ahead of threats.


About the Author: Jaime Blasco

Jaime Blasco is a renowned security researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team, which researches threats and integrates threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Before that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work on emerging threats and targeted attacks is frequently cited in international publications such as The New York Times, BBC, The Washington Post and Al Jazeera.
