IDS mailing list archives
RE: IDS Incident Escalation Procedure
From: "Dimitrios Patsos" <dpat () space gr>
Date: Tue, 18 Sep 2007 09:38:08 +0300
Hi all,

I've recently co-authored a paper on the current state of the art in Incident Response, called "On Incident Handling and Response: A state-of-the-art approach". It provides guidelines for the formation of an Incident Handling Team, the points of contact, methodology and procedures. It's under property of Elsevier Computers & Security 25(5):351-370, 2006, but I'm pretty sure that it can be found somewhere online.

Hope this helps.

Dimitrios Patsos
Ph.D. (Cand.), M.Sc., CCDA, CCSE, CME, CHFA

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of khushbu.jithra () gmail com
Sent: Monday, September 17, 2007 08:02
To: focus-ids () securityfocus com
Subject: Re: IDS Incident Escalation Procedure

Hi Jim,

Usually, an Incident Escalation procedure for an IDS stems from:
1. The structure of the core Incident Response Team
2. Adherence to any higher-level policy, if required (in line with escalation matrices defined in the business continuity plans)
3. SLAs signed with clients - internal and external

One suggested team structure is:
1. Computer Incident Response Team (CIRT) leader
2. Incident Handler
3. Database Administrators
4. Legal Counsel

Now, depending on the nature and category of alerts coming from the IDS, an incident can be escalated from the incident handler to the CIRT leader to the database admin to Legal Counsel. Also, the escalation may vary depending on the severity of alerts.

As Vijay rightly pointed out, you can refer to the NIST SP 800-61 publication, the Incident Notification section. This provides a sample list of parties which are usually notified.

HTH,
Khushbu Jithra
Information Security Consultant
NII Consulting
Web: http://www.niiconsulting.com
Current thread:
- IDS Incident Escalation Procedure jimmy wong (Sep 05)
- Re: IDS Incident Escalation Procedure Vijay K (Sep 07)
- Re: IDS Incident Escalation Procedure Jerry Dixon (Sep 10)
- <Possible follow-ups>
- RE: IDS Incident Escalation Procedure john lokka (Sep 06)
- Re: IDS Incident Escalation Procedure khushbu . jithra (Sep 17)
- RE: IDS Incident Escalation Procedure Dimitrios Patsos (Sep 18)
- RE: IDS Incident Escalation Procedure Simon Taylor (Sep 18)
- Re: IDS Incident Escalation Procedure Vijay K (Sep 07)